[jboss-jira] [JBoss JIRA] (WFWIP-328) HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403

Darran Lofthouse (Jira) issues at jboss.org
Tue Aug 11 07:01:00 EDT 2020


    [ https://issues.redhat.com/browse/WFWIP-328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14380286#comment-14380286 ] 

Darran Lofthouse commented on WFWIP-328:
----------------------------------------

I think we should double-check this one; a 401 also often implies a challenge, but in this case the client cannot respond. There may be an argument for 403 in this case, as the client cannot be informed of an action to correct this.

> HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403
> --------------------------------------------------------------------------------------
>
>                 Key: WFWIP-328
>                 URL: https://issues.redhat.com/browse/WFWIP-328
>             Project: WildFly WIP
>          Issue Type: Bug
>          Components: Security
>            Reporter: Marek Kopecky
>            Assignee: Ashley Abdel-Sayed
>            Priority: Critical
>
> Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
> Both unauthorized and unauthenticated HTTP requests return 403.
> An unauthorized user should receive a 403 HTTP response, but an unauthenticated user should receive a 401 HTTP code.
> I checked it on WebSecurityExternalAuthTestCase (from wf-ts), and my new test for wrong authentication is failing (see [this commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4c003697452366a740757e]).
> This is not a regression against legacy security



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
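Added illustration, not WildFly or Elytron code: a small model of the 401-versus-403 decision debated above, where a trusted front end has already authenticated the caller and passes the principal in a request header (the header name, realm and role data are assumptions). It encodes the RFC 7235 rule behind the comment: a 401 must carry a WWW-Authenticate challenge, so when no challenge can be issued the server falls back to 403.

```python
"""Models 200/401/403 selection for an 'external' HTTP security setup.

Constructed for this discussion; the identity header, realm and role
table below are assumptions, not WildFly configuration.
"""
from dataclasses import dataclass, field
from typing import Optional

EXTERNAL_IDENTITY_HEADER = "X-Remote-User"   # assumed: set by a trusted proxy


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def authorize(request_headers: dict, allowed_roles: set, user_roles: dict,
              challenge_scheme: Optional[str] = None) -> Response:
    """Decide the status for one request.

    challenge_scheme: an HTTP auth scheme (e.g. "Basic") the server could
    challenge with, or None when, as with external security, the server has
    no way to tell the client how to authenticate.
    """
    user = request_headers.get(EXTERNAL_IDENTITY_HEADER)
    if not user:
        # Unauthenticated. RFC 7235 requires a 401 to carry WWW-Authenticate,
        # so only answer 401 when a real challenge exists; otherwise 403.
        if challenge_scheme:
            return Response(401, {"WWW-Authenticate": f'{challenge_scheme} realm="app"'})
        return Response(403)
    if allowed_roles & user_roles.get(user, set()):
        return Response(200)
    # Authenticated but lacking a required role: always 403, never a challenge.
    return Response(403)


def rfc7235_consistent(resp: Response) -> bool:
    """Invariant worth asserting in a test suite: 401 <=> WWW-Authenticate present."""
    return (resp.status == 401) == ("WWW-Authenticate" in resp.headers)
```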