Undertow attempts authentication and gives 401 response for unsecured pages in EAP 7

Solution Verified - Updated -

Issue

  • Undertow attempt authentication for unsecured pages when request header has Authorization: Basic "anystring".
  • Requests including a bad Authorization header are given a 401 response even if the request is not for any content matching the application's security-constraint. If the Authorization header is removed, the request is allowed.

Environment

  • Red Hat JBoss Enterprise Application Platform
    • 7
  • Application web.xml
    • multiple authentication mechanisms, protected (/secure/) and unprotected (/public/)
    • auth-method BASIC

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.