<style>
/* Changing the layout to use less space for mobiles */
@media screen and (max-device-width: 480px), screen and (-webkit-min-device-pixel-ratio: 2) {
#email-body { min-width: 30em !important; }
#email-page { padding: 8px !important; }
#email-banner { padding: 8px 8px 0 8px !important; }
#email-avatar { margin: 1px 8px 8px 0 !important; padding: 0 !important; }
#email-fields { padding: 0 8px 8px 8px !important; }
#email-gutter { width: 0 !important; }
}
</style>
<div id="email-body">
<table id="email-wrap" align="center" border="0" cellpadding="0" cellspacing="0" style="background-color:#f0f0f0;color:#000000;width:100%;">
<tr valign="top">
<td id="email-page" style="padding:16px !important;">
<table align="center" border="0" cellpadding="0" cellspacing="0" style="background-color:#ffffff;border:1px solid #bbbbbb;color:#000000;width:100%;">
<tr valign="top">
<td bgcolor="#3b4d64" style="background-color:#3b4d64;color:#ffffff;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;line-height:1;"><img src="https://issues.jboss.org/s/en_USdrryc7-418945332/852/58/_/jira-logo-scaled.png" alt="" style="vertical-align:top;" /></td>
</tr><tr valign="top">
<td id="email-banner" style="padding:32px 32px 0 32px;">
<table align="left" border="0" cellpadding="0" cellspacing="0" width="100%" style="width:100%;">
<tr valign="top">
<td style="color:#505050;font-family:Arial,FreeSans,Helvetica,sans-serif;padding:0;">
<img id="email-avatar" src="https://community.jboss.org/people/mwessendorf/avatar/16.png" alt="" height="48" width="48" border="0" align="left" style="padding:0;margin: 0 16px 16px 0;" />
<div id="email-action" style="padding: 0 0 8px 0;font-size:12px;line-height:18px;">
<a class="user-hover" rel="mwessendorf" id="email_mwessendorf" href="https://issues.jboss.org/secure/ViewProfile.jspa?name=mwessendorf" style="color:#326ca6;">Matthias Wessendorf</a>
created <img src="https://issues.jboss.org/images/icons/issuetypes/newfeature.png" height="16" width="16" border="0" align="absmiddle" alt="Feature Request"> <a style='color:#326ca6;text-decoration:none;' href='https://issues.jboss.org/browse/AEROGEAR-1109'>AEROGEAR-1109</a>
</div>
<div id="email-summary" style="font-size:16px;line-height:20px;padding:2px 0 16px 0;">
<a style='color:#326ca6;text-decoration:none;' href='https://issues.jboss.org/browse/AEROGEAR-1109'><strong>TODO: can use wrong Auth-Token</strong></a>
</div>
</td>
</tr>
</table>
</td>
</tr>
<tr valign="top">
<td id="email-fields" style="padding:0 32px 32px 32px;">
<table border="0" cellpadding="0" cellspacing="0" style="padding:0;text-align:left;width:100%;" width="100%">
<tr valign="top">
<td id="email-gutter" style="width:64px;white-space:nowrap;"></td>
<td>
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Issue Type:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
<img src="https://issues.jboss.org/images/icons/issuetypes/newfeature.png" height="16" width="16" border="0" align="absmiddle" alt="Feature Request"> Feature Request
</td>
</tr> <tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Affects Versions:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
1.0.0 </td>
</tr>
<tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Assignee:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
Unassigned </td>
</tr> <tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Components:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
examples </td>
</tr>
<tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Created:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
12/Apr/13 11:15 AM
</td>
</tr> <tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Description:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
<p style='margin-top:0;margin-bottom:10px;'>When using cURL, I am able to bypass the Auth-Token (with cookies):</p>
<p style='margin-top:0;margin-bottom:10px;'>Doing a login:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
curl -3 -v --cookie-jar newcookies.txt -H "Accept: application/json" -H "Content-type: application/json" -X POST https://todo-aerogear.rhcloud.com/todo-server/auth/login -d '{"username":"john","password":"123"}'
</pre>
</div></div>
<p style='margin-top:0;margin-bottom:10px;'>Getting a response, with the new Auth-Token:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
< HTTP/1.1 200 OK
< Date: Fri, 12 Apr 2013 15:09:53 GMT
< Server: Apache-Coyote/1.1
< Auth-Token: 6f5b8b84-f872-428d-8ee0-a516610d30e4
< Content-Type: application/json;charset=UTF-8
< Content-Length: 46
* Added cookie JSESSIONID="AWxvYeSr0nin0AE+XdotWsQd" for domain todo-aerogear.rhcloud.com, path /todo-server, expire 0
< Set-Cookie: JSESSIONID=AWxvYeSr0nin0AE+XdotWsQd; Path=/todo-server
< Vary: Accept-Encoding
<
* Connection #0 to host todo-aerogear.rhcloud.com left intact
{"username":"john","roles":["admin","simple"]}* Closing connection #0
</pre>
</div></div>
<p style='margin-top:0;margin-bottom:10px;'>Now, accessing a protected resource, using the cookies but an invalid Auth-Token:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
curl -3 -v --cookie newcookies.txt -H "Accept: application/json" -H "Content-type: application/json" --header "Auth-Token: I_AM_WRONG" -X GET https://todo-aerogear.rhcloud.com/todo-server/tags
</pre>
</div></div>
<p style='margin-top:0;margin-bottom:10px;'>I am getting a 200 response from the endpoint:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
> GET /todo-server/tags HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
> Host: todo-aerogear.rhcloud.com
> Cookie: JSESSIONID=AWxvYeSr0nin0AE+XdotWsQd
> Accept: application/json
> Content-type: application/json
> Auth-Token: I_AM_WRONG
>
< HTTP/1.1 200 OK
< Date: Fri, 12 Apr 2013 15:10:03 GMT
< Server: Apache-Coyote/1.1
< Content-Type: application/json;charset=UTF-8
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
<
* Connection #0 to host todo-aerogear.rhcloud.com left intact
[{"id":1,"title":"asdf","style":"tag-79-33-196","tasks":[1]},{"id":2,"title":"dadasdasdas","style":"tag-255-255-255","tasks":[]}]* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
</pre>
</div></div>
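The server-side check this report shows to be missing, as an added illustration that is not the AeroGear TODO server's own code: a session store that binds each issued Auth-Token to its JSESSIONID, with an authorizer that trusts the cookie alone (the reported behaviour) beside one that also requires the matching token. The in-memory store, the function names and the 200/401 return convention are assumptions.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Added illustration, not the AeroGear TODO server's real implementation:
# an in-memory store mapping JSESSIONID -> {user, token} is assumed.
class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, str]] = {}

    def login(self, username: str) -> Tuple[str, str]:
        """Issue a session id and an Auth-Token bound to that session."""
        session_id = secrets.token_urlsafe(18)
        token = secrets.token_hex(16)
        self.sessions[session_id] = {"user": username, "token": token}
        return session_id, token

def authorize_vulnerable(store: SessionStore, cookies: Dict[str, str],
                         headers: Dict[str, str]) -> int:
    """Models the reported behaviour: a valid JSESSIONID alone grants
    access, so the Auth-Token header is never compared to anything."""
    return 200 if cookies.get("JSESSIONID") in store.sessions else 401

def authorize_fixed(store: SessionStore, cookies: Dict[str, str],
                    headers: Dict[str, str]) -> int:
    """Require the presented Auth-Token to equal the token bound to the
    session; a valid cookie with a wrong or missing token is rejected."""
    session = store.sessions.get(cookies.get("JSESSIONID", ""))
    if session is None:
        return 401
    # Header names are case-insensitive; a missing header yields "".
    presented = {k.lower(): v for k, v in headers.items()}.get("auth-token", "")
    # Constant-time comparison so the check does not leak by timing.
    if not hmac.compare_digest(presented.encode(), session["token"].encode()):
        return 401
    return 200

def demo() -> Tuple[int, int, int]:
    """Replay the report: login, then GET /tags with a wrong token."""
    store = SessionStore()
    sid, token = store.login("john")
    cookies = {"JSESSIONID": sid}
    wrong, right = {"Auth-Token": "I_AM_WRONG"}, {"auth-token": token}
    return (authorize_vulnerable(store, cookies, wrong),   # 200: the bug
            authorize_fixed(store, cookies, wrong),        # 401
            authorize_fixed(store, cookies, right))        # 200
```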
</td>
</tr>
<tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Fix Versions:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
1.1.0 </td>
</tr>
<tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Project:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
<a style="color:#326ca6;" href="https://issues.jboss.org/browse/AEROGEAR">AeroGear</a>
</td>
</tr> <tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Priority:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
<img src="https://issues.jboss.org/images/icons/priorities/major.png" height="16" width="16" border="0" align="absmiddle" alt="Major"> Major
</td>
</tr>
<tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Reporter:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
<a class="user-hover" rel="mwessendorf" id="email_mwessendorf" href="https://issues.jboss.org/secure/ViewProfile.jspa?name=mwessendorf" style="color:#326ca6;">Matthias Wessendorf</a>
</td>
</tr> <tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Security Level:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
Public (Everyone can see) </td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td><!-- End #email-page -->
</tr>
<tr valign="top">
<td style="color:#505050;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:10px;line-height:14px;padding: 0 16px 16px 16px;text-align:center;">
This message is automatically generated by JIRA.<br />
If you think it was sent incorrectly, please contact your JIRA administrators<br />
For more information on JIRA, see: <a style='color:#326ca6;' href='http://www.atlassian.com/software/jira'>http://www.atlassian.com/software/jira</a>
</td>
</tr>
</table><!-- End #email-wrap -->
</div><!-- End #email-body -->