apiman (API Management)
APIMAN-1218

BASIC Auth Policy with Require Transport Security allows non-HTTPS traffic when using correct credentials


    • Bug
    • Resolution: Done
    • Blocker
    • 1.2.8.Final, 1.2.x
    • 1.2.7.Final
    • Policy
    • None

      1. Set user a:a
      2. Set "Transport security required"
      3. Use correct credentials
      4. Access via non-HTTPS endpoint

      Result: You see an error but the backend is still hit and its response is still returned.

      curl http://a:a@localhost:8080/foo-bar/test/test/10
      {"type":"Authentication","failureCode":10011,"responseCode":0,"message":"BASIC authentication failed.","headers":[{"WWW-Authenticate":"Basic realm=\"test-realm\""}]}{
        "method" : "GET",
        "resource" : "/services/echo",
        "uri" : "/services/echo",
        "headers" : {
          "Accept" : "*/*",
          "Connection" : "Keep-Alive",
          "User-Agent" : "curl/7.50.1",
          "Host" : "localhost:8080",
          "Accept-Encoding" : "gzip"
        },
        "bodyLength" : null,
        "bodySha1" : null,
        "counter" : 3
      }
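As an added regression check (not apiman's own code): the script below splits the body the gateway returns over plain HTTP and flags the symptom above, a policy failure document immediately followed by a leaked backend response. The sample bodies are constructed from the curl output in the report; `probe()` and the a:a credentials are assumptions for running it against a local gateway.

```python
import base64
import json
import urllib.error
import urllib.request

# Constructed samples (not captured from a live gateway): LEAKED_BODY mirrors the
# curl output in the report (policy failure JSON immediately followed by the echo
# backend's JSON); CLEAN_BODY is what a correct short-circuit returns: the failure alone.
LEAKED_BODY = (
    '{"type":"Authentication","failureCode":10011,"responseCode":0,'
    '"message":"BASIC authentication failed.",'
    '"headers":[{"WWW-Authenticate":"Basic realm=\\"test-realm\\""}]}'
    '{"method":"GET","uri":"/services/echo","bodyLength":null,"bodySha1":null,"counter":3}'
)
CLEAN_BODY = LEAKED_BODY[: LEAKED_BODY.index("}{") + 1]

def split_json_documents(body):
    """Split back-to-back JSON documents; returns (docs, non-JSON tail such as a text body)."""
    decoder, docs, pos = json.JSONDecoder(), [], 0
    while True:
        while pos < len(body) and body[pos].isspace():
            pos += 1
        if pos >= len(body):
            return docs, ""
        try:
            obj, pos = decoder.raw_decode(body, pos)
        except json.JSONDecodeError:
            return docs, body[pos:]
        docs.append(obj)

def check_transport_security_enforced(body):
    """policy_failed and backend_leaked both true is the APIMAN-1218 symptom."""
    docs, tail = split_json_documents(body)
    failure = next((d for d in docs if isinstance(d, dict) and "failureCode" in d), None)
    extra = [d for d in docs if d is not failure]
    return {
        "policy_failed": failure is not None,
        "failure_code": failure["failureCode"] if failure else None,
        "backend_leaked": bool(extra) or bool(tail),
    }

def probe(url, user="a", password="a"):
    """GET a plain-HTTP gateway URL with Basic credentials; returns the body even on 4xx/5xx."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")
```

Run `check_transport_security_enforced(probe("http://localhost:8080/foo-bar/test/test/10"))` against the gateway; a fixed build reports `backend_leaked: False`.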
      

              msavy_jira Marc Savy (Inactive)