[jboss-jira] [JBoss JIRA] (WFLY-4618) JASPIC authentication processed on unsecured ressources

Gernot Müller (JIRA) issues at jboss.org
Tue May 12 07:09:19 EDT 2015 

     [ https://issues.jboss.org/browse/WFLY-4618?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gernot Müller updated WFLY-4618:
--------------------------------
    Description: 
When using JASPIC authentication in web-projects, then serving unsecured resources (like unsecured pages, css/js-resources) ends in calling configured JASPI auth-modules.

The problem is located in class JASPIAuthenticationMechanism (Undertow extension) where SecurityContext is never asked if the request has to be authenticated.

So JASPIC can't be used wor web-applications which consist of secured AND unsecured parts.

  was:
When using JASPIC authentication then in web-projects, then serving unsecured resources (like unsecured pages, css/js-resources) ends in calling configured JASPI auth-modules.

The problem is located in class JASPIAuthenticationMechanism (Undertow extension) where SecurityContext is never asked if the request has to be authenticated.

So JASPIC can't be used wor web-applications which consist of secured AND unsecured parts.



> JASPIC authentication processed on unsecured ressources
> -------------------------------------------------------
>
>                 Key: WFLY-4618
>                 URL: https://issues.jboss.org/browse/WFLY-4618
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security, Web (JBoss Web), Web (Undertow)
>    Affects Versions: 8.2.0.Final, 9.0.0.CR1
>            Reporter: Gernot Müller
>            Assignee: Darran Lofthouse
>
> When using JASPIC authentication in web-projects, then serving unsecured resources (like unsecured pages, css/js-resources) ends in calling configured JASPI auth-modules.
> The problem is located in class JASPIAuthenticationMechanism (Undertow extension) where SecurityContext is never asked if the request has to be authenticated.
> So JASPIC can't be used wor web-applications which consist of secured AND unsecured parts.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

More information about the jboss-jira mailing list