WildFly Elytron / ELY-2487

Misplaced call to isAutodetectedBearerOnly() in class RequestAuthenticator


      1) Set up a simple JSF project with a BUTTON with AJAX.

      2) Change "autodetect-bearer-only" in "WEB-INF/oidc.json" to "false".

      3) The button will work (POST: Response with HTTP code 200).

      4) Change "autodetect-bearer-only" in "WEB-INF/oidc.json" to "true".

      5) The button will not work (POST: Response with HTTP code 401).


      Method isAutodetectedBearerOnly() should be invoked after checking cached token.

      Invoking isAutodetectedBearerOnly() early will break every AJAX request that relies on the HTTP session. A clear example is the JSF Partial Request: by design it sends neither the "Authorization" header nor the "auth" query parameter; it relies on the HTTP session. During the initial load of the view the user was authenticated and the token was stored in the HTTP session, so the JSF Partial Request relies on the HTTP session.
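      A minimal model of the ordering problem described above, added here as an illustration and not code from WildFly Elytron's RequestAuthenticator: the same simulated JSF partial request (token already cached in the HTTP session, no "Authorization" header) is run through both orderings. The header names and the bearer-only heuristic are assumptions made for the model.

```java
import java.util.Map;

/** Toy model of the authenticator decision order; not WildFly Elytron's real code. */
public class AutodetectOrderModel {
    enum Outcome { AUTHENTICATED_200, CHALLENGE_401, REDIRECT_TO_LOGIN }

    record Request(Map<String, String> headers, boolean sessionHasToken) {
        String header(String name) { return headers.getOrDefault(name, ""); }
    }

    /** Assumed heuristic: requests that cannot follow a login redirect are treated as bearer-only. */
    static boolean isAutodetectedBearerOnly(Request req) {
        return req.header("Faces-Request").equals("partial/ajax")      // JSF partial request
            || req.header("X-Requested-With").equals("XMLHttpRequest")
            || !req.header("Accept").contains("text/html");
    }

    /** Ordering the report complains about: autodetect runs before the cached token is consulted. */
    static Outcome authenticateEarlyAutodetect(Request req, boolean autodetectBearerOnly) {
        if (!req.header("Authorization").isEmpty()) return Outcome.AUTHENTICATED_200; // bearer path (validation elided)
        if (autodetectBearerOnly && isAutodetectedBearerOnly(req)) return Outcome.CHALLENGE_401;
        if (req.sessionHasToken()) return Outcome.AUTHENTICATED_200;   // cached token never reached for AJAX
        return Outcome.REDIRECT_TO_LOGIN;
    }

    /** Ordering the report asks for: the cached session token is checked first. */
    static Outcome authenticateCachedTokenFirst(Request req, boolean autodetectBearerOnly) {
        if (!req.header("Authorization").isEmpty()) return Outcome.AUTHENTICATED_200;
        if (req.sessionHasToken()) return Outcome.AUTHENTICATED_200;   // session established on initial view load
        if (autodetectBearerOnly && isAutodetectedBearerOnly(req)) return Outcome.CHALLENGE_401;
        return Outcome.REDIRECT_TO_LOGIN;
    }

    public static void main(String[] args) {
        // Constructed JSF partial (AJAX) POST: session holds the token, no Authorization header or "auth" parameter.
        Request jsfAjax = new Request(
            Map.of("Faces-Request", "partial/ajax", "Accept", "application/xml, text/xml, */*"), true);
        System.out.println("autodetect=false, early autodetect:   " + authenticateEarlyAutodetect(jsfAjax, false));
        System.out.println("autodetect=true,  early autodetect:   " + authenticateEarlyAutodetect(jsfAjax, true));
        System.out.println("autodetect=true,  cached token first: " + authenticateCachedTokenFirst(jsfAjax, true));
    }
}
```

      With "autodetect-bearer-only" set to true, the early-autodetect ordering challenges the session-backed AJAX request while the cached-token-first ordering accepts it, which matches the 401 versus 200 behaviour in the steps above.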

              santos.zatarainv@gmail.com Santos Zatarain (Inactive)