And in WildFly 11 did you use Elytron subsystem or legacy security subsystem?
In Elytron I believe Basic authentication is performed on each request. Browser provides credentials on each request. Accessing unprotected resource are you authenticated, in other word is output of request.getRemoteUser() expected?
What if you access first unprotected resource and then protected?
In legacy you can cache on security domain level so it will in theory solve your problem.
Can you paste your whole web.xml?
Yes I believe Elytron is being used since other than adding users and deploying my application I haven't made any configuration changes to wildlfy after downloading. And I do see the following logged on application startup
[org.wildfly.security] (ServerService Thread Pool -- 23) ELY00001: WildFly Elytron version 1.1.6.Final
I tried what you suggested, and the output of request.getRemoteUser() is null on an unprotected resource. If I access first an unprotected resource and then protected, then the getRemoteUser() is null on the unprotected then on the protected it is populated correctly (after authentication ofcourse).
The cache on security domain in legacy sounds like something to try. Do you have any more specifics on how I would go about this?
And web.xml for your reference:
If so (you did no changes in configuration), you are using legacy security solution. And I assume cache is on as your default security domain used is other and there is this line in your standalone.xml:
<security-domain name="other" cache-type="default">
What happens if you configure explicitely:
Does it behaves the same also with Elytron. You can switch to Elytron solution with:
I made the Guests configuration as suggested and it does result in the calls to request.isUserInRole("AdminUsers") returning true in paths not on the /admin/* pattern. The only downside is that it prompts for credentials on hitting any application path whereas we only need this from a user if they enter anything in the /admin/* path.
And the behaviour is the same after applying the Elytron solution.