Bug 1030417 - Access secure page with unauthenticated user returns wrong http status when authorization module is used
Status: ASSIGNED
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.2.0, 6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: EAP 6.4.0
Assigned To: Peter Skopek
QA Contact: Josef Cacek
Reported: 2013-11-14 06:56 EST by Ondrej Lukas
Modified: 2017-10-09 20:23 EDT (History)
Doc Type: Bug Fix
Type: Bug

Attachments:
reproducer (4.03 KB, application/zip), 2013-11-14 06:57 EST, Ondrej Lukas
Description Ondrej Lukas 2013-11-14 06:56:38 EST
Accessing a secure page with an unauthenticated user returns HTTP status 403 instead of 401.

Steps to reproduce:
1. Add this security domain to standalone.xml:

<security-domain name="deny-all">
    <authentication>
        <login-module code="UsersRoles" flag="required"/>
    </authentication>
    <authorization>
        <policy-module code="org.jboss.security.authorization.modules.AllDenyAuthorizationModule" flag="required"/>
    </authorization>
</security-domain>

2. Run the standalone server and deploy the attached Reproducer.war.

3. Open a browser and visit http://wronguser:wrongpassword@localhost:8080/Reproducer/secure.html

It returns HTTP Status 403 instead of 401.

(4. You can also visit http://admin:admin@localhost:8080/Reproducer/secure.html
It returns 403 correctly, because admin/admin is a correctly authenticated user.)
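The status-code contract the report expects, as an added example that is not the reproducer attachment or EAP's own code: a minimal Python HTTP server that answers 401 with a WWW-Authenticate challenge whenever Basic credentials are missing or wrong, and 403 only once an authenticated user is rejected by the deny-all policy, plus a client check that probes all three cases. The handler, the `admin:admin` user store and the function names are assumptions for this illustration.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed user store standing in for the UsersRoles login module (assumption).
USERS = {"admin": "admin"}


class SecureHandler(BaseHTTPRequestHandler):
    """Models the expected responses for /Reproducer/secure.html."""

    def do_GET(self):
        header = self.headers.get("Authorization", "")
        user = None
        if header.startswith("Basic "):
            try:
                name, _, pw = base64.b64decode(header[6:]).decode().partition(":")
                if USERS.get(name) == pw:
                    user = name
            except ValueError:  # malformed base64 or non-UTF-8 bytes
                pass
        if user is None:
            # Authentication failed: challenge the client. Authorization has not
            # been evaluated yet, so a 403 here would be wrong.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="deny-all"')
            self.end_headers()
            return
        # Authenticated, but the AllDeny policy module denies every principal.
        self.send_response(403)
        self.end_headers()

    def log_message(self, *args):  # silence request logging
        pass


def fetch_status(url, credentials=None):
    """GET url with optional 'user:password' Basic credentials; return the status."""
    req = urllib.request.Request(url)
    if credentials:
        req.add_header("Authorization", "Basic " + base64.b64encode(credentials.encode()).decode())
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_check():
    """Start the model server on a free port and probe the three cases from the report."""
    server = HTTPServer(("127.0.0.1", 0), SecureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/Reproducer/secure.html" % server.server_port
    results = {
        "anonymous": fetch_status(url),
        "wrong": fetch_status(url, "wronguser:wrongpassword"),
        "valid": fetch_status(url, "admin:admin"),
    }
    server.shutdown()
    server.server_close()
    return results
```

Pointing `fetch_status` at a real EAP instance with the deny-all domain deployed turns the same three probes into a regression check for this bug.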
Comment 1 Ondrej Lukas 2013-11-14 06:57:38 EST
Created attachment 823909 [details]
reproducer
Comment 2 Josef Cacek 2014-07-29 08:33:02 EDT
Updating status. The issue still exists in 6.3.0.ER10.
Comment 3 Chao Wang 2014-09-15 05:22:28 EDT
As the AllDenyAuthorizationModule is present, the request is not repeated; shouldn't it just return the 403 code?
