<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 06/20/2013 08:28 AM, Kris Borchers
      wrote:<br>
    </div>
    <blockquote
      cite="mid:EC0C7B95-297B-46D2-BE6D-FA8B41D56F92@redhat.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      I can agree that sending incorrect credentials should not work.
      You shouldn't be sending credentials again if you have a valid
      cookie but if you do and they are wrong, I agree that you should
      not be authenticated. The question then is, should the cookie be
      invalidated or if I try again with the cookie but without
      credentials, should it work. I would probably lean toward
      invalidating the cookie and forcing the auth process to start
      over, I think.</blockquote>
    That makes the most sense.&nbsp; HTTP Basic doesn't require a cookie so
    whatever we do here is rather arbitrary...<br>
    <blockquote
      cite="mid:EC0C7B95-297B-46D2-BE6D-FA8B41D56F92@redhat.com"
      type="cite">
      <div><br>
        <div>
          <div>On Jun 20, 2013, at 7:15 AM, Matthias Wessendorf &lt;<a
              moz-do-not-send="true" href="mailto:matzew@apache.org">matzew@apache.org</a>&gt;
            wrote:</div>
          <br class="Apple-interchange-newline">
          <blockquote type="cite">
            <div dir="ltr">I have tried an internal service, tried something
              similar to the above (with basic/curl)
              <div>&nbsp;</div>
              <div><br>
              </div>
              <div>
                <div>curl -k --basic -b cookies.txt -c cookies.txt -u
                  goodUser:goodPasswd "<a moz-do-not-send="true"
                    href="https://something.redhat.com/">https://something.redhat.com</a>"
                  -v</div>
                <div><br>
                </div>
                <div>==&gt; I get the protected page</div>
                <div><br>
                </div>
                <div><br>
                </div>
                <div>curl -k --basic -b cookies.txt -c cookies.txt -u
                  badUser:badPasswd "<a moz-do-not-send="true"
                    href="https://something.redhat.com/">https://something.redhat.com</a>"
                  -v</div>
                <div><br>
                </div>
                <div>==&gt; I am NOT getting the protected page :)</div>
              </div>
              <div><br>
              </div>
              <div><br>
              </div>
              <div style="">Not sure, but I do like the fact that the
                second curl is not successful :-)</div>
              <div><br>
              </div>
              <div><br>
              </div>
              <div><br>
              </div>
            </div>
            <div class="gmail_extra"><br>
              <br>
              <div class="gmail_quote">On Thu, Jun 20, 2013 at 2:04 PM,
                Kris Borchers <span dir="ltr">&lt;<a
                    moz-do-not-send="true" href="mailto:kris@redhat.com"
                    target="_blank">kris@redhat.com</a>&gt;</span>
                wrote:<br>
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <div style="word-wrap:break-word">Isn't this how Basic
                    auth works? Once you log in you get a cookie and you
                    don't have to authenticate anymore until that cookie
                    expires (usually at the end of a session). This is
                    my experience in browsers at least and is how I
                    would expect it to work. If I have a valid cookie, I
                    should not have to log in again.
                    <div>
                      <br>
                      <div>
                        <div>
                          <div class="h5">
                            <div>On Jun 20, 2013, at 6:59 AM, Matthias
                              Wessendorf &lt;<a moz-do-not-send="true"
                                href="mailto:matzew@apache.org"
                                target="_blank">matzew@apache.org</a>&gt;
                              wrote:</div>
                            <br>
                          </div>
                        </div>
                        <blockquote type="cite">
                          <div>
                            <div class="h5">
                              <div dir="ltr">
                                <p
style="margin-right:0px;margin-bottom:15px;margin-left:0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px;margin-top:0px!important">Hi,</p>
                                <p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">when
                                  looking into HTTP Basic/Digest for
                                  iOS, Christos noticed a problem with
                                  that, on the Controller demo (using
                                  AG-Security).</p>
                                <p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">I
                                  have checked his issues and they are
                                  "visible" in cURL "environment" as
                                  well.</p>
                                <p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Steps
                                  to reproduce</p>
                                <ul style="margin:15px 0px;padding:0px
                                  0px 0px
30px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">
                                  <li>Clone the&nbsp;<a
                                      moz-do-not-send="true"
                                      href="https://github.com/aerogear/aerogear-controller-demo"
style="color:rgb(65,131,196);text-decoration:none" target="_blank">AG-Controller
                                      demo</a></li>
                                  <li>Update the&nbsp;<code
                                      style="font-family:Consolas,'Liberation
                                      Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px
                                      2px;padding:0px 5px;border:1px
                                      solid
rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">web.xml</code>&nbsp;to
                                    use the BASIC Filter (<a
                                      moz-do-not-send="true"
href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L34-L41"
style="color:rgb(65,131,196);text-decoration:none" target="_blank">here</a>&nbsp;and&nbsp;<a
                                      moz-do-not-send="true"
href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L78-L82"
style="color:rgb(65,131,196);text-decoration:none" target="_blank">here</a>).</li>
                                  <li>Make&nbsp;<em><strong>SURE</strong></em>&nbsp;that
                                    the Digest section is commented out
                                    :-)</li>
                                  <li>Deploy the&nbsp;<code
                                      style="font-family:Consolas,'Liberation
                                      Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px
                                      2px;padding:0px 5px;border:1px
                                      solid
rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">WAR</code>&nbsp;to
                                    your JBoss Application Server</li>
                                </ul>
                                <p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Now
                                  some tests with BASIC (and the default
                                  user&nbsp;<code
                                    style="font-family:Consolas,'Liberation
                                    Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px
                                    2px;padding:0px 5px;border:1px solid
rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">john:123</code>):</p>
                                <pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px"><code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl -u "john:123" "<a moz-do-not-send="true" href="http://localhost:8080/aerogear-controller-demo/autobots" target="_blank">http://localhost:8080/aerogear-controller-demo/autobots</a>" -v
</code></pre>
                                <p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">This
                                  works, as expected!</p>
                                <pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px"><code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl -u "john:007" "<a moz-do-not-send="true" href="http://localhost:8080/aerogear-controller-demo/autobots" target="_blank">http://localhost:8080/aerogear-controller-demo/autobots</a>" -v
</code></pre>
                                <p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">This
                                  does&nbsp;<em><strong>NOT</strong></em>&nbsp;work,
                                  as expected!</p>
                                <h3 style="margin:1em 0px
15px;padding:0px;font-size:1.5em;font-family:Helvetica,arial,freesans,clean,sans-serif"><a
                                    moz-do-not-send="true"
                                    name="13f61795dc452443_cookies-"
                                    href="https://gist.github.com/matzew/6111c42ff5d73f18097e#cookies-"
style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"
                                    target="_blank"><span></span></a>Cookies
                                  ?</h3>
                                <p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Christos
                                  and I noticed the server does return
                                  the&nbsp;<code
                                    style="font-family:Consolas,'Liberation
                                    Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px
                                    2px;padding:0px 5px;border:1px solid
rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Set-Cookie:</code>&nbsp;response
                                  header, so the cookie can/will be
                                  stored on the client.</p>
                                <p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Now
                                  let's do this:</p>
                                <pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px"><code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl --basic -b cookies.txt -c cookies.txt -u john:123 \
"<a moz-do-not-send="true" href="http://localhost:8080/aerogear-controller-demo/autobots" target="_blank">http://localhost:8080/aerogear-controller-demo/autobots</a>" -v
</code></pre>
                                <p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Perfect,
                                  works as well</p>
                                <p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">But
                                  now, let's do this:</p>
                                <pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px"><code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl --basic -b cookies.txt -c cookies.txt -u john:007 \
"<a moz-do-not-send="true" href="http://localhost:8080/aerogear-controller-demo/autobots" target="_blank">http://localhost:8080/aerogear-controller-demo/autobots</a>" -v
</code></pre>
                                <p style="margin:15px
0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Unfortunately,
                                  this works as well, since the session
                                  is reused, due to the cookies... So,
                                  when the session is stored on the
                                  client, it is possible to switch the
                                  credentials "on the fly".</p>
                                <h2 style="margin:1em 0px
15px;padding:0px;font-size:2em;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(238,238,238);font-family:Helvetica,arial,freesans,clean,sans-serif"><a
                                    moz-do-not-send="true"
                                    name="13f61795dc452443_question--comments"
href="https://gist.github.com/matzew/6111c42ff5d73f18097e#question--comments"
style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"
                                    target="_blank"><span></span></a>Question
                                  / Comments</h2>
                                <ul
                                  style="margin-top:15px;margin-right:0px;margin-left:0px;padding:0px
                                  0px 0px
30px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px;margin-bottom:0px!important">
                                  <li>
                                    <p style="margin:15px 0px">Not
                                      really sure, but for Basic/Digest
                                      should the server really send&nbsp;<code
                                        style="font-family:Consolas,'Liberation
                                        Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px
                                        2px;padding:0px 5px;border:1px
                                        solid
rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Set-Cookie:</code>&nbsp;response
                                      header back to the client ?</p>
                                  </li>
                                  <li>
                                    <p style="margin:15px 0px">Not sure
                                      this is something on the
                                      controller, AG-Security or even
                                      PicketLink, but perhaps the<code
                                        style="font-family:Consolas,'Liberation
                                        Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px
                                        2px;padding:0px 5px;border:1px
                                        solid
rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Set-Cookie:</code>&nbsp;could
                                      be removed, when sending the
                                      response for Basic/Digest</p>
                                  </li>
                                </ul>
                                <div><span
style="font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15px;line-height:22.71875px">Any
                                    thoughts on this?</span><br>
                                </div>
                                <div><br>
                                </div>
                                -- <br>
                                Matthias Wessendorf <br>
                                <br>
                                blog: <a moz-do-not-send="true"
                                  href="http://matthiaswessendorf.wordpress.com/"
                                  target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
                                sessions: <a moz-do-not-send="true"
                                  href="http://www.slideshare.net/mwessendorf"
                                  target="_blank">http://www.slideshare.net/mwessendorf</a><br>
                                twitter: <a moz-do-not-send="true"
                                  href="http://twitter.com/mwessendorf"
                                  target="_blank">http://twitter.com/mwessendorf</a>
                              </div>
                            </div>
                          </div>
_______________________________________________<br>
                          aerogear-dev mailing list<br>
                          <a moz-do-not-send="true"
                            href="mailto:aerogear-dev@lists.jboss.org"
                            target="_blank">aerogear-dev@lists.jboss.org</a><br>
                          <a moz-do-not-send="true"
                            href="https://lists.jboss.org/mailman/listinfo/aerogear-dev"
                            target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></blockquote>
                      </div>
                      <br>
                    </div>
                  </div>
                  <br>
                </blockquote>
              </div>
              <br>
              <br clear="all">
              <div><br>
              </div>
              -- <br>
              Matthias Wessendorf <br>
              <br>
              blog: <a moz-do-not-send="true"
                href="http://matthiaswessendorf.wordpress.com/"
                target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
              sessions: <a moz-do-not-send="true"
                href="http://www.slideshare.net/mwessendorf"
                target="_blank">http://www.slideshare.net/mwessendorf</a><br>
              twitter: <a moz-do-not-send="true"
                href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
            </div>
            </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
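    <p>Added example, not code from the AeroGear controller, AG-Security or
      PicketLink: a Python model of the curl runs quoted above against a
      Basic-auth filter that also hands out a session cookie. The
      <code>revalidate=False</code> variant reproduces what Matthias saw (a
      valid cookie short-circuits authentication, so <code>john:007</code>
      sent alongside it is never checked); <code>revalidate=True</code>
      implements the behaviour Kris leans toward (credentials that are sent
      are always verified, and wrong ones invalidate the session, so the next
      cookie-only request has to start the handshake over). The cookie name
      <code>JSESSIONID</code>, the user store and the <code>CurlJar</code>
      client are assumptions made for this example.</p>

```python
"""Two variants of a Basic-auth filter that also issues a session cookie:
the behaviour the thread observed (a valid cookie short-circuits auth, so
wrong credentials sent with it go unchecked) and the proposed fix."""
import base64
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

USERS = {"john": "123"}        # constructed store with the demo's default user
COOKIE = "JSESSIONID"          # assumed cookie name; the thread does not name it
CHALLENGE = (401, {"WWW-Authenticate": 'Basic realm="aerogear-controller-demo"'})


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:password)'; None for anything malformed."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def password_ok(user: str, password: str) -> bool:
    expected = USERS.get(user)
    # constant-time compare; unknown users still pay for the comparison
    match = hmac.compare_digest((expected or "").encode(), password.encode())
    return match and expected is not None


class BasicAuthFilter:
    """revalidate=False reproduces the bug; revalidate=True applies the fix."""
    def __init__(self, revalidate: bool):
        self.revalidate = revalidate
        self.sessions: Dict[str, str] = {}   # session id -> authenticated user

    @staticmethod
    def session_id(headers: Dict[str, str]) -> Optional[str]:
        for part in headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == COOKIE and value:
                return value
        return None

    def handle(self, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        sid = self.session_id(headers)
        session_user = self.sessions.get(sid) if sid else None
        creds = parse_basic(headers.get("Authorization"))
        if session_user and (creds is None or not self.revalidate):
            # cookie-only request, or the buggy path: the session wins and the
            # Authorization header that came with it is never looked at
            return 200, {"X-Authenticated-As": session_user}
        if creds is None:
            return CHALLENGE
        user, password = creds
        if not password_ok(user, password):
            # fix: wrong credentials on a live session invalidate that session,
            # so a retry with the cookie alone has to start the handshake over
            self.sessions.pop(sid, None)
            return CHALLENGE
        if session_user == user:
            return 200, {"X-Authenticated-As": user}
        # fresh login (or a user switch): never keep the old session id
        self.sessions.pop(sid, None)
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return 200, {"X-Authenticated-As": user,
                     "Set-Cookie": f"{COOKIE}={sid}; Path=/; HttpOnly"}


class CurlJar:
    """Stands in for `curl -b cookies.txt -c cookies.txt [-u user:pass]`."""
    def __init__(self, server: BasicAuthFilter):
        self.server, self.jar = server, {}

    def get(self, userpass: Optional[str] = None) -> int:
        headers = {}
        if userpass is not None:
            headers["Authorization"] = "Basic " + base64.b64encode(userpass.encode()).decode()
        if self.jar:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.jar.items())
        status, resp = self.server.handle(headers)
        if "Set-Cookie" in resp:
            name, _, value = resp["Set-Cookie"].split(";")[0].partition("=")
            self.jar[name] = value
        return status


def replay_thread(revalidate: bool) -> List[int]:
    """The thread's requests in order, plus a cookie-only retry at the end."""
    server = BasicAuthFilter(revalidate)
    statuses = [CurlJar(server).get("john:123"),   # no jar: good credentials
                CurlJar(server).get("john:007")]   # no jar: bad credentials
    client = CurlJar(server)                        # now with -b/-c cookies.txt
    statuses.append(client.get("john:123"))         # logs in, jar stores the cookie
    statuses.append(client.get("john:007"))         # cookie plus wrong password
    statuses.append(client.get())                   # cookie alone, no -u
    return statuses
```

    <p><code>replay_thread(False)</code> gives <code>[200, 401, 200, 200, 200]</code>:
      the fourth request is the "switch credentials on the fly" case from the
      gist, and the fifth shows the cookie alone still works afterwards.
      <code>replay_thread(True)</code> gives <code>[200, 401, 200, 401, 401]</code>:
      the wrong password is rejected and the session it rode in on is gone.
      If the filter simply stopped sending <code>Set-Cookie:</code> for
      Basic/Digest, as the second bullet in the gist suggests, there would be no
      session to short-circuit and every request would be verified anyway.</p>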
  </body>
</html>