Description of problem: If a custom JASPI auth module throws an exception, Wildfly/Undertow (the JASPI authenticator) ignores it and returns a 200. The web page that was requested does not get displayed. A blank page and a HTTP 200 are returned. Should a 40x or a 500 be returned instead? Or is it the responsibility of the custom JASPI auth module to set the status correctly? It seems like the container would need to be careful and not overwrite a status code that the JASPI module had explicitly set. Steps to Reproduce: 1. Build a custom JASPI module that throws an exception 2. Configure a security domain to use JASPI <security-domain name="jmx-console" cache-type="default"> <authentication-jaspi> <login-module-stack name="lm-stack"> <login-module code="UsersRoles" flag="required"> <module-option name="usersProperties" value="file:///${jboss.server.config.dir}/users.properties"/> <module-option name="rolesProperties" value="file:///${jboss.server.config.dir}/roles.properties"/> </login-module> </login-module-stack> <auth-module code="org.jboss.example.CustomJaspiAuthModule" flag="required" login-module-stack-ref="lm-stack" module="org.jboss.example"/> </authentication-jaspi> </security-domain> 3. Configure the application to use the JASPI valve <jboss-web> <security-domain>jaspi-test</security-domain> <valve> <class-name>org.jboss.as.web.security.jaspi.WebJASPIAuthenticator</class-name> </valve> </jboss-web> 4. Hit the web application and look at the HTTP status that is returned
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Verified with EAP 6.4.8.CP.CR2
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.