- Bug
- Resolution: Done
- Critical
- 7.1.0.CR1
The BEARER_TOKEN authentication mechanism doesn't respond correctly when a user accesses a protected URL. It just replies with status 401 (Unauthorized).
The WWW-Authenticate response header is not sent, so the client cannot tell whether it is possible to authenticate to the application at all, or which mechanism to use.
RFC 6750, section 3, says:
If the protected resource request does not include authentication credentials or does not contain an access token that enables access to the protected resource, the resource server MUST include the HTTP "WWW-Authenticate" response header field; it MAY include it in response to other conditions as well. The "WWW-Authenticate" header field uses the framework defined by HTTP/1.1 [RFC2617].
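The following is an added example, not code from Elytron or from this issue, showing the resource-server behaviour RFC 6750 section 3 requires next to the behaviour the report describes. It models a protected resource as a plain function over request headers; the realm name, the token store and the sample token values are constructed stand-ins, and `missing_challenge` is a check a test suite could run against any 401 response to catch the bug.

```python
"""RFC 6750 section 3: a 401 from a bearer-token resource server must carry WWW-Authenticate.

Added example; not part of the Elytron project. Realm, token store and token
values below are constructed stand-ins for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

REALM = "example-realm"                      # assumed realm name
VALID_TOKENS = {"constructed-good-token"}    # constructed stand-in for real token validation


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def bearer_challenge(realm: str, error: Optional[str] = None,
                     description: Optional[str] = None) -> str:
    """Build the WWW-Authenticate value: Bearer realm="..." plus optional error attributes."""
    parts = [f'realm="{realm}"']
    if error:
        parts.append(f'error="{error}"')
    if description:
        parts.append(f'error_description="{description}"')
    return "Bearer " + ", ".join(parts)


def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, or None."""
    auth = headers.get("Authorization")
    if not auth:
        return None
    scheme, _, credentials = auth.partition(" ")
    if scheme.lower() != "bearer" or not credentials.strip():
        return None
    return credentials.strip()


def handle_protected(request_headers: Dict[str, str]) -> Response:
    """Compliant behaviour: every 401 carries a Bearer challenge."""
    token = extract_bearer_token(request_headers)
    if token is None:
        # No credentials at all: challenge without an error code, so the client
        # learns that Bearer authentication is possible (RFC 6750 section 3.1).
        return Response(401, {"WWW-Authenticate": bearer_challenge(REALM)})
    if token not in VALID_TOKENS:
        # Credentials present but not accepted: challenge with error="invalid_token".
        return Response(401, {"WWW-Authenticate": bearer_challenge(
            REALM, "invalid_token", "token is not recognised")})
    return Response(200, {}, "protected content")


def buggy_handle_protected(request_headers: Dict[str, str]) -> Response:
    """The behaviour this issue reports: a bare 401 with no challenge header."""
    token = extract_bearer_token(request_headers)
    if token is not None and token in VALID_TOKENS:
        return Response(200, {}, "protected content")
    return Response(401)


def missing_challenge(response: Response) -> bool:
    """True when a 401 lacks a Bearer WWW-Authenticate header (the RFC 6750 violation)."""
    if response.status != 401:
        return False
    www = response.headers.get("WWW-Authenticate", "")
    return not www.lower().startswith("bearer")


if __name__ == "__main__":
    for label, handler in (("compliant", handle_protected), ("buggy", buggy_handle_protected)):
        resp = handler({})
        print(f"{label}: {resp.status} {resp.headers} missing_challenge={missing_challenge(resp)}")
```

Running the module shows the compliant handler answering an unauthenticated request with `401` and `WWW-Authenticate: Bearer realm="example-realm"`, while the buggy handler returns `401` with no headers, which `missing_challenge` flags.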
- relates to: ELY-1364 Elytron BEARER_TOKEN HTTP authentication mechanism doesn't send WWW-Authenticate header (Resolved)