Undertow / UNDERTOW-937

ServletAuthenticationCallHandler.handleRequest returns empty OK response for authorization failure

    Details

    • Type: Enhancement
    • Status: Pull Request Sent
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.4.0.Final, 1.4.7.Final
    • Fix Version/s: None
    • Component/s: Security, Servlet
    • Labels:
      None
    • Environment:

      Wildfly 10.1 on Fedora 25 or Centos 7.3 x86_64

      Description

      When using JASPIC authentication and setting the principal to non-authenticated from the module for a protected resource, Wildfly/Undertow sends an empty 200 response instead of a 403 response.

      The reason for this is that io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest expects that the module sets the error code, but the JASPIC module used does not set it.

      This seems to be similar to UNDERTOW-259.
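
A module-side mitigation that follows from the diagnosis above, as an added example that is not code from the reporter, Undertow or WildFly: the JASPIC module sets the 403 status itself before reporting failure for a protected resource. The class name and the `demo.caller` session attribute are assumptions made for illustration; `javax.security.auth.message.MessagePolicy.isMandatory` is the standard JASPIC servlet-profile key.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Hypothetical module name; not part of Undertow or WildFly.
public class ExplicitStatusAuthModule implements ServerAuthModule {
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler handler, Map options) {
        this.handler = handler;
    }
    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    @Override
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) info.getResponseMessage();
        HttpSession session = request.getSession(false);
        // Placeholder credential source (assumption): a name stored by an earlier login step.
        String caller = session == null ? null : (String) session.getAttribute("demo.caller");
        // The container marks protected resources with isMandatory=true in the message map.
        boolean mandatory = Boolean.parseBoolean(String.valueOf(info.getMap().get(IS_MANDATORY)));
        if (caller == null && mandatory) {
            // Set the status here; do not rely on the container to turn the failure into an error.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return AuthStatus.SEND_FAILURE;
        }
        try {
            Callback cb = caller == null
                    ? new CallerPrincipalCallback(client, (Principal) null) // unauthenticated, public resource
                    : new CallerPrincipalCallback(client, caller);
            handler.handle(new Callback[] { cb });
        } catch (Exception e) {
            throw (AuthException) new AuthException("caller principal callback failed").initCause(e);
        }
        return AuthStatus.SUCCESS;
    }
    @Override
    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    @Override
    public void cleanSubject(MessageInfo info, Subject subject) { }
}
```

A deployment test that requests a protected URL without credentials and asserts on the 403 status, rather than on the absence of a body, catches a regression to the empty 200 behaviour.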


              People

              • Assignee:
                swd847 Stuart Douglas
                Reporter:
                stoty2 István Tóth