  1. JBoss Enterprise Application Platform
  2. JBEAP-15168

[GSS](7.1.z) [EAP] constraint driven authentication method in Undertow doesn't work with Elytron

    Details

    • Steps to Reproduce:

      1) Enable Elytron in EAP with "bin/jboss-cli.sh --file=docs/examples/enable-elytron.cli"
      2) Set up constraint driven authentication:
      bin/jboss-cli.sh --connect "/subsystem=undertow/servlet-container=default:write-attribute(name=proactive-authentication, value=false)"
      3) Deploy any test application without any authentication constraints. I used the "helloworld" quickstart, but any unsecured resource will work.
      4) Try to access the URL with basic auth:
      curl -u foo:bar http://localhost:8080/jboss-helloworld/ -v
      Note the user here is invalid.

      This will give a 401 HTTP response. However, with constraint driven authentication this should give the page.
    • Workaround Description:
      Don't use Elytron.


      Description

      Integration code for JBEAP-15054


      When Elytron is enabled, the constraint driven authentication method (i.e. proactive-authentication=false) has no effect.

      If you try to request an unsecured page sending in an invalid user with basic authentication, you should get the page returned with constraint driven authentication and a 401 with proactive authentication. This is what happens without Elytron enabled. But if you enable Elytron it gives a 401 in both cases.
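
      The reproduction steps above can be turned into a repeatable check, shown here as an added example that is not part of the original issue or of the EAP code base. The function names are hypothetical, and the script assumes the unsecured page answers 200 when it is served.

```shell
#!/bin/sh
# Added example: probe an unsecured URL and compare the observed behaviour
# with the configured proactive-authentication value.
# Assumption: the target has no security constraints and returns 200 when served.

# http_status URL [USER:PASS] -> prints the HTTP status code (000 if unreachable)
http_status() {
    if [ -n "${2:-}" ]; then
        curl -s -o /dev/null -w '%{http_code}' -u "$2" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' "$1"
    fi
}

# classify ANON_STATUS BADCREDS_STATUS -> prints the observed authentication mode
classify() {
    case "$1:$2" in
        200:200) echo constraint-driven ;;  # credentials ignored on an unsecured page
        200:401) echo proactive ;;          # credentials checked although nothing requires them
        401:*)   echo secured-resource ;;   # page is constrained, so it is not a valid probe target
        *)       echo inconclusive ;;
    esac
}

# verdict CONFIGURED_PROACTIVE OBSERVED_MODE -> exit status 0 if they agree
verdict() {
    case "$1:$2" in
        false:constraint-driven|true:proactive) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh probe.sh http://localhost:8080/jboss-helloworld/ false
if [ -n "${1:-}" ]; then
    url=$1
    configured=${2:-false}
    anon=$(http_status "$url")
    bad=$(http_status "$url" 'foo:bar')     # invalid user, as in the report
    mode=$(classify "$anon" "$bad")
    echo "anonymous=$anon invalid-creds=$bad observed=$mode proactive-authentication=$configured"
    verdict "$configured" "$mode" || { echo "MISMATCH: setting has no effect"; exit 1; }
fi
```

      With the behaviour reported in this issue (Elytron enabled, proactive-authentication=false), the probe sees 200 without credentials and 401 with the invalid user, and exits with MISMATCH.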

                People

                • Assignee:
                  spyrkob Bartosz Spyrko-Smietanko
                  Reporter:
                  spyrkob Bartosz Spyrko-Smietanko