Bug
Resolution: Done
Major
7.4.2.GA
As per RFC 7617 [1], the Basic authentication scheme should be case-insensitive. However, when testing with Elytron, the Basic authentication headers are case-sensitive:
curl -k -v -H "Authorization: BASIC cXVpY2tzdGFydFVzZXI6cXVpY2tzdGFydFB3ZDEh" http://localhost:8080/servlet-security/SecuredServlet
* Trying ::1:8080...
* connect to ::1 port 8080 failed: Connection refused
* Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /servlet-security/SecuredServlet HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.76.1
> Accept: */*
> Authorization: BASIC cXVpY2tzdGFydFVzZXI6cXVpY2tzdGFydFB3ZDEh
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Expires: 0
< Connection: keep-alive
< WWW-Authenticate: Basic realm="RealmUsersRoles"
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Content-Type: text/html;charset=UTF-8
< Content-Length: 71
< Date: Thu, 20 Jan 2022 22:52:12 GMT
<
* Connection #0 to host localhost left intact
<html><head><title>Error</title></head><body>Unauthorized</body></html>

curl -k -v -H "Authorization: Basic cXVpY2tzdGFydFVzZXI6cXVpY2tzdGFydFB3ZDEh" http://localhost:8080/servlet-security/SecuredServlet
* Trying ::1:8080...
* connect to ::1 port 8080 failed: Connection refused
* Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /servlet-security/SecuredServlet HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.76.1
> Accept: */*
> Authorization: Basic cXVpY2tzdGFydFVzZXI6cXVpY2tzdGFydFB3ZDEh
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Expires: 0
< Connection: keep-alive
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Content-Length: 230
< Date: Thu, 20 Jan 2022 22:52:33 GMT
<
<html><head><title>servlet-security</title></head><body>
<h1>Successfully called Secured Servlet </h1>
<p>Principal : quickstartUser</p>
<p>Remote User : quickstartUser</p>
<p>Authentication Type : BASIC</p>
</body></html>
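
The scheme comparison the report asks for, as an added example that is not part of the original report and is not Elytron's code. The class `BasicAuthHeader` and its `parse` method are hypothetical names, and decoding the credentials as UTF-8 is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Hypothetical helper class, written for this example only.
public class BasicAuthHeader {
    private static final String SCHEME = "Basic";

    /** Returns {user, password}, or empty when the value is not well-formed Basic credentials. */
    static Optional<String[]> parse(String header) {
        int n = SCHEME.length();
        if (header == null || header.length() <= n) return Optional.empty();
        // Scheme names are case-insensitive. regionMatches(ignoreCase=true) compares
        // per character and is locale-independent, unlike toLowerCase() under e.g. tr-TR.
        if (!header.regionMatches(true, 0, SCHEME, 0, n)) return Optional.empty();
        // Require a space after the scheme so that "Basically ..." is not accepted.
        if (header.charAt(n) != ' ') return Optional.empty();
        String token = header.substring(n).trim();
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(token);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not valid base64
        }
        // Assumption: credentials are UTF-8 encoded.
        String creds = new String(raw, StandardCharsets.UTF_8);
        int colon = creds.indexOf(':'); // the user-id cannot contain ':'; the password may
        if (colon < 0) return Optional.empty();
        return Optional.of(new String[] { creds.substring(0, colon), creds.substring(colon + 1) });
    }

    public static void main(String[] args) {
        String token = "cXVpY2tzdGFydFVzZXI6cXVpY2tzdGFydFB3ZDEh"; // token from the curl commands above
        String[] samples = { // constructed header values
            "Basic " + token, "BASIC " + token, "basic   " + token,
            "Basically " + token, "Bearer " + token, "Basic not*base64", "BASIC"
        };
        for (String h : samples) {
            String result = parse(h).map(c -> "accepted, user=" + c[0]).orElse("rejected");
            System.out.println(h.split(" ")[0] + " -> " + result);
        }
    }
}
```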
is incorporated by JBEAP-22973 (7.4.z) Upgrade Elytron from 1.15.9.Final-redhat-00001 to 1.15.11.Final-redhat-00002 (Closed)