[jboss-jira] [JBoss JIRA] (WFLY-7698) Elytron auth method misconfiguration not logged

Martin Choma (JIRA) issues at jboss.org
Tue Nov 29 10:19:02 EST 2016


     [ https://issues.jboss.org/browse/WFLY-7698?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Choma updated WFLY-7698:
-------------------------------
    Description: 
When a deployment is configured to be secured with DIGEST, but {{http-authentication-factory}} does not list the DIGEST mechanism, the user is not informed about the misconfiguration, even when TRACE logging is turned on. When the user tries to access the app, a 403 HTTP code is returned and Forbidden is shown in the browser. I would expect a browser dialog to appear to allow the user to provide credentials (401 HTTP status code).

{code:title=web.xml}
<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>ApplicaitonRealm</realm-name>
</login-config>
{code}

{code:title=standalone-elytron.xml}
<http-authentication-factory name="application-http-authentication" http-server-mechanism-factory="global" security-domain="ApplicationDomain">
    <mechanism-configuration>
        <mechanism mechanism-name="BASIC">
            <mechanism-realm realm-name="Application Realm"/>
        </mechanism>
        <mechanism mechanism-name="FORM"/>
    </mechanism-configuration>
</http-authentication-factory>
{code}

This applies globally to all authentication mechanisms, not only DIGEST.

Could Elytron handle the misconfiguration:
* either fail during application deployment, as the deployment requirement can't be satisfied,
* or provide reasonable Elytron defaults for the missing mechanism configuration.


  was:
When a deployment is configured to be secured with DIGEST, but {{http-authentication-factory}} does not list the DIGEST mechanism, the user is not informed about the misconfiguration, even when TRACE logging is turned on. When the user tries to access the app, a 403 HTTP code is returned and Forbidden is shown in the browser. I would expect a browser dialog to appear to allow the user to provide credentials (401 HTTP status code).

{code:title=web.xml}
<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>ApplicaitonRealm</realm-name>
</login-config>
{code}

{code:title=standalone-elytron.xml}
<http-authentication-factory name="application-http-authentication" http-server-mechanism-factory="global" security-domain="ApplicationDomain">
    <mechanism-configuration>
        <mechanism mechanism-name="BASIC">
            <mechanism-realm realm-name="Application Realm"/>
        </mechanism>
        <mechanism mechanism-name="FORM"/>
    </mechanism-configuration>
</http-authentication-factory>
{code}

This applies globally to all authentication mechanisms, not only DIGEST.
Could the misconfiguration be logged:
* either during application deployment,
* or during the authentication attempt.




> Elytron auth method misconfiguration not logged
> -----------------------------------------------
>
>                 Key: WFLY-7698
>                 URL: https://issues.jboss.org/browse/WFLY-7698
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>            Reporter: Martin Choma
>              Labels: user_experience
>



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
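The mismatch the report describes (a web.xml auth-method with no matching mechanism in the http-authentication-factory) can be caught offline before deployment, which is the check the reporter asks the server to do. This is an added example, not code from the WildFly/Elytron project or from the reporter; the XML inputs are constructed from the fragments in the report, and the CLIENT-CERT to CLIENT_CERT alias is an assumption about mechanism naming.

```python
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the report (not the reporter's actual files).
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>ApplicationRealm</realm-name>
  </login-config>
</web-app>"""

# The factory as reported: BASIC and FORM only, so DIGEST is never offered.
FACTORY_XML = """<http-authentication-factory name="application-http-authentication"
    http-server-mechanism-factory="global" security-domain="ApplicationDomain">
  <mechanism-configuration>
    <mechanism mechanism-name="BASIC">
      <mechanism-realm realm-name="Application Realm"/>
    </mechanism>
    <mechanism mechanism-name="FORM"/>
  </mechanism-configuration>
</http-authentication-factory>"""

# Servlet spelling differs from the Elytron mechanism name for client
# certificates; this alias map is an assumption, extend it as needed.
SERVLET_TO_ELYTRON = {"CLIENT-CERT": "CLIENT_CERT"}

def _local(tag):
    """Strip the XML namespace so any web.xml or subsystem version matches."""
    return tag.rsplit("}", 1)[-1]

def deployment_auth_methods(web_xml):
    """Mechanism names the deployment's <login-config> requires."""
    root = ET.fromstring(web_xml)
    names = {el.text.strip().upper() for el in root.iter()
             if _local(el.tag) == "auth-method" and el.text}
    return {SERVLET_TO_ELYTRON.get(n, n) for n in names}

def factory_mechanisms(config_xml, factory_name):
    """Mechanism names offered by the named http-authentication-factory."""
    root = ET.fromstring(config_xml)
    for fac in root.iter():
        if (_local(fac.tag) == "http-authentication-factory"
                and fac.get("name") == factory_name):
            return {m.get("mechanism-name").upper() for m in fac.iter()
                    if _local(m.tag) == "mechanism" and m.get("mechanism-name")}
    raise ValueError("no http-authentication-factory named %r" % factory_name)

def missing_mechanisms(web_xml, config_xml, factory_name):
    """Required mechanisms the factory does not list; non-empty means the
    silent 403 from the report, so fail the deployment check here."""
    return deployment_auth_methods(web_xml) - factory_mechanisms(config_xml, factory_name)
```

Run `missing_mechanisms(WEB_XML, FACTORY_XML, "application-http-authentication")` against the constructed inputs and it returns `{'DIGEST'}`; adding a DIGEST mechanism to the factory makes it return an empty set.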