-
Bug
-
Resolution: Obsolete
-
Major
-
None
-
8.2.0.Final
-
None
Artificer runs on Wildfly 8.2 and uses Keycloak for auth. If our WAR contains a servlet that is not protected by a security-constraint in web.xml, Wildfly still attempts to authenticate the call (using Wireshark, I see the GET/POST get funneled through the Keycloak realm redirection) if basic auth credentials are in the header. In a keycloak-dev thread this past Dec., bill.burke suggested this was most likely an issue within Wildfly auth itself.
A credentialed call on an un-protected servlet does sound like an edge case. However, this came up possibly due to a secondary symptom:
If I protect the servlet in web.xml, the call's Authorization header is stripped. I'm not currently able to figure out exactly where that's occurring...