Undertow attempts authentication and gives 401 response for unsecured pages in EAP 7
Issue
- Undertow attempts authentication for unsecured pages when the request header contains Authorization: Basic "anystring".
- Requests that include a bad Authorization header are given a 401 response even if the request is not for any content matching the application's security-constraint. If the Authorization header is removed, the request is allowed.
Environment
- Red Hat JBoss Enterprise Application Platform
  - 7
- Application web.xml
  - multiple authentication mechanisms, protected (/secure/) and unprotected (/public/)
  - auth-method BASIC
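One way to confirm the behaviour described under Issue against a deployment you run, as an added example that is not Red Hat's code: `probe` requests the same unprotected path with and without the bad Authorization header and flags the case where only the header-bearing request gets a 401. The stub server is a constructed stand-in for EAP so the script runs offline; the host, port and `/public/index.html` path are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BAD_AUTH = "Basic anystring"  # the bad header value quoted in the Issue section


def status(host, port, path, headers=None):
    """Return the HTTP status code of a GET request."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers=headers or {})
        return conn.getresponse().status
    finally:
        conn.close()


def probe(host, port, path):
    """Request an unprotected path with and without the bad Authorization header."""
    plain = status(host, port, path)
    bad = status(host, port, path, {"Authorization": BAD_AUTH})
    # Affected: the page is served normally, but the header alone causes a 401.
    affected = plain != 401 and bad == 401
    return {"plain": plain, "bad_auth": bad, "affected": affected}


class StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in that mimics the reported behaviour; not EAP code."""
    def do_GET(self):
        # Authentication is attempted whenever the header is present.
        code = 401 if self.headers.get("Authorization") else 200
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def run_against_stub():
    """Start the stub on a free local port and probe an unprotected path."""
    server = HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_port, "/public/index.html")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_against_stub())
```

To check a real server, call `probe` with its host, port and a path under the unprotected area instead of using the stub.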