[jboss-jira] [JBoss JIRA] (WFWIP-328) HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403

Darran Lofthouse (Jira) issues at jboss.org
Tue Aug 11 07:44:00 EDT 2020


    [ https://issues.redhat.com/browse/WFWIP-328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14380399#comment-14380399 ] 

Darran Lofthouse commented on WFWIP-328:
----------------------------------------

In the case of external authentication it is not our place to be making the decision to prompt the client to authenticate, whatever is handling the front end should have already made that decision and prompted accordingly.

This WFWIP will only be reproducible where the front end has decided not to enforce authentication of the remote client.

> HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403
> --------------------------------------------------------------------------------------
>
>                 Key: WFWIP-328
>                 URL: https://issues.redhat.com/browse/WFWIP-328
>             Project: WildFly WIP
>          Issue Type: Bug
>          Components: Security
>            Reporter: Marek Kopecky
>            Assignee: Ashley Abdel-Sayed
>            Priority: Critical
>
> Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
> Both unauthorized and unauthenticated HTTP requests return 403.
> An unauthorized user should receive a 403 HTTP response, but an unauthenticated user should receive a 401 HTTP code.
> I checked it on WebSecurityExternalAuthTestCase (from wf-ts), and my new test for wrong authentication is failing (see [this commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4c003697452366a740757e]).
> This is not a regression against legacy security.
> Related RFC: [RFC-7235|https://tools.ietf.org/html/rfc7235]



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
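An added illustration (not WildFly/Elytron code) of the distinction this thread turns on: in "native" mode the server itself issues the RFC 7235 challenge (401 plus WWW-Authenticate) when credentials are missing, whereas in "external" mode the front end owns authentication and forwards an identity, so a request arriving without one is refused with 403 rather than challenged. The identity header name, realm, user table and role names are constructed assumptions.

```python
# Added example, not code from WildFly/Elytron or the issue. Shows how the
# 401-vs-403 split of RFC 7235 plays out in native mode (server challenges)
# versus external mode (front end authenticates, server only authorizes).
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample data: user -> (password, roles). Not real credentials.
USERS: Dict[str, Tuple[str, set]] = {"alice": ("pw1", {"admin"}),
                                     "bob": ("pw2", {"user"})}
IDENTITY_HEADER = "X-Forwarded-User"   # assumed header set by the front end
REALM = "example"                      # assumed realm name


def basic_header(user: str, password: str) -> Dict[str, str]:
    """Build an HTTP Basic Authorization header for test requests."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def _parse_basic(auth: Optional[str]) -> Optional[str]:
    """Validate a Basic Authorization header; return the user name or None."""
    if not auth or not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    stored = USERS.get(user)
    if not sep or stored is None or not hmac.compare_digest(stored[0], password):
        return None
    return user


def check_access(headers: Dict[str, str], required_role: str,
                 external: bool) -> Tuple[int, Dict[str, str]]:
    """Return (status, extra response headers) for a request needing required_role."""
    if external:
        user = headers.get(IDENTITY_HEADER)   # identity asserted by the front end
    else:
        user = _parse_basic(headers.get("Authorization"))
    if user is None or user not in USERS:
        if external:
            return 403, {}                    # not our place to prompt the client
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if required_role not in USERS[user][1]:
        return 403, {}                        # authenticated but not authorized
    return 200, {}
```

Only when the front end has not enforced authentication does the external-mode request reach the server with no identity, which is exactly the situation in which the reporter observes 403 for both cases.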