[aerogear-dev] Basic/Digest issue with the Controller or AG Security?

Matthias Wessendorf matzew at apache.org
Thu Jun 20 08:15:42 EDT 2013


I have tried an internal service, tried the similar like about (with
basic/curl)


curl -k --basic -b cookies.txt -c cookies.txt -u goodUser:goodPasswd "
https://something.redhat.com" -v

==> I get the protected page


curl -k --basic -b cookies.txt -c cookies.txt -u badUser:badPasswd "
https://something.redhat.com" -v

==> I am NOT getting the protected page :)


Not sure, but I do like the fact that the second curl is not successful :-)





On Thu, Jun 20, 2013 at 2:04 PM, Kris Borchers <kris at redhat.com> wrote:

> Isn't this how Basic auth works? Once you log in you get a cookie and you
> don't have to authenticate anymore until that cooke expires (usually at the
> end of a session). This is my experience in browsers at least and is how I
> would expect it to work. If I have a valid cookie, I should not have to log
> in again.
>
> On Jun 20, 2013, at 6:59 AM, Matthias Wessendorf <matzew at apache.org>
> wrote:
>
> Hi,
>
> when looking into HTTP Basic/Digest for iOS, Christos noticed a problem
> with that, on the Controller demo (using AG-Security).
>
> I have checked his issues and they are "visible" in cURL "environment" as
> well.
>
> Steps to reproduce
>
>    - Clone the AG-Controller demo<https://github.com/aerogear/aerogear-controller-demo>
>    - Update the web.xml to use the BASIC Filter (here<https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L34-L41>
>     and here<https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L78-L82>
>    ).
>    - Make *SURE* that the Digiest section is commented out :-)
>    - Deploy the WAR to your JBoss Application Server
>
> Now some tests with BASIC (and the default user john:123):
>
> curl -u "john:123" "http://localhost:8080/aerogear-controller-demo/autobots" -v
>
> This works, as expected!
>
> curl -u "john:007" "http://localhost:8080/aerogear-controller-demo/autobots" -v
>
> This does *NOT* work, as expected!
>  <https://gist.github.com/matzew/6111c42ff5d73f18097e#cookies->Cookies ?
>
> Christos and I noticed the server does return the Set-Cookie: response
> header, so the cookie can/will be stored on the client.
>
> Now let's do this:
>
> curl --basic -b cookies.txt -c cookies.txt -u john:123 \
> "http://localhost:8080/aerogear-controller-demo/autobots" -v
>
> Perfect, works as well
>
> But now, let's do this:
>
> curl --basic -b cookies.txt -c cookies.txt -u john:007 \
> "http://localhost:8080/aerogear-controller-demo/autobots" -v
>
> Unfortunatley, this works as well, since the session is reused, due to the
> cookies... So, when the session is stored on the client, it is possible to
> switch the credentials "on the fly".
>  <https://gist.github.com/matzew/6111c42ff5d73f18097e#question--comments>Question
> / Comments
>
>    -
>
>    Not really sure, but for Basic/Digest should the server really send
>    Set-Cookie: response header back to the client ?
>    -
>
>    Not sure this is something on the controller, AG-Security or even
>    PicketLink, but perhaps theSet-Cookie: could be removed, when sending
>    the response for Basic/Digest
>
> Ant thoughts on this ?
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20130620/8b1b76a9/attachment.html 


More information about the aerogear-dev mailing list