WildFly Elytron: ELY-1014

Elytron auth method misconfiguration not logged


Details

    Steps to Reproduce

      1. ./standalone.sh -c standalone-elytron.xml
      2. Deploy secured-webapp.war
      3. Access localhost:8080/secured-webapp/index.jsp
      4. I expect a browser dialog box to appear to allow the user to provide credentials (401 HTTP status code)
      5. But a 403 HTTP code is returned and "Forbidden" is shown in the browser

    Description

      When a deployment is configured to be secured with DIGEST, but the http-authentication-factory does not list the DIGEST mechanism, the user is not informed about the misconfiguration, even when TRACE logging is turned on. When the user tries to access the app, a 403 HTTP code is returned and "Forbidden" is shown in the browser. I would expect a browser dialog to appear to allow the user to provide credentials (401 HTTP status code).

      web.xml
        <login-config>
            <auth-method>DIGEST</auth-method>
            <realm-name>ApplicationRealm</realm-name>
        </login-config>

      standalone-elytron.xml
        <http-authentication-factory name="application-http-authentication" http-server-mechanism-factory="global" security-domain="ApplicationDomain">
            <mechanism-configuration>
                <mechanism mechanism-name="BASIC">
                    <mechanism-realm realm-name="Application Realm"/>
                </mechanism>
                <mechanism mechanism-name="FORM"/>
            </mechanism-configuration>
        </http-authentication-factory>

      This applies globally to all authentication mechanisms, not only DIGEST.

      Could Elytron handle the misconfiguration:

      • either fail during deployment, as the deployment requirement can't be satisfied,
      • or provide reasonable Elytron defaults for the missing mechanism configuration.
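      An added example (not part of this issue and not Elytron's own code) of the kind of check the first suggestion asks for: it parses the deployment's web.xml and the Elytron subsystem fragment offline and reports every auth-method the bound http-authentication-factory does not enable. The two snippets above are embedded as constructed input; the factory name and the subsystem namespace URI are assumptions.

```python
"""Detect a web.xml <auth-method> that the Elytron http-authentication-factory
it is bound to does not enable (the ELY-1014 misconfiguration)."""
import xml.etree.ElementTree as ET

# Constructed inputs mirroring the issue: web.xml asks for DIGEST,
# the factory only lists BASIC and FORM. The namespace is an assumption.
WEB_XML = """<web-app>
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>ApplicationRealm</realm-name>
  </login-config>
</web-app>"""

SUBSYSTEM_XML = """<subsystem xmlns="urn:wildfly:elytron:1.0">
  <http-authentication-factory name="application-http-authentication"
      http-server-mechanism-factory="global" security-domain="ApplicationDomain">
    <mechanism-configuration>
      <mechanism mechanism-name="BASIC">
        <mechanism-realm realm-name="Application Realm"/>
      </mechanism>
      <mechanism mechanism-name="FORM"/>
    </mechanism-configuration>
  </http-authentication-factory>
</subsystem>"""


def _local(tag):
    """Strip an XML namespace prefix such as {urn:...} from a tag name."""
    return tag.rsplit("}", 1)[-1]


def requested_auth_methods(web_xml):
    """Auth-method names the deployment's <login-config> requires."""
    root = ET.fromstring(web_xml)
    return {e.text.strip().upper() for e in root.iter() if _local(e.tag) == "auth-method" and e.text}


def configured_mechanisms(subsystem_xml, factory_name):
    """mechanism-name values enabled under the named http-authentication-factory."""
    root = ET.fromstring(subsystem_xml)
    for factory in root.iter():
        if _local(factory.tag) == "http-authentication-factory" and factory.get("name") == factory_name:
            return {m.get("mechanism-name").upper() for m in factory.iter() if _local(m.tag) == "mechanism"}
    raise ValueError("no http-authentication-factory named %r" % factory_name)


def missing_mechanisms(web_xml, subsystem_xml, factory_name):
    """Mechanisms the deployment needs but the factory does not enable.
    A non-empty result is the case the issue describes: the deployment is
    accepted silently and then answers 403 instead of challenging with 401."""
    return requested_auth_methods(web_xml) - configured_mechanisms(subsystem_xml, factory_name)


if __name__ == "__main__":
    missing = missing_mechanisms(WEB_XML, SUBSYSTEM_XML, "application-http-authentication")
    if missing:
        print("deployment requires mechanisms the factory does not enable:", sorted(missing))
```

Run against a real deployment, the same check would reject the deployment (or at least log the mismatch) before the first 403 is served.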

      People

        jkalina@redhat.com Jan Kalina (Inactive)
        mchoma@redhat.com Martin Choma