_______________________________________________Hi,
when looking into HTTP Basic/Digest for iOS, Christos noticed a problem with that, on the Controller demo (using AG-Security).
I have checked his issues and they are "visible" in cURL "environment" as well.
Steps to reproduce
- Clone the AG-Controller demo
- Update the
web.xmlto use the BASIC Filter (here and here).- Make SURE that the Digiest section is commented out :-)
- Deploy the
WARto your JBoss Application ServerNow some tests with BASIC (and the default user
john:123):curl -u "john:123" "http://localhost:8080/aerogear-controller-demo/autobots" -vThis works, as expected!
curl -u "john:007" "http://localhost:8080/aerogear-controller-demo/autobots" -vThis does NOT work, as expected!
Cookies ?
Christos and I noticed the server does return the
Set-Cookie:response header, so the cookie can/will be stored on the client.Now let's do this:
curl --basic -b cookies.txt -c cookies.txt -u john:123 \ "http://localhost:8080/aerogear-controller-demo/autobots" -vPerfect, works as well
But now, let's do this:
curl --basic -b cookies.txt -c cookies.txt -u john:007 \ "http://localhost:8080/aerogear-controller-demo/autobots" -vUnfortunatley, this works as well, since the session is reused, due to the cookies... So, when the session is stored on the client, it is possible to switch the credentials "on the fly".
Question / Comments
Not really sure, but for Basic/Digest should the server really send
Set-Cookie:response header back to the client ?Not sure this is something on the controller, AG-Security or even PicketLink, but perhaps the
Set-Cookie:could be removed, when sending the response for Basic/DigestAnt thoughts on this ?--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev