Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-13108

Elytron BEARER_TOKEN HTTP authentication mechanism doesn't send WWW-Authenticate header

    XMLWordPrintable

Details

    • Hide

      The regression tests are within new context propagation tests in AS TS

      git clone -b JBEAP-13108-reproducer-bearer-token-wwwauhtenticate-header https://github.com/kwart/wildfly.git
cd wildfly
mvn clean install -DskipTests -Dcheckstyle.skip -Denforcer.skip
cd testsuite/integration/manualmode
mvn clean test -Dcheckstyle.skip -Denforcer.skip -DtestLogToFile=false -Dtest=SecurityContextPropagationSLSLTestCase#testServletBearerToken\*
      Show
      The regression tests are within new context propagation tests in AS TS git clone -b JBEAP-13108-reproducer-bearer-token-wwwauhtenticate-header https://github.com/kwart/wildfly.git cd wildfly mvn clean install -DskipTests -Dcheckstyle.skip -Denforcer.skip cd testsuite/integration/manualmode mvn clean test -Dcheckstyle.skip -Denforcer.skip -DtestLogToFile=false -Dtest=SecurityContextPropagationSLSLTestCase #testServletBearerToken\*

    Description

      The BEARER_TOKEN authentication mechanism doesn't correctly respond when user accesses a protected URL. It just replies with status 401 (Unauthorized).

      The WWW-Authenticate response header is not used, so the client doesn't know if there is a possibility to authenticate into the application (and which mechanism to use).

      The RFC 6750 in section 3 says:

         If the protected resource request does not include authentication
   credentials or does not contain an access token that enables access
   to the protected resource, the resource server MUST include the HTTP
   "WWW-Authenticate" response header field; it MAY include it in
   response to other conditions as well.  The "WWW-Authenticate" header
   field uses the framework defined by HTTP/1.1 [RFC2617].

      Attachments

        Issue Links

          relates to

          Bug - A problem that impairs or prevents the functions of the product. ELY-1364 Elytron BEARER_TOKEN HTTP authentication mechanism doesn't send WWW-Authenticate header

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              psilva@redhat.com Pedro Igor Craveiro
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: