WildFly Elytron / ELY-2487

Misplaced call to isAutodetectedBearerOnly() in class RequestAuthenticator


Details


      1) Set up a simple JSF project with a BUTTON with AJAX.

      2) Change "autodetect-bearer-only" in "WEB-INF/oidc.json" to "false".

      3) The button will work (POST: response with HTTP status 200).

      4) Change "autodetect-bearer-only" in "WEB-INF/oidc.json" to "true".

      5) The button will not work (POST: response with HTTP status 401).


    Description

      Method isAutodetectedBearerOnly() should be invoked after checking the cached token.

      Invoking isAutodetectedBearerOnly() early will break every AJAX request that relies on the HTTP session. A clear example is a JSF Partial Request: by design it never sends the "Authorization" header nor the "auth" query parameter; it relies on the HTTP session. During the initial load of the view the user was authenticated and the token was stored in the HTTP session, so the JSF Partial Request relies on the HTTP session.
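      The following is an added model of the ordering problem described in the steps and the description above; it is not WildFly Elytron code and does not use the Elytron API. It replays the reporter's steps 2-5 against two request-authenticator orderings: the reported one, where the bearer-only heuristic runs before the cached session token is consulted, and the requested one, where the session token is honoured first. The header set used to detect a non-interactive request (X-Requested-With, Faces-Request, SOAPAction, Accept) and the 302-on-missing-credentials behaviour are assumptions of this model, and the JSF partial request is constructed inline.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    # Token cached at interactive login; None when the user never logged in.
    token: Optional[str] = None


@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)
    session: Session = field(default_factory=Session)

    def header(self, name: str) -> Optional[str]:
        lowered = {k.lower(): v for k, v in self.headers.items()}
        return lowered.get(name.lower())


def is_autodetected_bearer_only(req: Request, autodetect: bool) -> bool:
    """Heuristic deciding that a request is non-interactive and must carry a
    bearer token instead of being redirected to the provider for login.
    ASSUMPTION: the header set below is modelled, not copied from Elytron."""
    if not autodetect:  # autodetect-bearer-only=false in oidc.json
        return False
    if (req.header("X-Requested-With") or "").lower() == "xmlhttprequest":
        return True
    if (req.header("Faces-Request") or "").startswith("partial/"):
        return True  # JSF partial (AJAX) request
    if req.header("SOAPAction") is not None:
        return True
    accept = req.header("Accept") or ""
    # A client that does not accept HTML cannot follow a login redirect.
    return not any(t in accept for t in ("text/html", "text/*", "*/*"))


def has_bearer_credentials(req: Request) -> bool:
    # The two ways a caller can present a token without a session.
    return req.header("Authorization") is not None or "auth" in req.query


def authenticate_buggy(req: Request, autodetect: bool) -> int:
    """Ordering reported in the ticket: bearer-only detection runs before the
    cached session token is consulted, so a session-backed AJAX call gets 401."""
    if is_autodetected_bearer_only(req, autodetect) and not has_bearer_credentials(req):
        return 401
    if req.session.token is not None:
        return 200
    if has_bearer_credentials(req):
        return 200  # simplification: assume the presented token validates
    return 302  # interactive request with nothing to go on: redirect to login


def authenticate_fixed(req: Request, autodetect: bool) -> int:
    """Ordering the ticket asks for: the session token is honoured first and the
    bearer-only heuristic only chooses between 401 and a login redirect."""
    if req.session.token is not None:
        return 200
    if has_bearer_credentials(req):
        return 200  # same simplification as above
    if is_autodetected_bearer_only(req, autodetect):
        return 401  # no token anywhere and the client cannot follow a redirect
    return 302


def jsf_partial_request(logged_in: bool) -> Request:
    """Constructed JSF AJAX postback: Faces-Request header, no Authorization
    header, no auth query parameter, token only in the HTTP session."""
    return Request(
        headers={"Faces-Request": "partial/ajax", "Accept": "*/*"},
        session=Session(token="cached-id-token" if logged_in else None),
    )


def reproduce() -> Dict[str, int]:
    """Replays the ticket's steps 2-5 against both orderings."""
    req = jsf_partial_request(logged_in=True)
    return {
        "buggy, autodetect=false": authenticate_buggy(req, False),
        "buggy, autodetect=true": authenticate_buggy(req, True),
        "fixed, autodetect=true": authenticate_fixed(req, True),
    }


if __name__ == "__main__":
    for case, status in reproduce().items():
        print(f"{case}: {status}")
```

      Running it shows the three outcomes from the report: 200 with autodetection off, 401 with autodetection on under the reported ordering, and 200 with autodetection on once the session token is checked first. The corrected ordering does not weaken the heuristic: an XHR or JSF partial request with neither a session nor a bearer token still receives 401 rather than a redirect it could not follow.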

          People

            santos.zatarainv@gmail.com Santos Zatarain (Inactive)