  1. JBoss Enterprise Application Platform
  2. JBEAP-15168

[GSS](7.1.z) [EAP] constraint driven authentication method in undertow doesn't work with elytron



      Don't use Elytron.


      1) Enable Elytron in EAP with "bin/jboss-cli.sh --file=docs/examples/enable-elytron.cli"
      2) Set up constraint driven authentication:
      bin/jboss-cli.sh --connect "/subsystem=undertow/servlet-container=default:write-attribute(name=proactive-authentication, value=false)"
      3) Deploy any test application without any authentication constraints. I used "helloworld" quickstart, but any unsecured resource will work.
      4) Try to access the URL with basic auth:
      curl -u foo:bar http://localhost:8080/jboss-helloworld/ -v
      Note the user here is invalid.

      This will give a 401 HTTP response. However, with constraint driven authentication this should give the page.


      Integration code for JBEAP-15054


      When Elytron is enabled, the constraint driven authentication method (i.e. proactive-authentication=false) has no effect.

      If you try to request an unsecured page sending in an invalid user with basic authentication, you should get the page returned with constraint driven authentication and a 401 with proactive authentication. This is what happens without Elytron enabled. But if you enable Elytron, it gives a 401 in both cases.

              spyrkob Bartosz Spyrko-Smietanko
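The reproduction steps above as a repeatable check, added here as an example (it is not part of the original issue or of EAP): it requests the unsecured URL once anonymously and once with invalid Basic credentials, then classifies the observed behaviour. The function names are hypothetical; the URL in the usage comment and the `foo:bar` credentials are the ones from the steps.

```bash
#!/usr/bin/env bash
# Added example: regression check for the behaviour described in this issue.
# Assumption: the URL points at a resource with NO security constraint,
# such as the helloworld quickstart used in the steps above.

# http_status URL [USER:PASS] -> prints the HTTP status ("000" if unreachable)
http_status() {
  local url=$1 creds=${2:-}
  if [ -n "$creds" ]; then
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 -u "$creds" "$url" || true
  else
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$url" || true
  fi
}

# auth_mode ANON_STATUS INVALID_CREDS_STATUS -> prints the observed mode
auth_mode() {
  local anon=$1 invalid=$2
  case "$anon:$invalid" in
    # Invalid credentials are ignored because nothing requires authentication.
    200:200) echo "constraint-driven" ;;
    # Credentials are verified although the resource is unsecured.
    200:401) echo "proactive" ;;
    # The anonymous request was rejected: wrong target for this check.
    401:*|403:*) echo "resource-is-secured" ;;
    *) echo "inconclusive" ;;
  esac
}

# check_auth_mode URL EXPECTED_MODE -> exit status 0 when the modes match
check_auth_mode() {
  local url=$1 expected=$2 anon invalid mode
  anon=$(http_status "$url")
  invalid=$(http_status "$url" "foo:bar")   # invalid user from the steps
  mode=$(auth_mode "$anon" "$invalid")
  echo "anonymous=$anon invalid-credentials=$invalid mode=$mode expected=$expected"
  [ "$mode" = "$expected" ]
}

# Usage, after setting proactive-authentication=false:
#   check_auth_mode http://localhost:8080/jboss-helloworld/ constraint-driven
```

With the behaviour reported here (Elytron enabled), the check prints `mode=proactive` and returns non-zero even though `proactive-authentication` is `false`.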