Bug 1030417
| Field | Value |
|---|---|
| Summary | Access secure page with unauthenticated user returns wrong HTTP status when authorization module is used |
| Product | [JBoss] JBoss Enterprise Application Platform 6 |
| Reporter | Ondrej Lukas <olukas> |
| Component | Security |
| Assignee | Peter Skopek <pskopek> |
| Status | CLOSED EOL |
| QA Contact | Pavel Slavicek <pslavice> |
| Severity | medium |
| Docs Contact | |
| Priority | unspecified |
| Version | 6.2.0, 6.3.0 |
| CC | bdawidow, chaowan |
| Target Milestone | --- |
| Target Release | EAP 6.4.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2019-08-19 12:49:21 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | 823909: reproducer |
Created attachment 823909: reproducer

Description:

Accessing a secure page as an unauthenticated user returns HTTP status 403 instead of 401.

Steps to reproduce:

1. Add this security domain to standalone.xml:

```xml
<security-domain name="deny-all">
    <authentication>
        <login-module code="UsersRoles" flag="required"/>
    </authentication>
    <authorization>
        <policy-module code="org.jboss.security.authorization.modules.AllDenyAuthorizationModule" flag="required"/>
    </authorization>
</security-domain>
```

2. Run the standalone server and deploy the attached Reproducer.war.
3. Open a browser and visit http://wronguser:wrongpassword@localhost:8080/Reproducer/secure.html. It returns HTTP status 403 instead of 401.
4. (Optionally, visit http://admin:admin@localhost:8080/Reproducer/secure.html. It correctly returns 403, because admin/admin is a correctly authenticated user.)

Comment (status update):

The issue still exists in 6.3.0.ER10. As the AllDenyAuthorizationModule is present, the request is not repeated; shouldn't it just return the 403 code?
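The status codes the reporter expects follow from the order of the two checks: authentication (the UsersRoles login module) must fail with 401 and a `WWW-Authenticate` challenge before the authorization policy is ever consulted, and only an authenticated caller that the policy rejects should see 403. The following is an added example, not code from the bug report or from JBoss EAP: a minimal Python model of that BASIC-auth decision, with a constructed user store and a deny-all policy standing in for the UsersRoles and AllDenyAuthorizationModule modules, plus a `probe()` helper that sends the report's three cases to the reproducer URL from the description and returns what a live server actually answers.

```python
"""Added example, not code from the bug report or from JBoss EAP: a minimal
model of the BASIC-auth flow the reproducer exercises, plus an optional probe
against a real server.  The user store and the deny-all policy are constructed
stand-ins for the UsersRoles login module and AllDenyAuthorizationModule."""
import base64
import hmac
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed stand-in for users.properties / roles.properties.
USERS: Dict[str, str] = {"admin": "admin"}
ROLES: Dict[str, Set[str]] = {"admin": {"admin"}}

Policy = Callable[[str, Set[str], str], bool]


def deny_all_policy(user: str, roles: Set[str], resource: str) -> bool:
    """Stand-in for AllDenyAuthorizationModule: authorizes nobody."""
    return False


def authenticate_basic(authorization: Optional[str]) -> Optional[str]:
    """Return the principal name if the Authorization header carries valid
    BASIC credentials, otherwise None (a 'required' login module failed)."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    # Constant-time password comparison.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def handle_secure(authorization: Optional[str],
                  resource: str = "/Reproducer/secure.html",
                  policy: Policy = deny_all_policy) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers) for a request to a protected resource.

    Authentication is decided before authorization: a missing or wrong
    credential gets 401 with a challenge so the client can retry, and only an
    authenticated caller that the policy rejects gets 403.  The report says
    EAP 6.2/6.3 returns 403 for the wrong-credential case instead."""
    user = authenticate_basic(authorization)
    if user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="Reproducer"'}
    if not policy(user, ROLES.get(user, set()), resource):
        return 403, {}
    return 200, {}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for user:pass@host URLs."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def probe(base_url: str = "http://localhost:8080/Reproducer/secure.html") -> Dict[str, int]:
    """Send the three cases to a running server (URL taken from the report) and
    return the observed status codes; the bug shows up as 'wrong' -> 403."""
    cases = {"anonymous": None,
             "wrong": basic_header("wronguser", "wrongpassword"),
             "admin": basic_header("admin", "admin")}
    observed: Dict[str, int] = {}
    for name, header in cases.items():
        req = urllib.request.Request(base_url)
        if header is not None:
            req.add_header("Authorization", header)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                observed[name] = resp.status
        except urllib.error.HTTPError as err:
            observed[name] = err.code
    return observed


# What a correct server answers for the report's three cases.
EXPECTED = {"anonymous": 401, "wrong": 401, "admin": 403}

if __name__ == "__main__":
    # Offline model of the three cases; compare probe() output to EXPECTED
    # when the reproducer is deployed.
    print({name: handle_secure(h)[0] for name, h in
           [("anonymous", None),
            ("wrong", basic_header("wronguser", "wrongpassword")),
            ("admin", basic_header("admin", "admin"))]})
```

To check a deployed reproducer without a browser, `curl -i -u wronguser:wrongpassword http://localhost:8080/Reproducer/secure.html` sends the credentials preemptively, which is what matters here: a 403 on that request tells the client not to re-prompt, whereas a 401 with `WWW-Authenticate` leaves the user a way to supply the right credentials. `probe()` does the same for all three cases and is meant to be compared against `EXPECTED`.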