UNDERTOW-1727: BasicAuthenticationMechanism isn't RFC2617 compliant


    • Bug
    • Resolution: Obsolete
    • Major
    • None
    • 2.1.0.Final
    • Security
    • None

      Start Undertow with LoginConfig BASIC and make a request to a secured resource; you will see that a 401 and a WWW-Authenticate header are not returned.

      RFC2617 states that if no Authorization header is present, then a 401 response should be returned along with a WWW-Authenticate header, but this is not the case in BasicAuthenticationMechanism.

      Line 131 checks for an Authorization header and, if it is not found, AuthenticationMechanismOutcome.NOT_ATTEMPTED is returned, which means that sendChallenge is never invoked.

              rhn-cservice-bbaranow Bartosz Baranowski
              richantturner Rich Turner (Inactive)
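A black-box check for the behaviour this issue describes, added here as an example and not taken from the issue or from Undertow: it requests a protected URL without an Authorization header and verifies that the reply is a 401 carrying a Basic challenge with a realm. The function names, the local stand-in server, its realm value and its 403 non-compliant reply are all constructed assumptions.

```python
import http.client, http.server, threading
from urllib.parse import urlsplit

def check_basic_challenge(url):
    """GET url with no Authorization header; return (compliant, detail)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
    try:
        conn.request("GET", parts.path or "/")  # deliberately no credentials
        resp = conn.getresponse()
        resp.read()
    finally:
        conn.close()
    challenges = resp.headers.get_all("WWW-Authenticate") or []
    if resp.status != 401:
        return False, f"status {resp.status}, expected 401"
    for challenge in challenges:
        scheme, _, params = challenge.partition(" ")
        if scheme.lower() == "basic" and "realm=" in params.lower():
            return True, challenge
    return False, "401 without a Basic challenge carrying a realm"

def make_handler(send_challenge):  # constructed stand-in, not Undertow code
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization"):
                self.send_response(200)  # credentials are not validated here
            elif send_challenge:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="constructed"')
            else:
                self.send_response(403)  # constructed non-compliant reply
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):
            pass  # keep the example quiet
    return Handler

def probe_stand_in(send_challenge):
    server = http.server.HTTPServer(("127.0.0.1", 0), make_handler(send_challenge))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_basic_challenge(f"http://127.0.0.1:{server.server_port}/secured")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(probe_stand_in(True), probe_stand_in(False))
```

Pointing `check_basic_challenge` at a secured resource on a real deployment turns the reproduction steps into a repeatable regression check.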