<div dir="ltr"><p style="margin-right:0px;margin-bottom:15px;margin-left:0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px;margin-top:0px!important">
Hi,</p><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">when looking into HTTP Basic/Digest for iOS, Christos noticed a problem with that, on the Controller demo (using AG-Security).</p>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">I have checked his issues and they are &quot;visible&quot; in cURL &quot;environment&quot; as well.</p>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Steps to reproduce</p><ul style="margin:15px 0px;padding:0px 0px 0px 30px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">
<li>Clone the <a href="https://github.com/aerogear/aerogear-controller-demo" style="color:rgb(65,131,196);text-decoration:none">AG-Controller demo</a></li><li>Update the <code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">web.xml</code> to use the BASIC Filter (<a href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L34-L41" style="color:rgb(65,131,196);text-decoration:none">here</a> and <a href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L78-L82" style="color:rgb(65,131,196);text-decoration:none">here</a>).</li>
<li>Make <em><strong>SURE</strong></em> that the Digiest section is commented out :-)</li><li>Deploy the <code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">WAR</code> to your JBoss Application Server</li>
</ul><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Now some tests with BASIC (and the default user <code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">john:123</code>):</p>
<pre style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;color:rgb(0,0,0)">
<code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl -u &quot;john:123&quot; &quot;<a href="http://localhost:8080/aerogear-controller-demo/autobots">http://localhost:8080/aerogear-controller-demo/autobots</a>&quot; -v
</code></pre><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">This works, as expected!</p><pre style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;color:rgb(0,0,0)">
<code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl -u &quot;john:007&quot; &quot;<a href="http://localhost:8080/aerogear-controller-demo/autobots">http://localhost:8080/aerogear-controller-demo/autobots</a>&quot; -v
</code></pre><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">This does <em><strong>NOT</strong></em> work, as expected!</p>
<h3 style="margin:1em 0px 15px;padding:0px;font-size:1.5em;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif"><a name="cookies-" class="" href="https://gist.github.com/matzew/6111c42ff5d73f18097e#cookies-" style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"><span class=""></span></a>Cookies ?</h3>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Christos and I noticed the server does return the <code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Set-Cookie:</code> response header, so the cookie can/will be stored on the client.</p>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Now let&#39;s do this:</p><pre style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;color:rgb(0,0,0)">
<code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl --basic -b cookies.txt -c cookies.txt -u john:123 \
&quot;<a href="http://localhost:8080/aerogear-controller-demo/autobots">http://localhost:8080/aerogear-controller-demo/autobots</a>&quot; -v
</code></pre><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Perfect, works as well</p><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">
But now, let&#39;s do this:</p><pre style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;color:rgb(0,0,0)">
<code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl --basic -b cookies.txt -c cookies.txt -u john:007 \
&quot;<a href="http://localhost:8080/aerogear-controller-demo/autobots">http://localhost:8080/aerogear-controller-demo/autobots</a>&quot; -v
</code></pre><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Unfortunatley, this works as well, since the session is reused, due to the cookies... So, when the session is stored on the client, it is possible to switch the credentials &quot;on the fly&quot;.</p>
<h2 style="margin:1em 0px 15px;padding:0px;font-size:2em;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(238,238,238);color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif"><a name="question--comments" class="" href="https://gist.github.com/matzew/6111c42ff5d73f18097e#question--comments" style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"><span class=""></span></a>Question / Comments</h2>
<ul style="margin-top:15px;margin-right:0px;margin-left:0px;padding:0px 0px 0px 30px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px;margin-bottom:0px!important">
<li><p style="margin:15px 0px">Not really sure, but for Basic/Digest should the server really send <code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Set-Cookie:</code> response header back to the client ?</p>
</li><li><p style="margin:15px 0px">Not sure this is something on the controller, AG-Security or even PicketLink, but perhaps the<code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Set-Cookie:</code> could be removed, when sending the response for Basic/Digest</p>
</li></ul><div><span style="color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15px;line-height:22.71875px">Ant thoughts on this ?</span><br></div><div><br></div>-- <br>Matthias Wessendorf <br>
<br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div>