UNDERTOW-1727

BasicAuthenticationMechanism isn't RFC2617 compliant

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.1.0.Final
    • Fix Version/s: None
    • Component/s: Security
    • Labels: None
    • Steps to Reproduce:

      Start Undertow with LoginConfig BASIC and make a request to a secured resource; you will see that a 401 and a WWW-Authenticate header are not returned.

    Description

    RFC2617 states that if no Authorization header is present then a 401 response should be returned along with a WWW-Authenticate header, but this is not the case in BasicAuthenticationMechanism.

    Line 131 checks for an Authorization header and, if it is not found, AuthenticationMechanismOutcome.NOT_ATTEMPTED is returned, which means that sendChallenge is never invoked.
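    The following is an added client-side check for the reproduction step above; it is not part of this issue report or of Undertow's code. It sends an unauthenticated GET to a protected URL and verifies what RFC 2617 section 2 requires: a 401 status and a WWW-Authenticate header carrying the Basic scheme with a quoted realm parameter. The check is independent of the server implementation, so it works as a regression test against any deployment. The default URL http://localhost:8080/secured is an assumption; pass your own as the first argument.

```python
"""Probe a secured resource and verify the RFC 2617 Basic challenge.

Added example for UNDERTOW-1727, not Undertow project code. Run it against a
deployment with LoginConfig BASIC: a request without an Authorization header
must be answered with 401 and a WWW-Authenticate: Basic realm="..." header.
"""
import http.client
import re
import sys
from urllib.parse import urlsplit

# RFC 2617 section 2: challenge = "Basic" realm, realm = "realm" "=" quoted-string.
# The scheme token is case-insensitive. Extra auth-params (for example the
# charset="UTF-8" that RFC 7617 allows) are tolerated after the scheme.
_BASIC_CHALLENGE = re.compile(
    r'^\s*basic(?:\s+(?P<params>.*))?$', re.IGNORECASE | re.DOTALL)
# realm must be preceded by the start of the parameter list or a comma, so a
# parameter such as xrealm=... is not mistaken for it.
_REALM_PARAM = re.compile(
    r'(?:^|,)\s*realm\s*=\s*("(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>[^\s,]+))',
    re.IGNORECASE)


def check_basic_challenge(status, headers):
    """Return a list of compliance problems for one response; empty means OK.

    `headers` is an iterable of (name, value) pairs as http.client returns them.
    Each WWW-Authenticate header value is treated as one challenge; a single
    value listing several comma-separated challenges is not split here.
    """
    problems = []
    if status != 401:
        problems.append(f"expected status 401, got {status}")
    challenges = [v for (n, v) in headers if n.lower() == "www-authenticate"]
    if not challenges:
        problems.append("no WWW-Authenticate header on the response")
        return problems
    basic = [c for c in challenges if _BASIC_CHALLENGE.match(c)]
    if not basic:
        problems.append(
            f"no Basic challenge among WWW-Authenticate values: {challenges}")
        return problems
    params = _BASIC_CHALLENGE.match(basic[0]).group("params") or ""
    m = _REALM_PARAM.search(params)
    if not m:
        problems.append(
            f"Basic challenge lacks the mandatory realm parameter: {basic[0]!r}")
    elif m.group("token") is not None:
        # The grammar requires a quoted-string; many clients accept a bare
        # token, but a compliant server must quote it.
        problems.append(f"realm is not a quoted-string: {basic[0]!r}")
    return problems


def probe(url, timeout=5.0):
    """GET `url` without an Authorization header; return (status, headers)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.getheaders()
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumed target; replace with the secured resource of your deployment.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080/secured"
    status, headers = probe(target)
    issues = check_basic_challenge(status, headers)
    if issues:
        print(f"NOT RFC 2617 compliant ({target}):")
        for issue in issues:
            print("  -", issue)
        sys.exit(1)
    print(f"OK: {target} returned 401 with a Basic challenge")
```

    A response of 200, 403 or 401 without the challenge header all count as failures, which matches what the reproduction step describes; the script exits non-zero in that case so it can sit in a CI job that starts the deployment first.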


    People

    • Assignee: flavia.rainone Flavia Rainone
    • Reporter: richantturner Rich Turner
    • Votes: 0
    • Watchers: 2
