WildFly Elytron / ELY-2548

BasicAuthenticationMechanism should return FORBIDDEN instead of UNAUTHORIZED


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major

    Description

      The evaluateRequest method of BasicAuthenticationMechanism should return FORBIDDEN when the authorization handler returns false.

      In the wildfly/testsuite/integration/elytron/BasicAuthnTestCase the FORBIDDEN response is thanks to the following class: https://github.com/undertow-io/undertow/blob/master/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletSecurityRoleHandler.java#L58

      In our quickstarts that use RESTEasy the response FORBIDDEN is being configured here: https://github.com/resteasy/resteasy/blob/main/resteasy-core/src/main/java/org/jboss/resteasy/plugins/interceptors/RoleBasedSecurityFilter.java#L46

      We do not currently have a test case that tests a response when the authorization handler is returning false.

      In the basic authentication mechanism, when authorization fails we are returning UNAUTHORIZED rather than FORBIDDEN.

      This issue is to fix this behavior and add a test that checks the response when AuthorizeCallback#isAuthorized is set to false.
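As an added illustration (not Elytron's code), the following Python model shows the response mapping the issue asks for: a missing or invalid Basic credential gets 401 with a WWW-Authenticate challenge, while a valid identity that fails the authorization check (the AuthorizeCallback#isAuthorized decision) gets 403 with no challenge. The identity store, realm name and roles are constructed sample values.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample identity store: username -> (password, roles). Not an Elytron security realm.
USERS = {"alice": ("alice-secret", {"admin", "user"}), "bob": ("bob-secret", {"user"})}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="ApplicationRealm"'}

def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a Basic-auth client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an Authorization header, or None if absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password

def authenticate(user: str, password: str) -> bool:
    """Verify the credentials; the compare runs even for unknown users so timing is uniform."""
    entry = USERS.get(user)
    expected = entry[0] if entry else "no-such-user"
    match = hmac.compare_digest(password.encode(), expected.encode())
    return entry is not None and match

def authorize(user: str, required_role: str) -> bool:
    """Stand-in for the AuthorizeCallback#isAuthorized decision: does the caller hold the role?"""
    return required_role in USERS[user][1]

def evaluate_request(auth_header: Optional[str], required_role: str) -> Tuple[int, Dict[str, str]]:
    """401 with a challenge when not authenticated; 403 (no challenge) when authenticated but not authorized."""
    creds = parse_basic(auth_header)
    if creds is None or not authenticate(*creds):
        return 401, dict(CHALLENGE)  # UNAUTHORIZED: the client still has to prove who it is
    if not authorize(creds[0], required_role):
        return 403, {}  # FORBIDDEN: identity is known but lacks the role; re-sending credentials will not help
    return 200, {}
```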

    People

      rh-ee-kekumar Keshav Kumar (Inactive)