Description
In the current setup of WSO2 IS 5.11.0, the configuration in web.xml is overly broad, applying authentication restrictions globally to all server endpoints due to the /. This blocks access to critical OAuth2 endpoints, such as /oauth2/authorize, resulting in a 403 Forbidden response.
The issue arises because the configuration is intended to protect the admin console (/carbon/*) when using IWA-NTLM (Integrated Windows Authentication with NTLM), but it unintentionally affects unrelated endpoints like /oauth2/authorize.
Steps to Reproduce
Enable the IWA-NTLM authenticator for the admin console by manually modifying the web.xml file. Add the following block:
(This block is generated by the following template web.xml.j2:)
Restart WSO2 IS.
Attempt to access /oauth2/authorize.
Observe the 403 Forbidden response and no relevant logs in wso2carbon.log.
Note: the scenario is without the use of the deployment.toml file.
Version
5.11.0
Environment Details (with versions)
No response
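As an added example (not code from the issue above, and not WSO2's web.xml.j2 template), the script below parses a web.xml fragment, collects the url-patterns of every security-constraint that carries an auth-constraint, and reports which request paths fall under them using the servlet url-pattern rules (exact match, path prefix such as /carbon/*, extension match such as *.jsp, and the catch-all / and /*). The two embedded web.xml fragments are constructed for illustration: the broad one assumes /* as the pattern the report refers to, and the narrowed one restricts the constraint to /carbon/*, which is the scope the reporter says was intended. The sample request paths are likewise constructed.

```python
"""Report which request paths a web.xml <security-constraint> would cover.

Added example: the web.xml fragments and sample paths below are constructed
for illustration and are not WSO2's own configuration.
"""
import xml.etree.ElementTree as ET

# Constructed: a constraint with the overly broad pattern (/*) that the
# report describes, which pulls /oauth2/authorize under admin-console auth.
BROAD_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Carbon Console</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed: the same constraint narrowed to the admin console only.
NARROW_WEB_XML = BROAD_WEB_XML.replace("<url-pattern>/*</url-pattern>",
                                       "<url-pattern>/carbon/*</url-pattern>")

# Constructed sample request paths to check against the constraints.
SAMPLE_PATHS = [
    "/carbon/admin/login.jsp",
    "/carbon",
    "/oauth2/authorize",
    "/oauth2/token",
    "/commonauth",
]


def _local(tag):
    """Strip an XML namespace prefix ({uri}name -> name) so namespaced web.xml parses too."""
    return tag.rsplit("}", 1)[-1]


def constrained_patterns(web_xml):
    """Return the url-patterns of every <security-constraint> that has an <auth-constraint>.

    A security-constraint without an auth-constraint only sets a transport
    guarantee and does not require authentication, so it is skipped.
    """
    root = ET.fromstring(web_xml)
    patterns = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(child.tag) == "auth-constraint" for child in sc):
            continue
        for elem in sc.iter():
            if _local(elem.tag) == "url-pattern" and elem.text:
                patterns.append(elem.text.strip())
    return patterns


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: catch-all, path prefix, extension, or exact."""
    if pattern in ("/", "/*"):            # default / catch-all: every path is covered
        return True
    if pattern.endswith("/*"):            # path-prefix mapping, e.g. /carbon/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):          # extension mapping, e.g. *.jsp
        return path.endswith(pattern[1:])
    return path == pattern                # exact mapping


def covered_paths(web_xml, paths):
    """Map each request path to the list of constrained url-patterns that cover it."""
    patterns = constrained_patterns(web_xml)
    return {p: [pat for pat in patterns if pattern_matches(pat, p)] for p in paths}


if __name__ == "__main__":
    for label, xml in (("broad /*", BROAD_WEB_XML), ("narrowed /carbon/*", NARROW_WEB_XML)):
        print(f"== {label} ==")
        for path, hits in covered_paths(xml, SAMPLE_PATHS).items():
            state = "requires auth" if hits else "open"
            print(f"  {path:28} {state} {hits if hits else ''}")
```

Running the script shows /oauth2/authorize, /oauth2/token and /commonauth covered by the broad constraint and left open by the narrowed one, while /carbon and everything under it stays protected in both. The same parser can be pointed at a real web.xml to confirm that an IWA-NTLM constraint does not reach past /carbon/*.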