[jboss-jira] [JBoss JIRA] (WFWIP-328) HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403
Marek Kopecky (Jira)
issues at jboss.org
Tue Aug 11 08:34:00 EDT 2020
[ https://issues.redhat.com/browse/WFWIP-328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14380544#comment-14380544 ]
Marek Kopecky commented on WFWIP-328:
-------------------------------------
[~dlofthouse] Thank you, your reasoning makes sense, so I'm closing this jira.
> HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403
> --------------------------------------------------------------------------------------
>
> Key: WFWIP-328
> URL: https://issues.redhat.com/browse/WFWIP-328
> Project: WildFly WIP
> Issue Type: Bug
> Components: Security
> Reporter: Marek Kopecky
> Assignee: Ashley Abdel-Sayed
> Priority: Critical
>
> Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
> Both unauthorized and unauthenticated HTTP requests return 403.
> Unauthorized user should receive 403 HTTP response, but unauthenticated user should receive 401 HTTP code
> I check it on WebSecurityExternalAuthTestCase (from wf-ts) and my new test for wrong authentication is failing (see [this commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4c003697452366a740757e])
> This is not a regression against legacy security
> Related RFC: [RFC-7235|https://tools.ietf.org/html/rfc7235]
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
More information about the jboss-jira
mailing list