[aerogear-dev] Basic/Digest issue with the Controller or AG Security?
Bruno Oliveira
bruno at abstractj.org
Thu Jun 20 11:03:19 EDT 2013
I have to reproduce the issue here. Set-Cookie doesn't belong to AGSec
or Controller.
Matthias Wessendorf wrote:
>
>
>
> On Thu, Jun 20, 2013 at 2:28 PM, Kris Borchers <kris at redhat.com
> <mailto:kris at redhat.com>> wrote:
>
> I can agree that sending incorrect credentials should not work. You
> shouldn't be sending credentials again if you have a valid cookie
> but if you do and they are wrong, I agree that you should not be
> authenticated. The question then is, should the cookie be
> invalidated or if I try again with the cookie but without
> credentials, should it work. I would probably lean toward
> invalidating the cookie and forcing the auth process to start over,
> I think.
>
>
> yep, I am with out there :)
>
>
> On Jun 20, 2013, at 7:15 AM, Matthias Wessendorf <matzew at apache.org
> <mailto:matzew at apache.org>> wrote:
>
>> I have tried an internal service, tried the similar like about
>> (with basic/curl)
>>
>> curl -k --basic -b cookies.txt -c cookies.txt -u
>> goodUser:goodPasswd "https://something.redhat.com
>> <https://something.redhat.com/>" -v
>>
>> ==> I get the protected page
>>
>>
>> curl -k --basic -b cookies.txt -c cookies.txt -u badUser:badPasswd
>> "https://something.redhat.com <https://something.redhat.com/>" -v
>>
>> ==> I am NOT getting the protected page :)
>>
>>
>> Not sure, but I do like the fact that the second curl is not
>> successful :-)
>>
>>
>>
>>
>>
>> On Thu, Jun 20, 2013 at 2:04 PM, Kris Borchers <kris at redhat.com
>> <mailto:kris at redhat.com>> wrote:
>>
>> Isn't this how Basic auth works? Once you log in you get a
>> cookie and you don't have to authenticate anymore until that
>> cooke expires (usually at the end of a session). This is my
>> experience in browsers at least and is how I would expect it
>> to work. If I have a valid cookie, I should not have to log in
>> again.
>>
>> On Jun 20, 2013, at 6:59 AM, Matthias Wessendorf
>> <matzew at apache.org <mailto:matzew at apache.org>> wrote:
>>
>>> Hi,
>>>
>>> when looking into HTTP Basic/Digest for iOS, Christos noticed
>>> a problem with that, on the Controller demo (using AG-Security).
>>>
>>> I have checked his issues and they are "visible" in cURL
>>> "environment" as well.
>>>
>>> Steps to reproduce
>>>
>>> * Clone the AG-Controller demo
>>> <https://github.com/aerogear/aerogear-controller-demo>
>>> * Update the |web.xml| to use the BASIC Filter (here
>>> <https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L34-L41> and
>>> here
>>> <https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L78-L82>).
>>> * Make /*SURE*/ that the Digiest section is commented out :-)
>>> * Deploy the |WAR| to your JBoss Application Server
>>>
>>> Now some tests with BASIC (and the default user |john:123|):
>>>
>>> |curl -u"john:123" "http://localhost:8080/aerogear-controller-demo/autobots" -v
>>> |
>>>
>>> This works, as expected!
>>>
>>> |curl -u"john:007" "http://localhost:8080/aerogear-controller-demo/autobots" -v
>>> |
>>>
>>> This does /*NOT*/ work, as expected!
>>>
>>>
>>> <https://gist.github.com/matzew/6111c42ff5d73f18097e#cookies->Cookies
>>> ?
>>>
>>> Christos and I noticed the server does return the
>>> |Set-Cookie:| response header, so the cookie can/will be
>>> stored on the client.
>>>
>>> Now let's do this:
>>>
>>> |curl --basic -b cookies.txt -c cookies.txt -u john:123 \
>>> "http://localhost:8080/aerogear-controller-demo/autobots" -v
>>> |
>>>
>>> Perfect, works as well
>>>
>>> But now, let's do this:
>>>
>>> |curl --basic -b cookies.txt -c cookies.txt -u john:007 \
>>> "http://localhost:8080/aerogear-controller-demo/autobots" -v
>>> |
>>>
>>> Unfortunatley, this works as well, since the session is
>>> reused, due to the cookies... So, when the session is stored
>>> on the client, it is possible to switch the credentials "on
>>> the fly".
>>>
>>>
>>> <https://gist.github.com/matzew/6111c42ff5d73f18097e#question--comments>Question
>>> / Comments
>>>
>>> *
>>>
>>> Not really sure, but for Basic/Digest should the server
>>> really send |Set-Cookie:| response header back to the
>>> client ?
>>>
>>> *
>>>
>>> Not sure this is something on the controller, AG-Security
>>> or even PicketLink, but perhaps the|Set-Cookie:| could be
>>> removed, when sending the response for Basic/Digest
>>>
>>> Ant thoughts on this ?
>>>
>>> --
>>> Matthias Wessendorf
>>>
>>> blog: http://matthiaswessendorf.wordpress.com/
>>> sessions: http://www.slideshare.net/mwessendorf
>>> twitter: http://twitter.com/mwessendorf
>>> _______________________________________________
>>> aerogear-dev mailing list
>>> aerogear-dev at lists.jboss.org
>>> <mailto:aerogear-dev at lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>>
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org <mailto:aerogear-dev at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>>
>>
>>
>> --
>> Matthias Wessendorf
>>
>> blog: http://matthiaswessendorf.wordpress.com/
>> sessions: http://www.slideshare.net/mwessendorf
>> twitter: http://twitter.com/mwessendorf
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org <mailto:aerogear-dev at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org <mailto:aerogear-dev at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
--
abstractj
More information about the aerogear-dev
mailing list