[jboss-jira] [JBoss JIRA] (WFWIP-328) HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403

Darran Lofthouse (Jira) issues at jboss.org
Tue Aug 11 08:03:00 EDT 2020


    [ https://issues.redhat.com/browse/WFWIP-328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14380437#comment-14380437 ] 

Darran Lofthouse commented on WFWIP-328:
----------------------------------------

I have just double checked: defaulting to 403 is a decision we previously made and is not a part of this RFE.

If authentication is required and no authentication succeeds and no authentication mechanism is able to issue a response we then return 403.  The EXTERNAL mechanism is only using information on the incoming request but has no ability to challenge by itself.



> HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403
> --------------------------------------------------------------------------------------
>
>                 Key: WFWIP-328
>                 URL: https://issues.redhat.com/browse/WFWIP-328
>             Project: WildFly WIP
>          Issue Type: Bug
>          Components: Security
>            Reporter: Marek Kopecky
>            Assignee: Ashley Abdel-Sayed
>            Priority: Critical
>
> Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
> Both unauthorized and unauthenticated HTTP requests return 403.
> An unauthorized user should receive a 403 HTTP response, but an unauthenticated user should receive a 401 HTTP code.
> I check it on WebSecurityExternalAuthTestCase (from wf-ts) and my new test for wrong authentication is failing (see [this commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4c003697452366a740757e])
> This is not a regression against legacy security
> Related RFC: [RFC-7235|https://tools.ietf.org/html/rfc7235]



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
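The decision rule Darran describes (succeed, or 401 if some mechanism can challenge, otherwise 403) is easy to get wrong when an external identity source is the only mechanism. The following is an added illustration written for this thread, not Elytron's or WildFly's own code: a small model of mechanism negotiation in which an EXTERNAL-style mechanism only reads an identity from the request (here a constructed `X-Remote-User` header) and never challenges, while a BASIC-style mechanism can. The mechanism names, the `X-Remote-User` header, the user table and the `/admin` authorization policy are all assumptions constructed for the example.

```python
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class AuthResult:
    principal: Optional[str] = None   # set when the mechanism established an identity
    challenge: Optional[str] = None   # WWW-Authenticate value the mechanism could send


Mechanism = Callable[[Request], AuthResult]


def external_mechanism(request: Request) -> AuthResult:
    # EXTERNAL-style: trust an identity established outside the server (reverse
    # proxy, TLS client certificate), modelled here as a constructed X-Remote-User
    # header. It only inspects the request and has no challenge to offer.
    return AuthResult(principal=request.headers.get("X-Remote-User"))


def make_basic_mechanism(users: Dict[str, str]) -> Mechanism:
    # BASIC-style: verifies credentials when present; otherwise it can challenge.
    def basic(request: Request) -> AuthResult:
        header = request.headers.get("Authorization", "")
        if header.startswith("Basic "):
            try:
                decoded = base64.b64decode(header[len("Basic "):]).decode()
            except ValueError:  # malformed base64 or non-UTF-8 payload
                decoded = ""
            user, _, password = decoded.partition(":")
            if user and users.get(user) == password:
                return AuthResult(principal=user)
        return AuthResult(challenge='Basic realm="example"')
    return basic


def authenticate(request: Request, mechanisms: List[Mechanism],
                 authorize: Callable[[str, str], bool]) -> Response:
    challenges: List[str] = []
    for mech in mechanisms:
        result = mech(request)
        if result.principal is not None:
            # Authenticated: a permission failure is 403 whatever the mechanism.
            return Response(200 if authorize(result.principal, request.path) else 403)
        if result.challenge:
            challenges.append(result.challenge)
    if challenges:
        # At least one mechanism can ask the client to authenticate: 401.
        return Response(401, {"WWW-Authenticate": ", ".join(challenges)})
    # Authentication required, nobody succeeded, nobody can challenge: 403.
    return Response(403)


# Constructed authorization policy: only 'alice' may reach /admin.
def is_permitted(principal: str, path: str) -> bool:
    return not path.startswith("/admin") or principal == "alice"


USERS = {"alice": "secret", "bob": "hunter2"}          # constructed sample users
EXTERNAL_ONLY = [external_mechanism]
BASIC_AND_EXTERNAL = [make_basic_mechanism(USERS), external_mechanism]


def status_for(headers: Dict[str, str], mechanisms: List[Mechanism],
               path: str = "/admin") -> int:
    return authenticate(Request(path, headers), mechanisms, is_permitted).status


if __name__ == "__main__":
    print("external only, no identity:", status_for({}, EXTERNAL_ONLY))
    print("external only, bob on /admin:", status_for({"X-Remote-User": "bob"}, EXTERNAL_ONLY))
    print("basic+external, no credentials:", status_for({}, BASIC_AND_EXTERNAL))
```

With EXTERNAL as the only mechanism, a request carrying no identity gets 403 rather than 401, exactly as the comment above describes, because nothing in the chain can produce a `WWW-Authenticate` header; adding a mechanism that can challenge turns the same request into a 401. A test that expects 401 for unauthenticated requests therefore needs a challenging mechanism in the chain, not just EXTERNAL.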

