[jboss-jira] [JBoss JIRA] (WFLY-3590) Option to disable processing of authentication tokens on unsecured resources.

David Everly (JIRA) issues at jboss.org
Tue Jul 10 13:59:01 EDT 2018


    [ https://issues.jboss.org/browse/WFLY-3590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13603255#comment-13603255 ] 

David Everly commented on WFLY-3590:
------------------------------------

This is not working under WildFly 13 when using Elytron:

bin/jboss-cli.sh --file=docs/examples/enable-elytron.cli

...then...

bin/standalone.sh

...then...

bin/jboss-cli.sh
connect
/subsystem=undertow/servlet-container=default:write-attribute(name=proactive-authentication, value=false)

Then restart and try some sample.war servlet that you copy into standalone/deployments/.

curl -u foo:bar http://localhost:8080/sample/


> Option to disable processing of authentication tokens on unsecured resources.
> -----------------------------------------------------------------------------
>
>                 Key: WFLY-3590
>                 URL: https://issues.jboss.org/browse/WFLY-3590
>             Project: WildFly
>          Issue Type: Feature Request
>          Components: Web (Undertow)
>    Affects Versions: 8.1.0.Final
>         Environment: Oracle Java 1.8.0_05, Ubuntu 14.04
>            Reporter: Harald Wellmann
>            Assignee: Stuart Douglas
>             Fix For: 10.0.0.Alpha3
>
>
> WildFly sends a basic authentication challenge and denies access when it shouldn't in the following simple setup:
> {code:xml}
>     <login-config>
>         <auth-method>BASIC</auth-method>
>         <realm-name>test</realm-name>
>     </login-config>
>     
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>all</web-resource-name>
>             <url-pattern>/hello</url-pattern>            
>         </web-resource-collection>
>         <auth-constraint>        
>             <role-name>USER</role-name>
>         </auth-constraint>       
>     </security-constraint>
>     
>     <security-role>
>         <role-name>USER</role-name>
>     </security-role>
> {code}
> {{/hello}} is the only protected URL (mapped to a servlet), other URLs like {{/index.html}} are public.
> When GETting /index.html with an (unneeded) basic authentication header, access is denied:
> {noformat}
> $ curl -v -u foo:bar http://localhost:8080/auth-basic/index.html
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 8080 (#0)
> * Server auth using Basic with user 'foo'
> > GET /auth-basic/index.html HTTP/1.1
> > Authorization: Basic Zm9vOmJhcg==
> > User-Agent: curl/7.35.0
> > Host: localhost:8080
> > Accept: */*
> > 
> < HTTP/1.1 401 Unauthorized
> < Connection: keep-alive
> * Authentication problem. Ignoring this.
> < WWW-Authenticate: Basic realm="test"
> < X-Powered-By: Undertow/1
> * Server WildFly/8 is not blacklisted
> < Server: WildFly/8
> < Content-Type: text/html;charset=ISO-8859-1
> < Content-Length: 71
> < Date: Mon, 07 Jul 2014 17:28:25 GMT
> < 
> * Connection #0 to host localhost left intact
> <html><head><title>Error</title></head><body>Unauthorized</body></html>
> {noformat}
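To make the behaviour in the report concrete, here is an added example (not Undertow or WildFly code, and not posted by either participant): a deliberately simplified Python model of servlet security-constraint matching plus the "proactive authentication" switch. It uses the web.xml quoted above (context root /auth-basic, BASIC auth, only /hello restricted to role USER) and a constructed user store with hypothetical users alice and bob standing in for the "test" realm. With proactive authentication on, an unneeded but invalid Authorization header on /index.html gets a 401 challenge exactly as in the curl trace; with it off, the header is ignored on unsecured paths while /hello is still protected.

```python
"""Simplified model of servlet security constraints and Undertow's
"proactive authentication" switch. Added illustration, not Undertow code.

Deployment mirrors the issue's web.xml: context root /auth-basic, BASIC auth,
and only /hello restricted to role USER.
"""
import base64
import binascii
from dataclasses import dataclass, field
from typing import Optional

# Constructed user store standing in for the "test" realm (hypothetical users).
USERS = {"alice": ("s3cret", {"USER"}), "bob": ("hunter2", set())}

CONTEXT_ROOT = "/auth-basic"
# (url-pattern, required roles) pairs, as in the quoted <security-constraint>.
CONSTRAINTS = [("/hello", {"USER"})]
CHALLENGE = {"WWW-Authenticate": 'Basic realm="test"'}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    principal: Optional[str] = None


def matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern matching for exact and path-prefix ("/x/*") patterns."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client such as curl -u sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(authorization: Optional[str]):
    """Return (user, password) from a Basic header, or None if absent/malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(creds) -> Optional[str]:
    """Return the principal name if the credentials are valid, else None."""
    if creds is None:
        return None
    user, password = creds
    entry = USERS.get(user)
    return user if entry is not None and entry[0] == password else None


def handle(path: str, headers: dict, proactive: bool) -> Response:
    """Dispatch one GET through the security layer and return the response."""
    if not path.startswith(CONTEXT_ROOT + "/"):
        return Response(404)
    rel = path[len(CONTEXT_ROOT):]
    required = next((roles for p, roles in CONSTRAINTS if matches(p, rel)), None)
    creds = parse_basic(headers.get("Authorization"))

    if required is None and not proactive:
        # Unsecured resource, proactive auth off: the header is ignored entirely.
        return Response(200)

    principal = authenticate(creds)
    if required is None:
        # Unsecured resource, proactive auth on: credentials that were sent are
        # verified anyway, so a bad header yields a 401 challenge (the report).
        if creds is not None and principal is None:
            return Response(401, dict(CHALLENGE))
        return Response(200, principal=principal)

    # Protected resource: authentication is mandatory, then the role is checked.
    if principal is None:
        return Response(401, dict(CHALLENGE))
    if not (USERS[principal][1] & required):
        return Response(403)
    return Response(200, principal=principal)


if __name__ == "__main__":
    hdr = {"Authorization": "Basic Zm9vOmJhcg=="}  # foo:bar, as in the curl trace
    for proactive in (True, False):
        r = handle("/auth-basic/index.html", hdr, proactive)
        print(f"proactive={proactive}: GET /auth-basic/index.html -> {r.status}")
```

The model only reproduces the two observable outcomes the thread is about (challenge on an unsecured path versus ignoring the header); it does not claim to match Undertow's internal ordering of authentication mechanisms, and the role check on a wrong-role user returning 403 is the usual servlet behaviour rather than something the report shows.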


