1030417 – Access secure page with unauthenticated user returns wrong http status when authorization module is used

Bug 1030417 - Access secure page with unauthenticated user returns wrong http status when authorization module is used

Summary: Access secure page with unauthenticated user returns wrong http status when a...

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Security
Sub Component:
Version:	6.2.0,6.3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	EAP 6.4.0
Assignee:	Peter Skopek
QA Contact:	Pavel Slavicek
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-11-14 11:56 UTC by Ondrej Lukas
Modified:	2019-08-19 12:49 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2019-08-19 12:49:21 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)
reproducer (4.03 KB, application/zip) 2013-11-14 11:57 UTC, Ondrej Lukas	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	920160	0	unspecified	CLOSED	Unauthorized access to a web application protected with a custom authorization module results in HTTP 200 (OK) instead o...	2021-02-22 00:41:40 UTC

Internal Links: 920160

Description Ondrej Lukas 2013-11-14 11:56:38 UTC

Access secure page with unauthenticated user returns http status 403 instead of 401. 

Steps to reproduce:
1. add this security domain to standalone.xml:

<security-domain name="deny-all">
    <authentication>
        <login-module code="UsersRoles" flag="required"/>
    </authentication>
    <authorization>
        <policy-module code="org.jboss.security.authorization.modules.AllDenyAuthorizationModule" flag="required"/>
    </authorization>
</security-domain>

2. run standalone server and deploy attached Reproducer.war

3. open browser and visit page http://wronguser:wrongpassword@localhost:8080/Reproducer/secure.html

It returns HTTP Status 403 instead of 401.

(4. You can try to visit http://admin:admin@localhost:8080/Reproducer/secure.html
It returns 403 right, because admin/admin is correct authenticated user)

Comment 1 Ondrej Lukas 2013-11-14 11:57:38 UTC

Created attachment 823909 [details]
reproducer

Comment 2 Josef Cacek 2014-07-29 12:33:02 UTC

Updating status. The issue still exists in 6.3.0.ER10.

Comment 3 Chao Wang 2014-09-15 09:22:28 UTC

As the AllDenyAuthorizationModule is present, the request is not repeated, should not it just return the 403 code?

Note You need to log in before you can comment on or make changes to this bug.