<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 06/20/2013 08:28 AM, Kris Borchers
wrote:<br>
</div>
<blockquote
cite="mid:EC0C7B95-297B-46D2-BE6D-FA8B41D56F92@redhat.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
I can agree that sending incorrect credentials should not work.
You shouldn't be sending credentials again if you have a valid
cookie but if you do and they are wrong, I agree that you should
not be authenticated. The question then is, should the cookie be
invalidated or if I try again with the cookie but without
credentials, should it work. I would probably lean toward
invalidating the cookie and forcing the auth process to start
over, I think.</blockquote>
That makes the most sense. HTTP Basic doesn't require a cookie so
whatever we do here is rather arbitrary...<br>
<blockquote
cite="mid:EC0C7B95-297B-46D2-BE6D-FA8B41D56F92@redhat.com"
type="cite">
<div><br>
<div>
<div>On Jun 20, 2013, at 7:15 AM, Matthias Wessendorf <<a
moz-do-not-send="true" href="mailto:matzew@apache.org">matzew@apache.org</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div dir="ltr">I have tried an internal service, tried something
similar to the above (with basic/curl)
<div> </div>
<div><br>
</div>
<div>
<div>curl -k --basic -b cookies.txt -c cookies.txt -u
goodUser:goodPasswd "<a moz-do-not-send="true"
href="https://something.redhat.com/">https://something.redhat.com</a>"
-v</div>
<div><br>
</div>
<div>==> I get the protected page</div>
<div><br>
</div>
<div><br>
</div>
<div>curl -k --basic -b cookies.txt -c cookies.txt -u
badUser:badPasswd "<a moz-do-not-send="true"
href="https://something.redhat.com/">https://something.redhat.com</a>"
-v</div>
<div><br>
</div>
<div>==> I am NOT getting the protected page :)</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div style="">Not sure, but I do like the fact that the
second curl is not successful :-)</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Thu, Jun 20, 2013 at 2:04 PM,
Kris Borchers <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:kris@redhat.com"
target="_blank">kris@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">Isn't this how Basic
auth works? Once you log in you get a cookie and you
don't have to authenticate anymore until that cookie
expires (usually at the end of a session). This is
my experience in browsers at least and is how I
would expect it to work. If I have a valid cookie, I
should not have to log in again.
<div>
<br>
<div>
<div>
<div class="h5">
<div>On Jun 20, 2013, at 6:59 AM, Matthias
Wessendorf <<a moz-do-not-send="true"
href="mailto:matzew@apache.org"
target="_blank">matzew@apache.org</a>>
wrote:</div>
<br>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div dir="ltr">
<p
style="margin-right:0px;margin-bottom:15px;margin-left:0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px;margin-top:0px!important">Hi,</p>
<p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">when
looking into HTTP Basic/Digest for
iOS, Christos noticed a problem with
that, on the Controller demo (using
AG-Security).</p>
<p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">I
have checked his issues and they are
"visible" in cURL "environment" as
well.</p>
<p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Steps
to reproduce</p>
<ul style="margin:15px 0px;padding:0px
0px 0px
30px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">
<li>Clone the <a
moz-do-not-send="true"
href="https://github.com/aerogear/aerogear-controller-demo"
style="color:rgb(65,131,196);text-decoration:none" target="_blank">AG-Controller
demo</a></li>
<li>Update the <code
style="font-family:Consolas,'Liberation
Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px
2px;padding:0px 5px;border:1px
solid
rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">web.xml</code> to
use the BASIC Filter (<a
moz-do-not-send="true"
href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L34-L41"
style="color:rgb(65,131,196);text-decoration:none" target="_blank">here</a> and <a
moz-do-not-send="true"
href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L78-L82"
style="color:rgb(65,131,196);text-decoration:none" target="_blank">here</a>).</li>
<li>Make <em><strong>SURE</strong></em> that
the Digest section is commented out
:-)</li>
<li>Deploy the <code
style="font-family:Consolas,'Liberation
Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px
2px;padding:0px 5px;border:1px
solid
rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">WAR</code> to
your JBoss Application Server</li>
</ul>
<p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Now
some tests with BASIC (and the default
user <code
style="font-family:Consolas,'Liberation
Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px
2px;padding:0px 5px;border:1px solid
rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">john:123</code>):</p>
<pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px"><code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl -u "john:123" "<a moz-do-not-send="true" href="http://localhost:8080/aerogear-controller-demo/autobots" target="_blank">http://localhost:8080/aerogear-controller-demo/autobots</a>" -v
</code></pre>
<p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">This
works, as expected!</p>
<pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px"><code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl -u "john:007" "<a moz-do-not-send="true" href="http://localhost:8080/aerogear-controller-demo/autobots" target="_blank">http://localhost:8080/aerogear-controller-demo/autobots</a>" -v
</code></pre>
<p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">This
does <em><strong>NOT</strong></em> work,
as expected!</p>
<h3 style="margin:1em 0px
15px;padding:0px;font-size:1.5em;font-family:Helvetica,arial,freesans,clean,sans-serif"><a
moz-do-not-send="true"
name="13f61795dc452443_cookies-"
href="https://gist.github.com/matzew/6111c42ff5d73f18097e#cookies-"
style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"
target="_blank"><span></span></a>Cookies?</h3>
<p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Christos
and I noticed the server does return
the <code
style="font-family:Consolas,'Liberation
Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px
2px;padding:0px 5px;border:1px solid
rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Set-Cookie:</code> response
header, so the cookie can/will be
stored on the client.</p>
<p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Now
let's do this:</p>
<pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px"><code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl --basic -b cookies.txt -c cookies.txt -u john:123 \
"<a moz-do-not-send="true" href="http://localhost:8080/aerogear-controller-demo/autobots" target="_blank">http://localhost:8080/aerogear-controller-demo/autobots</a>" -v
</code></pre>
<p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Perfect,
works as well</p>
<p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">But
now, let's do this:</p>
<pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px"><code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl --basic -b cookies.txt -c cookies.txt -u john:007 \
"<a moz-do-not-send="true" href="http://localhost:8080/aerogear-controller-demo/autobots" target="_blank">http://localhost:8080/aerogear-controller-demo/autobots</a>" -v
</code></pre>
<p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Unfortunately,
this works as well, since the session
is reused, due to the cookies... So,
when the session is stored on the
client, it is possible to switch the
credentials "on the fly".</p>
<h2 style="margin:1em 0px
15px;padding:0px;font-size:2em;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(238,238,238);font-family:Helvetica,arial,freesans,clean,sans-serif"><a
moz-do-not-send="true"
name="13f61795dc452443_question--comments"
href="https://gist.github.com/matzew/6111c42ff5d73f18097e#question--comments"
style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"
target="_blank"><span></span></a>Question
/ Comments</h2>
<ul
style="margin-top:15px;margin-right:0px;margin-left:0px;padding:0px
0px 0px
30px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px;margin-bottom:0px!important">
<li>
<p style="margin:15px 0px">Not
really sure, but for Basic/Digest
should the server really send <code
style="font-family:Consolas,'Liberation
Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px
2px;padding:0px 5px;border:1px
solid
rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Set-Cookie:</code> response
header back to the client?</p>
</li>
<li>
<p style="margin:15px 0px">Not sure
this is something on the
controller, AG-Security or even
PicketLink, but perhaps the<code
style="font-family:Consolas,'Liberation
Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px
2px;padding:0px 5px;border:1px
solid
rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Set-Cookie:</code> could
be removed, when sending the
response for Basic/Digest</p>
</li>
</ul>
<div><span
style="font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15px;line-height:22.71875px">Any
thoughts on this?</span><br>
</div>
<div><br>
</div>
-- <br>
Matthias Wessendorf <br>
<br>
blog: <a moz-do-not-send="true"
href="http://matthiaswessendorf.wordpress.com/"
target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
sessions: <a moz-do-not-send="true"
href="http://www.slideshare.net/mwessendorf"
target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a moz-do-not-send="true"
href="http://twitter.com/mwessendorf"
target="_blank">http://twitter.com/mwessendorf</a>
</div>
</div>
</div>
_______________________________________________<br>
aerogear-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:aerogear-dev@lists.jboss.org"
target="_blank">aerogear-dev@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/aerogear-dev"
target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Matthias Wessendorf <br>
<br>
blog: <a moz-do-not-send="true"
href="http://matthiaswessendorf.wordpress.com/"
target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
sessions: <a moz-do-not-send="true"
href="http://www.slideshare.net/mwessendorf"
target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a moz-do-not-send="true"
href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
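<p>As an added illustration (not code from this thread, from the AeroGear controller demo, AG-Security or PicketLink), the model below replays the three curl calls from the gist against a toy Basic-auth filter under the three policies the thread discusses: the cookie-first behaviour Matthias observed (a valid session cookie wins and the Authorization header is never looked at), Kris's suggestion of verifying supplied credentials and invalidating the session when they are wrong, and Matthias's option of not sending <code>Set-Cookie</code> for Basic at all. The cookie name <code>JSESSIONID</code>, the realm name and the in-memory credential store are assumptions; <code>john:123</code> is the demo default user named in the thread.</p>

```python
import base64
import hmac
import secrets

# Constructed credential store; john:123 is the demo's default user from the thread.
USERS = {"john": "123"}
COOKIE_NAME = "JSESSIONID"  # assumption: the container's session cookie name
CHALLENGE = (401, {"WWW-Authenticate": 'Basic realm="demo"'})  # realm name assumed


def parse_basic(header):
    """Decode 'Authorization: Basic <base64(user:password)>'; None if absent/malformed."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def parse_cookie(header):
    """Return the session id carried in a Cookie header, or None."""
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def password_ok(user, password):
    expected = USERS.get(user, "")  # compare_digest: no early exit on the first bad byte
    return expected != "" and hmac.compare_digest(expected.encode(), password.encode())


def handle(headers, sessions, policy):
    """One request through the filter; sessions maps cookie value -> user.
    cookie-first: a valid session cookie wins and Authorization is never checked
    (what the thread's curl sequence observed). credentials-first: a supplied
    Authorization header is always verified; a wrong one ends the session.
    stateless: Basic only, never Set-Cookie, so there is nothing to replay."""
    sid = parse_cookie(headers.get("Cookie"))
    creds = parse_basic(headers.get("Authorization"))
    session_user = sessions.get(sid)

    if policy == "cookie-first" and session_user:
        return 200, {}
    if creds is None:
        return (200, {}) if session_user and policy != "stateless" else CHALLENGE
    user, password = creds
    if not password_ok(user, password):
        sessions.pop(sid, None)  # bad credentials end the existing session
        return CHALLENGE
    if policy == "stateless":
        return 200, {}
    if session_user == user:
        return 200, {}
    sessions.pop(sid, None)  # never bind a fresh login to an old session id
    new_sid = secrets.token_urlsafe(32)
    sessions[new_sid] = user
    return 200, {"Set-Cookie": f"{COOKIE_NAME}={new_sid}; Path=/; HttpOnly"}


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def replay_thread_sequence(policy):
    """Replay the thread's curl calls with one shared cookie jar
    (curl -b cookies.txt -c cookies.txt); returns the three status codes."""
    sessions, jar = {}, {}

    def request(auth=None):
        headers = {"Authorization": basic_header(*auth)} if auth else {}
        if jar:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
        status, resp = handle(headers, sessions, policy)
        if "Set-Cookie" in resp:  # curl -c stores whatever the server set
            name, _, value = resp["Set-Cookie"].split(";")[0].partition("=")
            jar[name] = value
        return status

    return [
        request(("john", "123")),  # correct credentials; the jar picks up the cookie
        request(("john", "007")),  # wrong credentials, but the cookie is sent along
        request(),                 # cookie only, no Authorization header at all
    ]
```

<p>With the cookie-first policy the second call succeeds exactly as in the gist, and so does a third call that carries nothing but the cookie. Under credentials-first the wrong password both fails and removes the server-side session, so the cookie the jar still holds is worthless afterwards; under stateless no <code>Set-Cookie</code> is ever emitted, so the jar stays empty and every request is judged on its own Authorization header.</p>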
</body>
</html>