Basic authentication is enabled by default if a request has an Authorization request header
Issue
- Basic authentication is enabled by default if a request has an Authorization request header. Our application does not have <login-config> in web.xml, hence enabling Basic authentication is not expected. How do we disable Basic authentication?
- We do not intend to enable Basic authentication, but the application returns 401 Unauthorized.
- This issue only happens if we use Elytron instead of legacy security. standalone.xml is changed by jboss-eap-7.4/docs/examples/enable-elytron-se17.cli to run JBoss EAP 7.4 with OpenJDK17. The undertow subsystem settings are as follows:
    <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
        <buffer-cache name="default"/>
        <server name="default-server">
            <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
            <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
            <host name="default-host" alias="localhost">
                <location name="/" handler="welcome-content"/>
                <http-invoker http-authentication-factory="application-http-authentication"/>
            </host>
        </server>
        <servlet-container name="default">
            <jsp-config/>
            <websockets/>
        </servlet-container>
        <handlers>
            <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
        </handlers>
        <application-security-domains>
            <application-security-domain name="other" security-domain="ApplicationDomain"/>
        </application-security-domains>
    </subsystem>
- Application authentication setting is overridden by Elytron even though the attribute override-deployment-config=false is in the <application-security-domain> tag.
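
A read-only check for the settings the issue description refers to, as an added example that is not part of the original article or of Red Hat's tooling: it parses an undertow subsystem (or a whole standalone.xml) and lists each application-security-domain mapping, whether it is the one named by default-security-domain, and its override-deployment-config value. The function and field names are hypothetical, the sample input is constructed from the configuration above, and treating a missing override-deployment-config as false is an assumption about the attribute's default.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the undertow subsystem from the page, trimmed to the
# attributes this check reads.
SAMPLE = """<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-security-domain="other">
  <server name="default-server">
    <host name="default-host" alias="localhost">
      <http-invoker http-authentication-factory="application-http-authentication"/>
    </host>
  </server>
  <application-security-domains>
    <application-security-domain name="other" security-domain="ApplicationDomain"/>
  </application-security-domains>
</subsystem>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def audit_undertow(xml_text):
    """Hypothetical helper: list the Elytron mappings in each undertow subsystem."""
    findings = []
    for sub in ET.fromstring(xml_text).iter():
        # Match on the namespace so the schema version (12.0 here) does not matter.
        if local(sub.tag) != "subsystem" or ":undertow:" not in sub.tag:
            continue
        default = sub.get("default-security-domain")
        for asd in sub.iter():
            if local(asd.tag) != "application-security-domain":
                continue
            findings.append({
                "name": asd.get("name"),
                # A mapping references a security domain or an HTTP authentication factory.
                "backed_by": asd.get("security-domain")
                             or asd.get("http-authentication-factory"),
                # Assumption: an absent attribute means false.
                "override_deployment_config": asd.get("override-deployment-config", "false"),
                # True when this mapping carries the subsystem's default-security-domain name.
                "is_default_for_deployments": asd.get("name") == default,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_undertow(SAMPLE):
        print(finding)
```
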
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
  - 7.4.7
  - 7.4.8
- Elytron
- OpenJDK17