[jboss-jira] [JBoss JIRA] (WFLY-3590) Option to disable processing of authentication tokens on unsecured resources.

Darran Lofthouse (JIRA) issues at jboss.org
Tue Jul 10 17:14:00 EDT 2018


    [ https://issues.jboss.org/browse/WFLY-3590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13603305#comment-13603305 ] 

Darran Lofthouse commented on WFLY-3590:
----------------------------------------

[~david.everly] Please feel free to open a new Jira issue if you feel this needs addressing with an Elytron based configuration.

> Option to disable processing of authentication tokens on unsecured resources.
> -----------------------------------------------------------------------------
>
>                 Key: WFLY-3590
>                 URL: https://issues.jboss.org/browse/WFLY-3590
>             Project: WildFly
>          Issue Type: Feature Request
>          Components: Web (Undertow)
>    Affects Versions: 8.1.0.Final
>         Environment: Oracle Java 1.8.0_05, Ubuntu 14.04
>            Reporter: Harald Wellmann
>            Assignee: Stuart Douglas
>             Fix For: 10.0.0.Alpha3
>
>
> WildFly sends a basic authentication challenge and denies access when it shouldn't in the following simple setup:
> {code:xml}
>     <login-config>
>         <auth-method>BASIC</auth-method>
>         <realm-name>test</realm-name>
>     </login-config>
>     
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>all</web-resource-name>
>             <url-pattern>/hello</url-pattern>            
>         </web-resource-collection>
>         <auth-constraint>        
>             <role-name>USER</role-name>
>         </auth-constraint>       
>     </security-constraint>
>     
>     <security-role>
>         <role-name>USER</role-name>
>     </security-role>
> {code}
> {{/hello}} is the only protected URL (mapped to a servlet), other URLs like {{/index.html}} are public.
> When GETting /index.html with an (unneeded) basic authentication header, access is denied:
> {noformat}
> $ curl -v -u foo:bar http://localhost:8080/auth-basic/index.html
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 8080 (#0)
> * Server auth using Basic with user 'foo'
> > GET /auth-basic/index.html HTTP/1.1
> > Authorization: Basic Zm9vOmJhcg==
> > User-Agent: curl/7.35.0
> > Host: localhost:8080
> > Accept: */*
> > 
> < HTTP/1.1 401 Unauthorized
> < Connection: keep-alive
> * Authentication problem. Ignoring this.
> < WWW-Authenticate: Basic realm="test"
> < X-Powered-By: Undertow/1
> * Server WildFly/8 is not blacklisted
> < Server: WildFly/8
> < Content-Type: text/html;charset=ISO-8859-1
> < Content-Length: 71
> < Date: Mon, 07 Jul 2014 17:28:25 GMT
> < 
> * Connection #0 to host localhost left intact
> <html><head><title>Error</title></head><body>Unauthorized</body></html>
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
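The issue above turns on one question: when a request carries an Authorization header for a URL that no security-constraint covers, does the container validate the token anyway (and challenge if it is bad), or ignore it? The following is an added example, not code from WildFly, Undertow or the issue's reporter: a small Python model of servlet-style constraint matching plus BASIC validation, driven by the web.xml fragment from the issue. The realm users ("alice", "guest") and the `process_tokens_on_unsecured` switch are assumptions made for the example; with the switch on it reproduces the reported 401 for `curl -u foo:bar .../index.html`, with it off the unneeded token is ignored on public URLs while `/hello` still requires the USER role.

```python
"""Added example (not WildFly/Undertow code): a toy model of servlet
security-constraint evaluation that reproduces the behaviour reported in
WFLY-3590 and shows the requested option. The web.xml fragment is the one
from the issue; the realm users and the option name are constructed."""
import base64
import xml.etree.ElementTree as ET

# web.xml fragment from the issue, wrapped in a root element so it parses.
WEB_XML = """<web-app>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>test</realm-name>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>all</web-resource-name>
            <url-pattern>/hello</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>USER</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>USER</role-name>
    </security-role>
</web-app>"""

# Constructed realm for the example: username -> (password, roles). Not from the issue.
REALM_USERS = {"alice": ("secret", {"USER"}), "guest": ("guest", set())}
REALM_NAME = "test"


def parse_constraints(xml_text):
    """Return [(url_patterns, required_roles)] for each security-constraint
    that carries an auth-constraint (one without it is unrestricted)."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        roles = {r.text.strip() for r in sc.iter("role-name")}
        constraints.append((patterns, roles))
    return constraints


CONSTRAINTS = parse_constraints(WEB_XML)


def url_matches(pattern, path):
    """Servlet-style matching: exact, path prefix ('/app/*'), extension ('*.jsp'), default ('/')."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def basic_header(user, password):
    """Build the Authorization header value the way `curl -u user:password` does."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(authorization):
    """Validate a Basic token against the realm; None when it is missing, malformed or wrong."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
        user, password = decoded.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    entry = REALM_USERS.get(user)
    if entry is None or entry[0] != password:
        return None
    return user, entry[1]


def handle_request(path, authorization=None, process_tokens_on_unsecured=True):
    """Return (status, extra_headers) for a GET of `path`.

    process_tokens_on_unsecured=True models the reported behaviour: every Authorization
    header is validated, so a bad one draws a 401 even on a public URL. False models the
    requested option: tokens on URLs no constraint covers are never examined."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM_NAME}"'}
    required = [roles for patterns, roles in CONSTRAINTS
                if any(url_matches(p, path) for p in patterns)]
    protected = bool(required)

    if not protected and not process_tokens_on_unsecured:
        return 200, {}                 # public URL: the token is ignored entirely

    identity = authenticate(authorization)
    if authorization is not None and identity is None:
        return 401, challenge          # bad credentials -> challenge (the reported case)
    if not protected:
        return 200, {}                 # public URL, token absent or valid
    if identity is None:
        return 401, challenge          # protected URL, no credentials
    _user, roles = identity
    if any(roles & needed for needed in required):
        return 200, {}
    return 403, {}                     # authenticated but lacks a required role
```

`handle_request("/index.html", "Basic Zm9vOmJhcg==")` returns 401 with the same `WWW-Authenticate: Basic realm="test"` challenge the curl trace shows, because `foo:bar` is not a realm user and the token is processed regardless of the URL; passing `process_tokens_on_unsecured=False` returns 200 for the same request, which is the option the issue asks for. Note the trade-off the switch encodes: ignoring tokens on public URLs means a public page can never see an authenticated identity even when the client volunteers valid credentials.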

