JBoss EAP unexpectedly calls CLIENT_CERT authentication mechanism to request client cert and potentially produce 401 response

Solution Verified

Issue

  • We enabled an Elytron security-domain with Undertow. Now we see the CLIENT_CERT authentication mechanism (along with BASIC, DIGEST, and FORM) being unexpectedly invoked on requests for unprotected resources, even though our application has no <login-config>. The CLIENT_CERT mechanism even triggers a TLS renegotiation attempt to request a client certificate over HTTP/1.1, which can result in a 401 response if the client responds with a certificate.

Environment

  • JBoss Enterprise Application Platform (EAP) 7.4.7 and earlier
    • Elytron
