JBoss Enterprise Application Platform
JBEAP-518

The server requires JASPI authentication even if no security-constraint is defined


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Fix Version/s: 7.0.0.DR9
    • Affects Version/s: 7.0.0.DR6
    • Component/s: Security, Undertow
    • Labels: None

      The attached reproducer contains a simple index.html page, the BASIC authentication method configured in web.xml, and the security domain "web-tests" referenced from jboss-web.xml.

      Steps:
      1. Store attached reproducer to /tmp/secured-webapp.war
      2. Run:

      # start server
      bin/standalone.sh &
      
      # configure security domain with JASPI authentication
      bin/jboss-cli.sh -c << EOT
      batch
      /subsystem=security/security-domain=web-tests:add
      /subsystem=security/security-domain=web-tests/authentication=jaspi:add
      /subsystem=security/security-domain=web-tests/authentication=jaspi/login-module-stack=lmStack:add
      /subsystem=security/security-domain=web-tests/authentication=jaspi/login-module-stack=lmStack/login-module=SimpleUsers:add(code=SimpleUsers,flag=required, module-options=[("user"=>"user")])
      /subsystem=security/security-domain=web-tests/authentication=jaspi/auth-module=org.wildfly.extension.undertow.security.jaspi.modules.HTTPSchemeServerAuthModule:add(code=org.wildfly.extension.undertow.security.jaspi.modules.HTTPSchemeServerAuthModule, flag=required, module=org.wildfly.extension.undertow, login-module-stack-ref=lmStack)
      run-batch
      reload
      EOT
      
      # deploy the reproducer
      bin/jboss-cli.sh -c "deploy /tmp/secured-webapp.war"
      
      # make GET request to deployed app
      curl -i http://localhost:8080/secured-webapp/
      

      Actual response:

      HTTP/1.1 401 Unauthorized
      Connection: keep-alive
      WWW-Authenticate: Basic realm="Secured"
      X-Powered-By: Undertow/1
      Server: WildFly/10
      Content-Type: text/html;charset=UTF-8
      Content-Length: 71
      Date: Tue, 28 Jul 2015 11:16:56 GMT
      
      <html><head><title>Error</title></head><body>Unauthorized</body></html>
      

      Expected response:

      HTTP/1.1 200 OK
      Connection: keep-alive
      Last-Modified: Tue, 28 Jul 2015 11:14:12 GMT
      X-Powered-By: Undertow/1
      Server: WildFly/10
      Content-Type: text/html
      Content-Length: 202
      Date: Tue, 28 Jul 2015 11:42:20 GMT
      
      <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
      <html>
      <head>
      	<title>Sample web application</title>
      </head>
      <body>
        Hello World!
      </body>
      </html>
      

      If JASPI authentication is configured in the security domain, then the server requires authentication even if no security-constraint is defined for the web application which uses the security domain.

      With classic authentication the behavior is correct. EAP 6.x with JASPI also works correctly.
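      The attached WAR is not on this page, so the script below is an added example (not the reporter's reproducer and not EAP code) that writes a web application laid out the way the report describes it: an index.html, a web.xml with a BASIC login-config and no security-constraint, and a jboss-web.xml pointing at the "web-tests" security domain. The file contents, paths and function names are this example's own assumptions; the realm name "Secured" is taken from the WWW-Authenticate header in the actual response above. A second mode adds a security-constraint on /secured/* so the same check can confirm that a 401 is still returned where one is actually expected, which separates the bug (401 on an unconstrained resource) from correct behaviour.

```shell
#!/bin/sh
# Added example for JBEAP-518. Not the attached reproducer; file contents and
# function names below are assumptions made for this example.

# make_reproducer DIR [constrained]
# Writes index.html, WEB-INF/web.xml and WEB-INF/jboss-web.xml into DIR
# (exploded WAR layout). Default mode: BASIC <login-config>, no
# <security-constraint>, i.e. the case the report expects to answer 200.
# Mode "constrained": additionally protects /secured/*, where 401 is correct.
make_reproducer() {
  dir=$1
  mode=${2:-unconstrained}
  mkdir -p "$dir/WEB-INF"
  cat > "$dir/index.html" <<'EOF'
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><title>Sample web application</title></head>
<body>Hello World!</body></html>
EOF
  {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
    printf '%s\n' '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">'
    if [ "$mode" = constrained ]; then
      # "**" (Servlet 3.1) = any authenticated user, regardless of role.
      cat <<'EOF'
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secured area</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>**</role-name></auth-constraint>
  </security-constraint>
EOF
    fi
    # login-config alone must not force authentication on unconstrained URLs.
    cat <<'EOF'
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Secured</realm-name>
  </login-config>
</web-app>
EOF
  } > "$dir/WEB-INF/web.xml"
  cat > "$dir/WEB-INF/jboss-web.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>web-tests</security-domain>
</jboss-web>
EOF
}

# has_constraint WEBXML: succeeds when the descriptor declares a security-constraint.
has_constraint() {
  grep -q '<security-constraint>' "$1"
}

# package_war DIR WARFILE: packages the exploded layout with the JDK's jar tool,
# e.g. package_war /tmp/secured-webapp /tmp/secured-webapp.war
package_war() {
  jar cf "$2" -C "$1" .
}

# http_status URL: prints only the status code of a GET (needs the running server).
http_status() {
  curl -s -o /dev/null -w '%{http_code}' "$1"
}

# expect_status URL CODE: 0 if the server answered CODE, 1 otherwise.
# expect_status http://localhost:8080/secured-webapp/ 200          -> 401 here reproduces the bug
# expect_status http://localhost:8080/secured-webapp/secured/ 401  -> constrained mode only
expect_status() {
  got=$(http_status "$1")
  if [ "$got" = "$2" ]; then
    echo "ok: $1 -> $got"
  else
    echo "FAIL: $1 -> $got (expected $2)"
    return 1
  fi
}
```

      Run make_reproducer and package_war, deploy the WAR with the CLI steps above, then call expect_status for the unconstrained root (200 expected) and, in constrained mode, for /secured/ (401 expected). Only the file generation is checked offline; the HTTP checks need the configured server.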

            Assignee: Stuart Douglas (sdouglas1@redhat.com)
            Reporter: Josef Cacek (josef.cacek@gmail.com)