[ELY-1466] Http Basic auth - silent mode #1218

Merged
merged 1 commit into from
Jan 15, 2019

@wildfly-ci

Can one of the admins verify this patch?

@fjuma
Contributor

fjuma commented Jan 2, 2019

Haven't reviewed the rest of this PR fully yet but one thing to note is that the commit message and PR title should reference the ELY issue instead of the WFLY issue.

//if silent we only send a challenge if the request contained auth headers
//otherwise we assume another method will send the challenge
String authHeader = request.getFirstRequestHeaderValue(AUTHORIZATION);
if(authHeader == null) {
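
Review bot: the `authHeader == null` test only checks that some Authorization header is present, not which scheme it carries, so in silent mode a request with a Digest or other non-Basic Authorization value takes the same path as one with Basic credentials. If that is intended, state it in the comment above, which currently says "if the request contained auth headers" without saying that any scheme counts; if it is not, compare the scheme prefix case-insensitively before deciding whether to challenge. Minor style point: `if(` is missing the space after `if`.
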
Contributor

Shouldn't it be checked here that the Authorization header is of the Basic mechanism? Can it happen that this mechanism sees a Digest mechanism header?

Contributor Author

I think if there is a Digest mechanism header, it might have successful credentials, and so it is better to not send a challenge in this case also.

@Skyllarr changed the title from "[WFLY-11479] Http Basic auth silent mode" to "[ELY-1466] Http Basic auth - silent mode" on Jan 3, 2019
@@ -107,7 +108,7 @@ public HttpServerAuthenticationMechanism createAuthenticationMechanism(String me

switch (mechanismName) {
case BASIC_NAME:
return new BasicAuthenticationMechanism(callbackHandler, (String) properties.get(CONFIG_REALM), false);
return new BasicAuthenticationMechanism(callbackHandler, (String) properties.get(CONFIG_REALM), Boolean.valueOf((String) properties.get(SILENT)), false);
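
Review bot: on the added `BasicAuthenticationMechanism(...)` line, `(String) properties.get(SILENT)` throws a ClassCastException if a caller stores a Boolean rather than a String under that key, which is an easy mistake for a flag that reads like a boolean. Consider accepting both types or documenting that the value must be a String. Note also that a missing key or any value other than "true" leaves silent mode off without any warning, and that the constructor now takes two adjacent boolean arguments, so a short comment naming each would help prevent them being transposed.
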
Contributor

Just a minor comment, I think you could use Boolean.parseBoolean here instead.

@fjuma added the +1 FJ label Jan 14, 2019
@fjuma
Contributor

fjuma commented Jan 14, 2019

@darranl I think we can go ahead and merge this one if it looks ok to you. (QE has finished pre-checking it.)

@darranl added the +1 DAL label Jan 15, 2019
@darranl merged commit cea0d34 into wildfly-security:master Jan 15, 2019
5 participants