Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-15265

[GSS](7.1.z) ELY-1510 - Bearer authentication sends 401 to unprotected resources when no auth in progress

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 7.1.5.CR1, 7.1.5.GA
    • 7.1.3.GA, 7.1.4.CR1
    • Security
    • None

      If you try to access unprotected resource with no Authorization header, BearerTokenAuthenticationMechanism sees it as a failed authentication so 401 is sent.


      https://github.com/wildfly/quickstart/tree/master/jaxrs-jwt fails with "401 Unauthorized":

       client]$ mvn compile exec:java
      ...(snip)...
      [INFO] --- maven-compiler-plugin:3.7.0:compile (default-compile) @ jaxrs-jwt-client ---
      [INFO] Nothing to compile - all classes are up to date
      [INFO] 
      [INFO] --- maven-checkstyle-plugin:3.0.0:checkstyle (check-style) @ jaxrs-jwt-client ---
      [INFO] Starting audit...
      Audit done.
      [INFO] 
      [INFO] --- exec-maven-plugin:1.6.0:java (default-cli) @ jaxrs-jwt-client ---
      ------------------------------
      Testing admin 
      ------------------------------
      Obtaining JWT...
      [WARNING] 
      javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
          at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus (ClientInvocation.java:219)
          at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult (ClientInvocation.java:193)
          at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke (ClientInvocation.java:457)
          at org.jboss.resteasy.client.jaxrs.internal.ClientInvocationBuilder.post (ClientInvocationBuilder.java:211)
          at org.jboss.quickstarts.jaxrsjwt.client.JwtRestClient.test (JwtRestClient.java:70)
          at org.jboss.quickstarts.jaxrsjwt.client.JwtRestClient.main (JwtRestClient.java:50)
          at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke (Method.java:498)
          at org.codehaus.mojo.exec.ExecJavaMojo$1.run (ExecJavaMojo.java:282)
          at java.lang.Thread.run (Thread.java:748)
      [INFO] ------------------------------------------------------------------------
      [INFO] BUILD FAILURE
      [INFO] ------------------------------------------------------------------------
      

      ELY-1510 is already fixed in the upstream (Elytrong 1.2.1.Final or later). I confirmed this issue does not happen with WildFly 13 and JBoss EAP 7.2.0.Beta.

      Also, I backported the upstream patch to EAP 7.1.4 Elytron 1.1.10.Final with slight modification (need to change httpBearer.debugf(...) to log.debugf(...)), then I confirmed this issue is resolved with the patch. Please backport the patch to EAP 7.1.

              rhn-support-ivassile Ilia Vassilev
              rhn-support-mmiura Masafumi Miura
              Peter Mackay Peter Mackay
              Peter Mackay Peter Mackay
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: