[jboss-jira] [JBoss JIRA] (WFWIP-154) Silent Basic let me access resource without credential

Martin Choma (Jira) issues at jboss.org
Fri Jan 4 09:24:00 EST 2019


Martin Choma created WFWIP-154:
----------------------------------

             Summary: Silent Basic let me access resource without credential
                 Key: WFWIP-154
                 URL: https://issues.jboss.org/browse/WFWIP-154
             Project: WildFly WIP
          Issue Type: Bug
          Components: Security
            Reporter: Martin Choma
            Assignee: Darran Lofthouse
         Attachments: FormMechTestCase-web.xml, SilentBasicMechTestCase-web.xml

I use this configuration in web.xml: <auth-method>BASIC?silent=true,FORM</auth-method>, and I get a 200 plus the content of the protected resource when I access the resource without credentials.

If I use this configuration in web.xml: <auth-method>BASIC?silent=true</auth-method>, I correctly get empty content with a 200 status code when I access it without credentials.

Zulip Chat 2019-01-04: https://wildfly.zulipchat.com/#narrow/stream/174178-eap/subject/EAP7-1154.20HTTP.20Basic.20Silent.20Operation

Test Commit: https://github.com/mchoma/wildfly/commit/e191c211c7e224f835c933c31829e59777aa4008



--
This message was sent by Atlassian Jira
(v7.12.1#712002)

