JBoss Enterprise Application Platform
JBEAP-15265

[GSS](7.1.z) ELY-1510 - Bearer authentication sends 401 to unprotected resources when no auth in progress


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 7.1.5.CR1, 7.1.5.GA
    • Affects Version/s: 7.1.3.GA, 7.1.4.CR1
    • Component/s: Security
    • Labels: None

    Description

      If you try to access an unprotected resource with no Authorization header, BearerTokenAuthenticationMechanism sees it as a failed authentication, so a 401 is sent.


      https://github.com/wildfly/quickstart/tree/master/jaxrs-jwt fails with "401 Unauthorized":

       client]$ mvn compile exec:java
      ...(snip)...
      [INFO] --- maven-compiler-plugin:3.7.0:compile (default-compile) @ jaxrs-jwt-client ---
      [INFO] Nothing to compile - all classes are up to date
      [INFO] 
      [INFO] --- maven-checkstyle-plugin:3.0.0:checkstyle (check-style) @ jaxrs-jwt-client ---
      [INFO] Starting audit...
      Audit done.
      [INFO] 
      [INFO] --- exec-maven-plugin:1.6.0:java (default-cli) @ jaxrs-jwt-client ---
      ------------------------------
      Testing admin 
      ------------------------------
      Obtaining JWT...
      [WARNING] 
      javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
          at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus (ClientInvocation.java:219)
          at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult (ClientInvocation.java:193)
          at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke (ClientInvocation.java:457)
          at org.jboss.resteasy.client.jaxrs.internal.ClientInvocationBuilder.post (ClientInvocationBuilder.java:211)
          at org.jboss.quickstarts.jaxrsjwt.client.JwtRestClient.test (JwtRestClient.java:70)
          at org.jboss.quickstarts.jaxrsjwt.client.JwtRestClient.main (JwtRestClient.java:50)
          at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke (Method.java:498)
          at org.codehaus.mojo.exec.ExecJavaMojo$1.run (ExecJavaMojo.java:282)
          at java.lang.Thread.run (Thread.java:748)
      [INFO] ------------------------------------------------------------------------
      [INFO] BUILD FAILURE
      [INFO] ------------------------------------------------------------------------
      

      ELY-1510 is already fixed upstream (Elytron 1.2.1.Final or later). I confirmed this issue does not happen with WildFly 13 and JBoss EAP 7.2.0.Beta.

      Also, I backported the upstream patch to EAP 7.1.4 (Elytron 1.1.10.Final) with a slight modification (httpBearer.debugf(...) needs to be changed to log.debugf(...)) and confirmed this issue is resolved with the patch. Please backport the patch to EAP 7.1.
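      The distinction the report turns on is between "no credential was presented" and "a credential was presented and rejected". The following is an added illustration, not the jaxrs-jwt quickstart's code and not Elytron's own BearerTokenAuthenticationMechanism: a minimal mechanism written against the org.wildfly.security.http SPI that reports a missing Authorization header as no authentication in progress (the container then challenges only for protected resources) and reserves authenticationFailed for a token that is present but invalid. The class name, the Predicate-based token check and the realm string are stand-ins; a real mechanism verifies the JWT through the CallbackHandler.

```java
import java.util.List;
import java.util.function.Predicate;

import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.http.HttpServerAuthenticationMechanism;
import org.wildfly.security.http.HttpServerRequest;
import org.wildfly.security.http.HttpServerResponse;

/**
 * Illustrative bearer-token mechanism (example code, not Elytron's class).
 * Token validation is delegated to a Predicate so the example stays
 * self-contained; this is an assumption standing in for JWT verification.
 */
public class ExampleBearerMechanism implements HttpServerAuthenticationMechanism {

    private static final String CHALLENGE_PREFIX = "Bearer ";

    private final Predicate<String> tokenValidator;

    public ExampleBearerMechanism(Predicate<String> tokenValidator) {
        this.tokenValidator = tokenValidator;
    }

    @Override
    public String getMechanismName() {
        return "BEARER_TOKEN";
    }

    @Override
    public void evaluateRequest(HttpServerRequest request) throws HttpAuthenticationException {
        String token = extractBearerToken(request.getRequestHeaderValues(HttpConstants.AUTHORIZATION));

        if (token == null) {
            // No bearer credential was presented, so no authentication is in
            // progress. Handing over the challenge responder lets the container
            // send 401 + WWW-Authenticate only if the target resource actually
            // requires authentication; an unprotected resource is served as-is.
            // Treating this case as a failed authentication instead is what
            // produced the unconditional 401 described in this issue.
            request.noAuthenticationInProgress(this::challenge);
            return;
        }

        if (tokenValidator.test(token)) {
            // Credential accepted; nothing to add to the response.
            request.authenticationComplete(response -> { });
        } else {
            // A credential was presented and rejected: a genuine failure,
            // so a 401 with a challenge is the correct answer here.
            request.authenticationFailed("Bearer token rejected", this::challenge);
        }
    }

    /** Returns the token after "Bearer ", or null when no bearer credential is present. */
    static String extractBearerToken(List<String> authorizationValues) {
        if (authorizationValues == null) {
            return null;
        }
        for (String value : authorizationValues) {
            if (value != null
                    && value.regionMatches(true, 0, CHALLENGE_PREFIX, 0, CHALLENGE_PREFIX.length())) {
                String token = value.substring(CHALLENGE_PREFIX.length()).trim();
                return token.isEmpty() ? null : token;
            }
        }
        return null;
    }

    private void challenge(HttpServerResponse response) throws HttpAuthenticationException {
        // "example" is a placeholder realm name.
        response.addResponseHeader(HttpConstants.WWW_AUTHENTICATE, "Bearer realm=\"example\"");
        response.setStatusCode(HttpConstants.UNAUTHORIZED);
    }
}
```

      Wired into a security domain, a request without an Authorization header for the quickstart's unprotected token endpoint reaches the resource, while the same request for a resource with a security constraint still receives the 401 challenge from the responder.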

      People

        Ilia Vassilev (rhn-support-ivassile)
        Masafumi Miura (rhn-support-mmiura)
        Peter Mackay