  1. JBoss Enterprise Application Platform
  2. JBEAP-20948

JWT Cookie: wrong HTTP code with wrong cookie name


Details

    • Bug
    • Resolution: Duplicate
    • Minor
    • None
    • None
    • MP JWT
    • None
    • False
    • False
    • Undefined

      The issue can be reproduced by running the test JwsCookieTokenTestCase with the following command:

      mvn test -Dtest=JwsCookieTokenTestCase -Denforcer.skip=true -Djboss.dist=${JBOSS_HOME}
      

      Where ${JBOSS_HOME} points to a distribution built from wildfly branch MP4


    Description

      MP JWT 1.2 introduces the option of sending the JWT as a cookie.

      When the application's microprofile-config.properties is configured as follows:

      mp.jwt.token.header=Cookie
      mp.jwt.token.cookie=jws-correct-cookie
      

      And the request sends the JWT in a cookie named jws-wrong-cookie, we'd expect a 401 HTTP code, since authentication cannot happen.

      Instead, the HTTP return code is 403, which means the request was authenticated but not authorized.
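
A small model of the behaviour this report expects, added here as an example and not taken from the report, WildFly or SmallRye JWT: the token is read only from the cookie named by mp.jwt.token.cookie, so a JWT sent as jws-wrong-cookie yields no credential and therefore 401, while 403 is reserved for a verified token that lacks the required role. The HS256 demo key (a stand-in for the deployment's real signature verification), the `admin` role and all function names are assumptions made for the example.

```python
import base64, hashlib, hmac, json

# Constructed values: the page's two properties plus a demo key and role.
CONFIG = {"mp.jwt.token.header": "Cookie",
          "mp.jwt.token.cookie": "jws-correct-cookie"}
KEY = b"constructed-demo-key"   # stand-in for the real verification key
REQUIRED_ROLE = "admin"         # hypothetical role guarding the endpoint

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(claims: dict) -> str:
    """Build a compact HS256 JWS for the sample requests."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def verify(token: str):
    """Return the claims if the signature verifies, else None."""
    try:
        head, body, sig = token.split(".")
        mac = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(mac), sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return claims if isinstance(claims, dict) else None
    except (ValueError, TypeError):
        return None

def token_from_request(headers: dict):
    """Read the token only from the location the configuration names."""
    if CONFIG["mp.jwt.token.header"] != "Cookie":
        auth = headers.get("Authorization", "")
        return auth[7:] if auth.startswith("Bearer ") else None
    for pair in headers.get("Cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name == CONFIG["mp.jwt.token.cookie"]:
            return value
    return None

def status_for(headers: dict) -> int:
    token = token_from_request(headers)
    claims = verify(token) if token else None
    if claims is None:
        return 401  # no usable credential: the caller was never authenticated
    if REQUIRED_ROLE not in claims.get("groups", []):
        return 403  # authenticated, but the token lacks the required role
    return 200
```
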


          People

            Unassigned Unassigned
            tborgato@redhat.com Tommaso Borgato
