Undertow / UNDERTOW-1727

BasicAuthenticationMechanism isn't RFC2617 compliant


Details

    • Bug
    • Resolution: Obsolete
    • Major
    • None
    • 2.1.0.Final
    • Security
    • None

      Start Undertow with LoginConfig BASIC and make a request to a secured resource; you will see that a 401 and WWW-Authenticate header are not returned.


    Description

      RFC2617 states that if no Authorization header is present then a 401 response should be returned along with a WWW-Authenticate header, but this is not the case in BasicAuthenticationMechanism.

      Line 131 checks for an Authorization header and, if not found, AuthenticationMechanismOutcome.NOT_ATTEMPTED is returned, which means that sendChallenge is never invoked.

          People

            rhn-cservice-bbaranow Bartosz Baranowski
            richantturner Rich Turner (Inactive)
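Added example, not part of the original issue or of Undertow's code: a Python check that the response to a request sent without an Authorization header carries the 401 status and Basic challenge that the description cites from RFC2617. The function names and sample responses are constructed; the issue does not say what Undertow returned instead, so the 403 sample is a stand-in.

```python
import re

def split_outside_quotes(value):
    """Split a header value on commas that are not inside a quoted-string."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if quoted and not escaped and ch == "\\":
            escaped = True  # next character belongs to a quoted-pair
        else:
            if ch == '"' and not escaped:
                quoted = not quoted
            escaped = False
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    return [p for p in parts + ["".join(buf).strip()] if p]

def parse_challenges(value):
    """Parse a WWW-Authenticate value into [(scheme, {param: value})]."""
    challenges = []
    for item in split_outside_quotes(value):
        head, _, rest = item.partition(" ")
        if "=" not in head:  # "<scheme> [first-param]" opens a new challenge
            challenges.append((head.lower(), {}))
            item = rest.strip()
        if item and challenges:
            name, _, val = item.partition("=")
            challenges[-1][1][name.strip().lower()] = val.strip()
    return challenges

def check_basic_challenge(raw_response):
    """List RFC 2617 findings for a response to a request sent without Authorization."""
    lines = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    findings = [] if status == 401 else [f"status is {status}, expected 401"]
    values = [l.split(":", 1)[1] for l in lines[1:] if l.lower().startswith("www-authenticate:")]
    if not values:
        return findings + ["no WWW-Authenticate header"]
    basics = [p for v in values for s, p in parse_challenges(v) if s == "basic"]
    if not basics:
        findings.append("no Basic challenge offered")
    elif not any(re.fullmatch(r'"(?:[^"\\]|\\.)*"', p.get("realm", "")) for p in basics):
        findings.append("Basic challenge has no quoted realm")
    return findings

# Constructed sample responses (not captured from Undertow).
CONFORMANT = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="secured"\r\n\r\n'
NO_CHALLENGE = "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
```

An empty list from `check_basic_challenge` means the response carries the expected challenge; feeding it the raw response from a deployment's secured resource turns the reproduction step into a regression check.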