  1. WildFly
  2. WFLY-20179

400 (Bad request) is returned instead of 401 (Unauthorized) when wrong login is used in PATCH request


    • Bug
    • Resolution: Cannot Reproduce
    • Major
    • None
    • 26.1.2.Final, 34.0.0.Final
    • REST, Security
    • User Experience

      We have a WAR application protected with elytron-oidc-client, connected to Keycloak v20, in WildFly v26 or v34.

      Security is enabled in web.xml as

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>RS</web-resource-name>
          <url-pattern>/api/rest/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>*</role-name>
        </auth-constraint>
      </security-constraint>
      <security-role>
        <role-name>*</role-name>
      </security-role>

      I try to access the application (this can be tried even with a non-existent URL, as long as it is on a protected path) with the GET, POST, PUT, DELETE, PATCH and HEAD methods and provide an invalid username or an expired token.

      All methods except PATCH return 401 - Unauthorized, but PATCH returns a 400 - Bad request error.

      It is expected that PATCH would also return a 401 error.

              rh-ee-mskaceli Marek Skacelik
              andrius.karpavicius Andrius Karpavicius (Inactive)
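The check described in the report, as an added example that is not part of the original issue or of WildFly: a Python probe that sends each listed method with an invalid bearer token and reports every status other than 401. The stub server, the token value and the `/api/rest/does-not-exist` path are constructed for the example, and plain HTTP is assumed.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods named in the report.
METHODS = ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD"]

def probe(host, port, path, token="invalid-token"):
    """Send each method with a bad bearer token; return {method: status}."""
    results = {}
    for method in METHODS:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, path,
                         headers={"Authorization": "Bearer " + token})
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection closes cleanly
            results[method] = resp.status
        finally:
            conn.close()
    return results

def non_401(results):
    """Methods whose status differs from the expected 401."""
    return {m: s for m, s in results.items() if s != 401}

class _Stub(BaseHTTPRequestHandler):
    """Constructed stand-in that mimics the reported behaviour:
    400 for PATCH, 401 for every other method."""
    def _reply(self):
        self.send_response(400 if self.command == "PATCH" else 401)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = do_HEAD = _reply
    def log_message(self, *args):  # keep the console quiet
        pass

def run_against_stub():
    """Start the stub on a free local port, probe it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), _Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1],
                     "/api/rest/does-not-exist")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(non_401(run_against_stub()))
```

To run it against a real deployment, call `probe()` with that server's host, port and a path under the protected `/api/rest/*` pattern; an empty result from `non_401()` means every method answered 401.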