JBoss Enterprise Application Platform
JBEAP-20948: JWT Cookie: wrong HTTP code with wrong cookie name

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Minor
    • Component: MP JWT

      The issue can be reproduced by running the test JwsCookieTokenTestCase with the following command:

      mvn test -Dtest=JwsCookieTokenTestCase -Denforcer.skip=true -Djboss.dist=${JBOSS_HOME}

      where ${JBOSS_HOME} points to a distribution built from the wildfly branch MP4.


      MP JWT 1.2 introduces the option of sending the JWT as a cookie.

      When the application's microprofile-config.properties is configured as follows:

      mp.jwt.token.header=Cookie
      mp.jwt.token.cookie=jws-correct-cookie

      and the request sends the JWT in a cookie named jws-wrong-cookie, we would expect HTTP 401 (Unauthorized), since no credential is found at the configured location and authentication cannot happen.

      Instead, the HTTP return code is 403 (Forbidden), which means the request was treated as authenticated but not authorized.
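To make the expected behaviour concrete, here is an added Python model of the two decisions involved: where MP JWT 1.2 looks for the token (mp.jwt.token.header / mp.jwt.token.cookie) and which status each outcome should produce. This is illustration code written for this page, not code from WildFly, EAP or the MP JWT TCK; it assumes roles are carried in the `groups` claim as MP JWT does, skips signature verification entirely (any well-formed JWT counts as authenticated), and the cookie names, the `Echoer` role and the demo token are constructed for the example.

```python
"""Added model (not WildFly/EAP or MP JWT TCK code) of where an MP JWT 1.2
deployment looks for the token and which status each outcome should produce.
Signature verification is deliberately omitted: any well-formed JWT counts as
authenticated, so the example isolates the 401-vs-403 distinction."""
import base64
import json
from http import HTTPStatus
from typing import Optional


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie request header ('a=1; b=2') into a name -> value map.
    partition() splits on the first '=' only, so '=' inside a value survives."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def extract_token(config: dict, headers: dict) -> Optional[str]:
    """Locate the JWT the way mp.jwt.token.header / mp.jwt.token.cookie direct.
    The cookie-name fallback 'Bearer' is the MP JWT 1.2 spec default."""
    location = config.get("mp.jwt.token.header", "Authorization")
    if location == "Cookie":
        cookie_name = config.get("mp.jwt.token.cookie", "Bearer")
        return parse_cookie_header(headers.get("Cookie", "")).get(cookie_name)
    # Header mode: only a 'Bearer <token>' value is accepted.
    value = headers.get(location, "")
    if value.startswith("Bearer "):
        return value[len("Bearer "):]
    return None


def decode_claims(token: str) -> Optional[dict]:
    """Decode the JWT payload WITHOUT verifying the signature (demo only)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return claims if isinstance(claims, dict) else None


def expected_status(config: dict, headers: dict, required_role: str) -> HTTPStatus:
    """Status a @RolesAllowed(required_role) endpoint should return.
    No credential at the configured location -> 401 (not authenticated);
    credential present but lacking the role -> 403 (authenticated, not authorized)."""
    token = extract_token(config, headers)
    if token is None:
        return HTTPStatus.UNAUTHORIZED
    claims = decode_claims(token)
    if claims is None:
        return HTTPStatus.UNAUTHORIZED
    if required_role not in claims.get("groups", []):
        return HTTPStatus.FORBIDDEN
    return HTTPStatus.OK


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_demo_token(claims: dict) -> str:
    """Build an unsigned (alg=none) JWT for the demonstration: constructed, not a real token."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


# Constructed inputs mirroring the report: the configured cookie name and a wrong one.
CONFIG = {"mp.jwt.token.header": "Cookie", "mp.jwt.token.cookie": "jws-correct-cookie"}
DEMO_TOKEN = make_demo_token({"sub": "alice", "groups": ["Echoer"]})

if __name__ == "__main__":
    for cookie in ("jws-correct-cookie", "jws-wrong-cookie"):
        status = expected_status(CONFIG, {"Cookie": f"{cookie}={DEMO_TOKEN}"}, "Echoer")
        print(f"{cookie:20} -> {status.value} {status.phrase}")
```

Run stand-alone, the script reports 200 for the correctly named cookie and 401 for jws-wrong-cookie; a token in the right cookie that lacks the required group is the only path to 403. A token sent in the Authorization header while the configuration says Cookie is also a 401, because the configured location is the only one consulted.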

              Assignee: Unassigned
              Reporter: Tommaso Borgato (tborgato@redhat.com)