<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I can agree that sending incorrect credentials should not work. You shouldn't be sending credentials again if you have a valid cookie but if you do and they are wrong, I agree that you should not be authenticated. The question then is, should the cookie be invalidated or if I try again with the cookie but without credentials, should it work. I would probably lean toward invalidating the cookie and forcing the auth process to start over, I think.<div><br><div><div>On Jun 20, 2013, at 7:15 AM, Matthias Wessendorf <<a href="mailto:matzew@apache.org">matzew@apache.org</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr">I have tried an internal service, tried the similar like about (with basic/curl)<div> </div><div><br></div><div><div>curl -k --basic -b cookies.txt -c cookies.txt -u goodUser:goodPasswd "<a href="https://something.redhat.com/">https://something.redhat.com</a>" -v</div>
<div><br></div><div>==> I get the protected page</div><div><br></div><div><br></div><div>curl -k --basic -b cookies.txt -c cookies.txt -u badUser:badPasswd "<a href="https://something.redhat.com/">https://something.redhat.com</a>" -v</div>
<div><br></div><div>==> I am NOT getting the protected page :)</div></div><div><br></div><div><br></div><div style="">Not sure, but I do like the fact that the second curl is not successful :-)</div><div><br></div><div><br>
</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jun 20, 2013 at 2:04 PM, Kris Borchers <span dir="ltr"><<a href="mailto:kris@redhat.com" target="_blank">kris@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Isn't this how Basic auth works? Once you log in you get a cookie and you don't have to authenticate anymore until that cooke expires (usually at the end of a session). This is my experience in browsers at least and is how I would expect it to work. If I have a valid cookie, I should not have to log in again.<div>
<br><div><div><div class="h5"><div>On Jun 20, 2013, at 6:59 AM, Matthias Wessendorf <<a href="mailto:matzew@apache.org" target="_blank">matzew@apache.org</a>> wrote:</div><br></div></div><blockquote type="cite"><div>
<div class="h5"><div dir="ltr"><p style="margin-right:0px;margin-bottom:15px;margin-left:0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px;margin-top:0px!important">
Hi,</p><p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">when looking into HTTP Basic/Digest for iOS, Christos noticed a problem with that, on the Controller demo (using AG-Security).</p><p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">I have checked his issues and they are "visible" in cURL "environment" as well.</p><p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Steps to reproduce</p><ul style="margin:15px 0px;padding:0px 0px 0px 30px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">
<li>Clone the <a href="https://github.com/aerogear/aerogear-controller-demo" style="color:rgb(65,131,196);text-decoration:none" target="_blank">AG-Controller demo</a></li><li>Update the <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">web.xml</code> to use the BASIC Filter (<a href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L34-L41" style="color:rgb(65,131,196);text-decoration:none" target="_blank">here</a> and <a href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L78-L82" style="color:rgb(65,131,196);text-decoration:none" target="_blank">here</a>).</li>
<li>Make <em><strong>SURE</strong></em> that the Digiest section is commented out :-)</li><li>Deploy the <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">WAR</code> to your JBoss Application Server</li>
</ul><p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Now some tests with BASIC (and the default user <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">john:123</code>):</p>
<pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px"><code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl -u "john:123" "<a href="http://localhost:8080/aerogear-controller-demo/autobots" target="_blank">http://localhost:8080/aerogear-controller-demo/autobots</a>" -v
</code></pre><p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">This works, as expected!</p><pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px"><code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl -u "john:007" "<a href="http://localhost:8080/aerogear-controller-demo/autobots" target="_blank">http://localhost:8080/aerogear-controller-demo/autobots</a>" -v
</code></pre><p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">This does <em><strong>NOT</strong></em> work, as expected!</p>
<h3 style="margin:1em 0px 15px;padding:0px;font-size:1.5em;font-family:Helvetica,arial,freesans,clean,sans-serif"><a name="13f61795dc452443_cookies-" href="https://gist.github.com/matzew/6111c42ff5d73f18097e#cookies-" style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px" target="_blank"><span></span></a>Cookies ?</h3><p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Christos and I noticed the server does return the <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Set-Cookie:</code> response header, so the cookie can/will be stored on the client.</p><p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Now let's do this:</p><pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px"><code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl --basic -b cookies.txt -c cookies.txt -u john:123 \
"<a href="http://localhost:8080/aerogear-controller-demo/autobots" target="_blank">http://localhost:8080/aerogear-controller-demo/autobots</a>" -v
</code></pre><p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Perfect, works as well</p><p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">
But now, let's do this:</p><pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px"><code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl --basic -b cookies.txt -c cookies.txt -u john:007 \
"<a href="http://localhost:8080/aerogear-controller-demo/autobots" target="_blank">http://localhost:8080/aerogear-controller-demo/autobots</a>" -v
</code></pre><p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Unfortunatley, this works as well, since the session is reused, due to the cookies... So, when the session is stored on the client, it is possible to switch the credentials "on the fly".</p>
<h2 style="margin:1em 0px 15px;padding:0px;font-size:2em;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(238,238,238);font-family:Helvetica,arial,freesans,clean,sans-serif"><a name="13f61795dc452443_question--comments" href="https://gist.github.com/matzew/6111c42ff5d73f18097e#question--comments" style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px" target="_blank"><span></span></a>Question / Comments</h2>
<ul style="margin-top:15px;margin-right:0px;margin-left:0px;padding:0px 0px 0px 30px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px;margin-bottom:0px!important">
<li><p style="margin:15px 0px">Not really sure, but for Basic/Digest should the server really send <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Set-Cookie:</code> response header back to the client ?</p>
</li><li><p style="margin:15px 0px">Not sure this is something on the controller, AG-Security or even PicketLink, but perhaps the<code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Set-Cookie:</code> could be removed, when sending the response for Basic/Digest</p>
</li></ul><div><span style="font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15px;line-height:22.71875px">Ant thoughts on this ?</span><br></div><div><br></div>-- <br>Matthias Wessendorf <br>
<br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div></div>
_______________________________________________<br>aerogear-dev mailing list<br><a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></blockquote>
</div><br></div></div><br>_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br>
<br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div>
_______________________________________________<br>aerogear-dev mailing list<br><a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>https://lists.jboss.org/mailman/listinfo/aerogear-dev</blockquote></div><br></div></body></html>