WildFly / WFLY-3590

Option to disable processing of authentication tokens on unsecured resources.


Details

    • Type: Feature Request
    • Resolution: Done
    • Priority: Major
    • Fix Version: 10.0.0.Alpha3
    • Affects Version: 8.1.0.Final
    • Component: Web (Undertow)
    • Labels: None

    Description

      WildFly sends a basic authentication challenge and denies access when it shouldn't in the following simple setup:

          <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>test</realm-name>
          </login-config>

          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>all</web-resource-name>
                  <url-pattern>/hello</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>USER</role-name>
              </auth-constraint>
          </security-constraint>

          <security-role>
              <role-name>USER</role-name>
          </security-role>


      /hello is the only protected URL (mapped to a servlet), other URLs like /index.html are public.

      When GETting /index.html with an (unneeded) basic authentication header, access is denied:

      $ curl -v -u foo:bar http://localhost:8080/auth-basic/index.html
      * Hostname was NOT found in DNS cache
      *   Trying 127.0.0.1...
      * Connected to localhost (127.0.0.1) port 8080 (#0)
      * Server auth using Basic with user 'foo'
      > GET /auth-basic/index.html HTTP/1.1
      > Authorization: Basic Zm9vOmJhcg==
      > User-Agent: curl/7.35.0
      > Host: localhost:8080
      > Accept: */*
      > 
      < HTTP/1.1 401 Unauthorized
      < Connection: keep-alive
      * Authentication problem. Ignoring this.
      < WWW-Authenticate: Basic realm="test"
      < X-Powered-By: Undertow/1
      * Server WildFly/8 is not blacklisted
      < Server: WildFly/8
      < Content-Type: text/html;charset=ISO-8859-1
      < Content-Length: 71
      < Date: Mon, 07 Jul 2014 17:28:25 GMT
      < 
      * Connection #0 to host localhost left intact
      <html><head><title>Error</title></head><body>Unauthorized</body></html>
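      To make the reported behaviour concrete, here is a small Python model (added here; it is not Undertow's or WildFly's code) of a servlet container deciding whether to run Basic authentication for a request. It assumes a constructed user store for the "test" realm and a hypothetical `proactive` switch: True mirrors the report, where a present Authorization header is always validated; False defers authentication until a security constraint actually requires it.

```python
import base64
from fnmatch import fnmatchcase

# Constructed credential store standing in for the "test" realm.
USERS = {"alice": ("secret", {"USER"}), "bob": ("pw", {"GUEST"})}

# The web.xml above: only /hello carries an auth-constraint.
CONSTRAINTS = [("/hello", {"USER"})]

def required_roles(path):
    """Roles demanded for this path; an empty set means the URL is public."""
    roles = set()
    for pattern, needed in CONSTRAINTS:
        if fnmatchcase(path, pattern):
            roles |= needed
    return roles

def authenticate(auth_header):
    """Validate a Basic header; return (user, roles) or None when it fails."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode()
        user, _, password = decoded.partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    entry = USERS.get(user)
    if entry is None or entry[0] != password:
        return None
    return user, entry[1]

def handle(path, auth_header=None, proactive=True):
    """Return the status the container sends for this request.

    proactive=True mirrors the report: any Authorization header is
    processed, so bad credentials get a 401 even on a public URL.
    proactive=False validates credentials only when a constraint applies.
    """
    needed = required_roles(path)
    if not needed and not (proactive and auth_header):
        return 200  # public resource, nothing to check
    identity = authenticate(auth_header)
    if identity is None:
        return 401  # challenge with WWW-Authenticate: Basic realm="test"
    if needed and not (needed & identity[1]):
        return 403  # authenticated but lacks the required role
    return 200
```

      With `proactive=True`, `handle("/index.html", "Basic Zm9vOmJhcg==")` gives the 401 from the curl session above; with `proactive=False` the same request gets 200 while /hello still challenges or rejects as its constraint dictates.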
      

      People

        Assignee: Stuart Douglas
        Reporter: Harald Wellmann