[jboss-jira] [JBoss JIRA] (WFLY-4304) Servlet authentication kicked off when *not* a part of any security-constraint

[Darran Lofthouse (JIRA)]

     [ https://issues.jboss.org/browse/WFLY-4304?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated WFLY-4304:
-----------------------------------
    Fix Version/s: 11.0.0.Alpha1
                       (was: 10.0.0.CR2)


> Servlet authentication kicked off when *not* a part of any security-constraint
> ------------------------------------------------------------------------------
>
>                 Key: WFLY-4304
>                 URL: https://issues.jboss.org/browse/WFLY-4304
>             Project: WildFly
>          Issue Type: Bug
>    Affects Versions: 8.2.0.Final
>            Reporter: Brett Meyer
>            Assignee: Darran Lofthouse
>             Fix For: 11.0.0.Alpha1
>
>
> Artificer runs on Wildfly 8.2 and uses Keycloak for auth.  If our WAR contains a servlet that is *not* protected by a security-constraint in web.xml, Wildfly still attempts to authenticate the call (using Wireshark, I see the GET/POST get funneled through the Keycloak realm redirection) if basic auth credentials are in the header.  In a keycloak-dev thread this past Dec., [~bill.burke] suggested this was most likely an issue within Wildfly auth itself.
> A credentialed call on an un-protected servlet does sound like an edge case.  However, this came up possibly due to a secondary symptom:
> If I protect the servlet in web.xml, the call's Authorization header is stripped.  I'm not currently able to figure out exactly where that's occurring...



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)