  1. JBoss Enterprise Application Platform
  2. JBEAP-20948

JWT Cookie: wrong HTTP code with wrong cookie name

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: MP JWT
    • Labels: None
    • Target Release:
    • Steps to Reproduce:
      The issue can be reproduced by running the test JwsCookieTokenTestCase with the following command:

      mvn test -Dtest=JwsCookieTokenTestCase -Denforcer.skip=true -Djboss.dist=${JBOSS_HOME}
      

      Where ${JBOSS_HOME} points to a distribution built from wildfly branch MP4.

      Description

      MP JWT 1.2 introduces the option of sending the JWT as a cookie.

      When the application's microprofile-config.properties is configured as follows:

      mp.jwt.token.header=Cookie
      mp.jwt.token.cookie=jws-correct-cookie
      

      And the request sends the JWT in a cookie named jws-wrong-cookie, we'd expect a 401 HTTP code, since authentication cannot happen.

      Instead, the HTTP return code is 403, which means the request was authenticated but not authorized.

            People

            Assignee:
            Unassigned
            Reporter:
            tommaso-borgato Tommaso Borgato
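
The 401-versus-403 distinction in the description above, as an added example that is not part of the original report and not WildFly or MP JWT code: a plain-JDK model of the status decision for the configured cookie name. The class and method names, the `verifiedGroups` map standing in for token validation, and the token and role values are all assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class JwtCookieStatusModel {
    // Cookie name from the microprofile-config.properties shown on the page.
    static final String CONFIGURED_COOKIE = "jws-correct-cookie";

    // Return the value of the cookie with exactly this name, or null if absent or empty.
    static String extractToken(String cookieHeader, String cookieName) {
        if (cookieHeader == null) return null;
        for (String pair : cookieHeader.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            if (pair.substring(0, eq).trim().equals(cookieName)) {
                String value = pair.substring(eq + 1).trim();
                return value.isEmpty() ? null : value;
            }
        }
        return null;
    }

    // verifiedGroups is a hypothetical stand-in for signature and claim validation:
    // it maps each accepted token to its groups and has no entry for a rejected token.
    static int status(String cookieHeader, Map<String, Set<String>> verifiedGroups, String requiredRole) {
        String token = extractToken(cookieHeader, CONFIGURED_COOKIE);
        if (token == null) return 401;      // nothing under the configured name: unauthenticated
        Set<String> groups = verifiedGroups.get(token);
        if (groups == null) return 401;     // token present but rejected: still unauthenticated
        return groups.contains(requiredRole) ? 200 : 403; // 403 only for an authenticated caller
    }

    public static void main(String[] args) {
        // Constructed sample data: placeholder token strings and role names.
        Map<String, Set<String>> verified = new HashMap<>();
        verified.put("tok-admin", Set.of("admin"));
        verified.put("tok-user", Set.of("user"));
        String[] cookieHeaders = {
            "jws-wrong-cookie=tok-admin",                 // the reported case: wrong cookie name
            "jws-correct-cookie=tok-admin",               // valid token with the required role
            "jws-correct-cookie=tok-user",                // valid token without the required role
            "session=abc; jws-correct-cookie=tok-forged", // configured name, rejected token
            null                                          // request without a Cookie header
        };
        for (String header : cookieHeaders) {
            System.out.println(header + " -> " + status(header, verified, "admin"));
        }
    }
}
```

In this model 403 is reachable only after a token has been read from the configured cookie and accepted, so a request that carries the JWT under any other cookie name ends at 401.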