4 Replies Latest reply on Jan 26, 2015 7:00 PM by hojothum

    WildFly 8.2 PicketLink SAML Authentication - empty auth-constraint doesn't bypass authentication?

    hojothum

      We're migrating our JBoss 7.2 application to WildFly 8.2 and have successfully migrated the app and our security domain configuration. We're using PicketLink and our own login module extending SAML2LoginModule to do SAML2 authentication via the "org.picketlink.identity.federation.bindings.wildfly.sp.SPServletExtension" as described here "WildFly Configuration - PicketLink - Project Documentation Editor" in the "Service Provider Configuration" section.

      We get authenticated just fine when PicketLink evaluates the SAML assertion. However, our unprotected resources also redirect to the IDP URL as if they're protected as well.

      This is not the case if we swap out PicketLink for our development environment authentication method. We use a "UsernamePasswordLoginModule" in development that only shows the login form for "webapp" resources that have "<auth-constraint>" defined in web.xml.

      My assumption is that the "org.picketlink.identity.federation.bindings.wildfly.sp.SPServletExtension" takes over and is not bypassing authentication for the "<security-constraint>" sections that have no "<auth-constraint>" defined.

      NOTE: The quickstart for "picketlink-federation-saml-sp-redirect-basic" (jboss-picketlink-quickstarts/picketlink-federation-saml-sp-redirect-basic at master · jboss-developer/jboss-picketlink-q…) seems to have the same issue if you add a "freezone" directory with a JSP file in it. The "freezone" should not require authentication according to this quickstart's web.xml config.

      Thank you for any help working around this (or validation that it is a known issue).
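As an added illustration, not taken from the post or the quickstart, the web.xml fragment below shows the two kinds of constraint the poster is comparing, with the paths /protected/* and /freezone/* and the role "user" chosen as assumptions. The Servlet specification distinguishes two cases that are easy to confuse when reproducing this: omitting <auth-constraint> entirely means the container must not require authentication for that resource, whereas an empty <auth-constraint/> (no role-name) denies access to everyone, so a test of the bypass must use the first form.

```xml
<!-- Added example web.xml excerpt (constructed; not the quickstart's file). -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         version="3.1">

  <!-- Resource that must go through SAML authentication at the IDP. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area (assumed path)</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <!-- A role list is present, so the container must authenticate the caller. -->
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Resource that is expected to be reachable without authentication. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Free zone (assumed path)</web-resource-name>
      <url-pattern>/freezone/*</url-pattern>
    </web-resource-collection>
    <!-- No <auth-constraint> element at all: per the Servlet spec this means
         "no authentication required". Do NOT write <auth-constraint/> here;
         an empty element means "deny everyone", the opposite of the intent. -->
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

With the SAML SP extension in place, a request to /freezone/ that still redirects to the IDP reproduces the behaviour described in the post; the same request under the development UsernamePasswordLoginModule should be served without a login form.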