WildFly WFLY-3590

Option to disable processing of authentication tokens on unsecured resources.

    Details

    • Type: Feature Request
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 8.1.0.Final
    • Fix Version/s: 10.0.0.Alpha3
    • Component/s: Web (Undertow)
    • Labels: None
    • Environment: Oracle Java 1.8.0_05, Ubuntu 14.04

      Description

      WildFly sends a basic authentication challenge and denies access when it shouldn't in the following simple setup:

          <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>test</realm-name>
          </login-config>

          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>all</web-resource-name>
                  <url-pattern>/hello</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>USER</role-name>
              </auth-constraint>
          </security-constraint>

          <security-role>
              <role-name>USER</role-name>
          </security-role>


      /hello is the only protected URL (mapped to a servlet), other URLs like /index.html are public.

      When GETting /index.html with an (unneeded) basic authentication header, access is denied:

      $ curl -v -u foo:bar http://localhost:8080/auth-basic/index.html
      * Hostname was NOT found in DNS cache
      *   Trying 127.0.0.1...
      * Connected to localhost (127.0.0.1) port 8080 (#0)
      * Server auth using Basic with user 'foo'
      > GET /auth-basic/index.html HTTP/1.1
      > Authorization: Basic Zm9vOmJhcg==
      > User-Agent: curl/7.35.0
      > Host: localhost:8080
      > Accept: */*
      > 
      < HTTP/1.1 401 Unauthorized
      < Connection: keep-alive
      * Authentication problem. Ignoring this.
      < WWW-Authenticate: Basic realm="test"
      < X-Powered-By: Undertow/1
      * Server WildFly/8 is not blacklisted
      < Server: WildFly/8
      < Content-Type: text/html;charset=ISO-8859-1
      < Content-Length: 71
      < Date: Mon, 07 Jul 2014 17:28:25 GMT
      < 
      * Connection #0 to host localhost left intact
      <html><head><title>Error</title></head><body>Unauthorized</body></html>
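As an added illustration (not WildFly's or Undertow's code), a small Python model of the two policies this request is about: validating any presented Authorization header eagerly, which is what the curl session above shows, versus validating it only when a security-constraint actually applies to the path. The user store, the wrapped copy of the web.xml fragment and the exact-match-only pattern handling are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed user store standing in for the "test" realm (not WildFly's).
USERS = {"alice": ("secret", {"USER"})}

# The web.xml fragment from the issue, wrapped in a root element so it parses.
WEB_XML = """<web-app>
  <login-config><auth-method>BASIC</auth-method><realm-name>test</realm-name></login-config>
  <security-constraint>
    <web-resource-collection><url-pattern>/hello</url-pattern></web-resource-collection>
    <auth-constraint><role-name>USER</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def parse_constraints(xml_text):
    # Map each url-pattern to the set of roles its security-constraint requires.
    required = {}
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        roles = {r.text for r in sc.iter("role-name")}
        for p in sc.iter("url-pattern"):
            required.setdefault(p.text, set()).update(roles)
    return required

def authenticate(authorization):
    # Decode a Basic header; return the user's roles on success, None on failure.
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    stored = USERS.get(user)
    return stored[1] if stored and stored[0] == pw else None

def status(path, authorization, required, eager):
    # eager=True models the behaviour reported in WFLY-3590: any Authorization header
    # is validated, so a bad one yields 401 even on an unconstrained resource.
    roles = required.get(path, set())  # exact-match patterns only, for brevity
    if not roles and not (eager and authorization is not None):
        return 200
    granted = authenticate(authorization)
    if granted is None:
        return 401
    return 200 if not roles or roles & granted else 403
```

With the header from the curl session (`Basic Zm9vOmJhcg==`, i.e. foo:bar, a user the realm does not know), the eager policy returns 401 for /index.html while the lazy one returns 200, and both still return 401 for /hello without valid credentials.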
      

      People

      • Assignee: Stuart Douglas (swd847)
      • Reporter: Harald Wellmann (hwellmann.de)