Bug 1030417 - Access secure page with unauthenticated user returns wrong http status when authorization module is used
Keywords:
Status: CLOSED EOL
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.2.0,6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
: EAP 6.4.0
Assignee: Peter Skopek
QA Contact: Pavel Slavicek
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-11-14 11:56 UTC by Ondrej Lukas
Modified: 2019-08-19 12:49 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-08-19 12:49:21 UTC
Type: Bug
Embargoed:


Attachments
reproducer (4.03 KB, application/zip), 2013-11-14 11:57 UTC, Ondrej Lukas


Links
Red Hat Bugzilla 920160 (CLOSED): Unauthorized access to a web application protected with a custom authorization module results in HTTP 200 (OK) instead o... (last updated 2021-02-22 00:41:40 UTC)

Internal Links: 920160

Description Ondrej Lukas 2013-11-14 11:56:38 UTC
Accessing a secure page with an unauthenticated user returns HTTP status 403 instead of 401.

Steps to reproduce:
1. Add this security domain to standalone.xml:

<security-domain name="deny-all">
    <authentication>
        <login-module code="UsersRoles" flag="required"/>
    </authentication>
    <authorization>
        <policy-module code="org.jboss.security.authorization.modules.AllDenyAuthorizationModule" flag="required"/>
    </authorization>
</security-domain>

2. Run the standalone server and deploy the attached Reproducer.war.

3. Open a browser and visit the page http://wronguser:wrongpassword@localhost:8080/Reproducer/secure.html

It returns HTTP Status 403 instead of 401.

(4. You can also try to visit http://admin:admin@localhost:8080/Reproducer/secure.html
It correctly returns 403, because admin/admin is a correctly authenticated user.)
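A small check script for the two requests in the steps above, added here as an example and not part of the attached reproducer: it sends the wrong-credentials and admin/admin requests with preemptive Basic auth and reports whether each status matches what the report expects (401 with a WWW-Authenticate challenge for a failed login, 403 for a user that the deny-all policy module rejects). The URL and the admin/admin credentials are taken from the report; adjust them for your deployment.

```python
"""Verify 401-vs-403 behaviour of a BASIC-protected page behind a
security domain that uses AllDenyAuthorizationModule."""
import base64
import urllib.error
import urllib.request

# URL from the bug report (assumed to be reachable locally).
SECURE_URL = "http://localhost:8080/Reproducer/secure.html"


def expected_status(credentials_valid: bool) -> int:
    """Bad credentials never reach authorization, so the container must
    re-challenge (401); an authenticated user denied by policy gets 403."""
    return 403 if credentials_valid else 401


def classify(credentials_valid: bool, status: int, headers: dict) -> str:
    """Return 'ok' when the observed response is correct, otherwise a
    short reason (the reported bug shows up as 'expected 401, got 403')."""
    want = expected_status(credentials_valid)
    if status != want:
        return f"expected {want}, got {status}"
    if status == 401 and "www-authenticate" not in {k.lower() for k in headers}:
        return "401 without WWW-Authenticate challenge"
    return "ok"


def fetch(url: str, user: str, password: str) -> tuple:
    """GET the URL with a Basic Authorization header; return (status, headers)
    instead of raising on 4xx responses."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def run_checks(url: str = SECURE_URL) -> dict:
    """Replay the report's two requests and classify each result."""
    cases = (("wrong credentials", "wronguser", "wrongpassword", False),
             ("admin/admin (denied by policy)", "admin", "admin", True))
    results = {}
    for label, user, pw, valid in cases:
        status, headers = fetch(url, user, pw)
        results[label] = (status, classify(valid, status, headers))
    return results


if __name__ == "__main__":
    for label, (status, verdict) in run_checks().items():
        print(f"{label}: HTTP {status} -> {verdict}")
```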

Comment 1 Ondrej Lukas 2013-11-14 11:57:38 UTC
Created attachment 823909 [details]
reproducer

Comment 2 Josef Cacek 2014-07-29 12:33:02 UTC
Updating status. The issue still exists in 6.3.0.ER10.

Comment 3 Chao Wang 2014-09-15 09:22:28 UTC
As the AllDenyAuthorizationModule is present, the request is not repeated; shouldn't it just return the 403 code?

