Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-7563

Elytron auth method misconfiguration not handled

XMLWordPrintable

    • Hide
      1. ./standalone.sh -c standalone-elytron.xml
      2. /subsystem=undertow/application-security-domain=other:add(http-authentication-factory=application-http-authentication)
      3. deploy secured-webapp.war
      4. access localhost:8080/secured-webapp/index.jsp
      5. I expect browser dialog box appear to allow user provide credentials (401 http status code)
      6. But 403 http code is returned and Forbidden is shown in browser
      Show
      ./standalone.sh - c standalone-elytron.xml /subsystem=undertow/application-security-domain=other:add(http-authentication-factory=application-http-authentication) deploy secured-webapp.war access localhost:8080/secured-webapp/index.jsp I expect browser dialog box appear to allow user provide credentials (401 http status code) But 403 http code is returned and Forbidden is shown in browser

      When deployment is configured to be secured with DIGEST, but http-authentication-factory does not list DIGEST mechanism, user is not informed about misconfiguration. Even when TRACE logging is turned on. When user tries to access app 403 http code is returned and Forbidden is shown in browser. I would expect browser dialog to appear to allow user provide credentials (401 http status code).

      web.xml
        <login-config>
            <auth-method>DIGEST</auth-method>
            <realm-name>ApplicaitonRealm</realm-name>
        </login-config>
      
      standalone-elytron.xml
      <http-authentication-factory name="application-http-authentication" http-server-mechanism-factory="global" security-domain="ApplicationDomain">
          <mechanism-configuration>
              <mechanism mechanism-name="BASIC">
                  <mechanism-realm realm-name="Application Realm"/>
              </mechanism>
              <mechanism mechanism-name="FORM"/>
          </mechanism-configuration>
      </http-authentication-factory>
      

      This applies globally to all authentication mechanisms, not only DIGEST.

      Could elytron handle misconfiguration:

      • either fail during deploying application as deployment requirement can't be satisfy
      • or provide reasonable elytron defaults of missing mechanism configuration.

              jkalina@redhat.com Jan Kalina (Inactive)
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: