Undertow / UNDERTOW-937

ServletAuthenticationCallHandler.handleRequest returns empty OK response for authorization failure


Details

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Major
    • Fix Version/s: None
    • Affects Version/s: 1.4.0.Final, 1.4.7.Final
    • Component/s: Security, Servlet
    • Labels: None
    • Steps to Reproduce:

      1. Clone my modified JavaEE 7 samples repo from https://github.com/stoty/javaee7-samples.git
      2. Switch to the jaspic-auth-statuscode branch
      3. Run the tests in jaspic/basic-authentication/ directory with

      mvn -P wildfly-managed-arquillian test
      

    Description

      When using JASPIC authentication and setting the principal to non-authenticated from the module for a protected resource, WildFly/Undertow sends an empty 200 response instead of a 403 response.

      The reason for this is that io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest expects that the module sets the error code, but the JASPIC module used does not set it.

      This seems to be similar to UNDERTOW-259.

          People

            Assignee: rhn-cservice-bbaranow Bartosz Baranowski
            Reporter: stoty2 István Tóth (Inactive)