<div dir="ltr"><p style="margin-right:0px;margin-bottom:15px;margin-left:0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px;margin-top:0px!important">
Hi,</p><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">when looking into HTTP Basic/Digest for iOS, Christos noticed a problem with that, on the Controller demo (using AG-Security).</p>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">I have checked his issues and they are "visible" in cURL "environment" as well.</p>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Steps to reproduce</p><ul style="margin:15px 0px;padding:0px 0px 0px 30px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">
<li>Clone the <a href="https://github.com/aerogear/aerogear-controller-demo" style="color:rgb(65,131,196);text-decoration:none">AG-Controller demo</a></li><li>Update the <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">web.xml</code> to use the BASIC Filter (<a href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L34-L41" style="color:rgb(65,131,196);text-decoration:none">here</a> and <a href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L78-L82" style="color:rgb(65,131,196);text-decoration:none">here</a>).</li>
<li>Make <em><strong>SURE</strong></em> that the Digiest section is commented out :-)</li><li>Deploy the <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">WAR</code> to your JBoss Application Server</li>
</ul><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Now some tests with BASIC (and the default user <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">john:123</code>):</p>
<pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;color:rgb(0,0,0)">
<code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl -u "john:123" "<a href="http://localhost:8080/aerogear-controller-demo/autobots">http://localhost:8080/aerogear-controller-demo/autobots</a>" -v
</code></pre><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">This works, as expected!</p><pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;color:rgb(0,0,0)">
<code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl -u "john:007" "<a href="http://localhost:8080/aerogear-controller-demo/autobots">http://localhost:8080/aerogear-controller-demo/autobots</a>" -v
</code></pre><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">This does <em><strong>NOT</strong></em> work, as expected!</p>
<h3 style="margin:1em 0px 15px;padding:0px;font-size:1.5em;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif"><a name="cookies-" class="" href="https://gist.github.com/matzew/6111c42ff5d73f18097e#cookies-" style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"><span class=""></span></a>Cookies ?</h3>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Christos and I noticed the server does return the <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Set-Cookie:</code> response header, so the cookie can/will be stored on the client.</p>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Now let's do this:</p><pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;color:rgb(0,0,0)">
<code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl --basic -b cookies.txt -c cookies.txt -u john:123 \
"<a href="http://localhost:8080/aerogear-controller-demo/autobots">http://localhost:8080/aerogear-controller-demo/autobots</a>" -v
</code></pre><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Perfect, works as well</p><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">
But now, let's do this:</p><pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;color:rgb(0,0,0)">
<code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">curl --basic -b cookies.txt -c cookies.txt -u john:007 \
"<a href="http://localhost:8080/aerogear-controller-demo/autobots">http://localhost:8080/aerogear-controller-demo/autobots</a>" -v
</code></pre><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Unfortunatley, this works as well, since the session is reused, due to the cookies... So, when the session is stored on the client, it is possible to switch the credentials "on the fly".</p>
<h2 style="margin:1em 0px 15px;padding:0px;font-size:2em;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(238,238,238);color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif"><a name="question--comments" class="" href="https://gist.github.com/matzew/6111c42ff5d73f18097e#question--comments" style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"><span class=""></span></a>Question / Comments</h2>
<ul style="margin-top:15px;margin-right:0px;margin-left:0px;padding:0px 0px 0px 30px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px;margin-bottom:0px!important">
<li><p style="margin:15px 0px">Not really sure, but for Basic/Digest should the server really send <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Set-Cookie:</code> response header back to the client ?</p>
</li><li><p style="margin:15px 0px">Not sure this is something on the controller, AG-Security or even PicketLink, but perhaps the<code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Set-Cookie:</code> could be removed, when sending the response for Basic/Digest</p>
</li></ul><div><span style="color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15px;line-height:22.71875px">Ant thoughts on this ?</span><br></div><div><br></div>-- <br>Matthias Wessendorf <br>
<br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div>