Hawkular component has bogus security rules.
Because we need to allow display of the root welcome page, the / url-pattern was set as an unsecured url-pattern. But this implies that requests without credentials are not rejected by the container, and are dispatched to application code instead.
If we remove this mapping, the container rejects requests with invalid credentials as expected (401). But requests without credentials are redirected to the KC login page (302). And we can no longer display the status page.
Security rules should be the following:
- status page / and status endpoint /status can be queried freely
- requests without credentials should be rejected (401)
- requests with invalid credentials should be rejected (401)
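
A regression check for the three rules above, as an added example that is not part of the original report or of Hawkular's code: it audits observed responses and names which rule each one breaks. The protected path `/api/example` and the sample status codes are constructed for illustration, including the assumption that a request reaching application code comes back as 200.

```python
from urllib.parse import urlsplit

# Paths the report says must be reachable without credentials.
PUBLIC_PATHS = {"/", "/status"}

def check(url, creds, status):
    """Return None if one observed response obeys the rules, else a reason.

    creds is 'none', 'invalid' or 'valid'; status is the HTTP status code.
    """
    path = urlsplit(url).path or "/"
    redirect = 300 <= status < 400
    if path in PUBLIC_PATHS:
        if redirect or status in (401, 403):
            return "public page is not freely reachable"
        return None
    if creds == "valid" or status == 401:
        return None  # the rules only constrain unauthenticated requests
    if redirect:
        return "redirected to login instead of rejected with 401"
    if 200 <= status < 300:
        return "reached application code without authentication"
    return "rejected, but not with 401"

def audit(observations):
    """Return (url, creds, status, reason) for every rule violation."""
    findings = []
    for url, creds, status in observations:
        reason = check(url, creds, status)
        if reason:
            findings.append((url, creds, status, reason))
    return findings

# Constructed observations; /api/example is a hypothetical protected path.
UNSECURED_ROOT = [("/", "none", 200), ("/api/example", "none", 200),
                  ("/api/example", "invalid", 401)]
MAPPING_REMOVED = [("/", "none", 302), ("/api/example", "none", 302),
                   ("/api/example", "invalid", 401)]

if __name__ == "__main__":
    for name, obs in (("unsecured /", UNSECURED_ROOT),
                      ("mapping removed", MAPPING_REMOVED)):
        for finding in audit(obs):
            print(name, finding)
```
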