9:44 a.m.
Hi,
I am wondering if a flag can be set in ChallengeResult such that
undertow does not try to set the response code on the httpserverexchange
before sending the challenge?
The reason is that an authentication mechanism may have already utilized
the httpservletresponse object to set a response code such as:
===========
response.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
response.sendRedirect(destination);
==============
Now since undertow tries to set a response code on the
httpServerExchange, there is an error.
Regards,
Anil
10:01 a.m.
This may come under the same area as the single challenge I just replied
to Bill about.
For mechanisms that may behave in this way can we detect that they would
want exclusivity from within the authenticate method?
On 16/12/13 15:44, Anil Saldhana wrote:
Hi,
I am wondering if a flag can be set in ChallengeResult such that
undertow does not try to set the response code on the httpserverexchange
before sending the challenge?
The reason is that an authentication mechanism may have already utilized
the httpservletresponse object to set a response code such as:
===========
response.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
response.sendRedirect(destination);
==============
Now since undertow tries to set a response code on the
httpServerExchange, there is an error.
Regards,
Anil
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
10:24 a.m.
FYI: For my case at least, I can co-exist with other Auth mechanisms, I
just need to be able to abort the sendChallenge loop and make sure I can
have my auth mechanism first in the sendChallenge loop (pretty sure that
one is already there).
On 12/16/2013 11:01 AM, Darran Lofthouse wrote:
This may come under the same area as the single challenge I just
replied
to Bill about.
For mechanisms that may behave in this way can we detect that they would
want exclusivity from within the authenticate method?
On 16/12/13 15:44, Anil Saldhana wrote:
> Hi,
> I am wondering if a flag can be set in ChallengeResult such that
> undertow does not try to set the response code on the httpserverexchange
> before sending the challenge?
>
> The reason is that an authentication mechanism may have already utilized
> the httpservletresponse object to set a response code such as:
>
> ===========
> response.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
> response.sendRedirect(destination);
> ==============
>
> Now since undertow tries to set a response code on the
> httpServerExchange, there is an error.
>
> Regards,
> Anil
> _______________________________________________
> undertow-dev mailing list
> undertow-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11:13 a.m.
Coming back to this topic ;-)
The reasons I believe it is the authenticate method that should signal a
mechanism wants exclusivity in sending a challenge are: -
1 - This method already returns one of three values to indicate it's
authentication state, adding one more value to indicate that a mechanism
has started authentication but wants exclusivity would fit with this.
2 - The mechanism doesn't need to be first just to be able to request
exclusivity - also not going to cause a complication if another
mechanism had added it's challenge as that would not be able to happen.
3 - In general we should try and avoid writing mechanism that only work
alone (depending on various constraints), having a sendChallenge that
always requested exclusivity would go against this - whereas a mechanism
detecting it wants exclusivity in the authenticate stage would be valid
as remaining mechanisms would still be usable for the times it does not
request exclusivity.
Regards,
Darran Lofthouse.
On 16/12/13 16:24, Bill Burke wrote:
FYI: For my case at least, I can co-exist with other Auth mechanisms,
I
just need to be able to abort the sendChallenge loop and make sure I can
have my auth mechanism first in the sendChallenge loop (pretty sure that
one is already there).
On 12/16/2013 11:01 AM, Darran Lofthouse wrote:
> This may come under the same area as the single challenge I just replied
> to Bill about.
>
> For mechanisms that may behave in this way can we detect that they would
> want exclusivity from within the authenticate method?
>
> On 16/12/13 15:44, Anil Saldhana wrote:
>> Hi,
>> I am wondering if a flag can be set in ChallengeResult such that
>> undertow does not try to set the response code on the httpserverexchange
>> before sending the challenge?
>>
>> The reason is that an authentication mechanism may have already utilized
>> the httpservletresponse object to set a response code such as:
>>
>> ===========
>> response.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
>> response.sendRedirect(destination);
>> ==============
>>
>> Now since undertow tries to set a response code on the
>> httpServerExchange, there is an error.
>>
>> Regards,
>> Anil
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
6:12 p.m.
On 12/19/2013 12:13 PM, Darran Lofthouse wrote:
Coming back to this topic ;-)
The reasons I believe it is the authenticate method that should signal a
mechanism wants exclusivity in sending a challenge are: -
1 - This method already returns one of three values to indicate it's
authentication state, adding one more value to indicate that a mechanism
has started authentication but wants exclusivity would fit with this.
2 - The mechanism doesn't need to be first just to be able to request
exclusivity - also not going to cause a complication if another
mechanism had added it's challenge as that would not be able to happen.
3 - In general we should try and avoid writing mechanism that only work
alone (depending on various constraints), having a sendChallenge that
always requested exclusivity would go against this - whereas a mechanism
detecting it wants exclusivity in the authenticate stage would be valid
as remaining mechanisms would still be usable for the times it does not
request exclusivity.
#3 just doesn't work for me.
I have two mechanisms for keycloak:
A) Bearer token mechanism that uses the Authorization header and
challenges with a 401 and WWW-Authenticate
B) OAuth browser redirection mechanism, that challenges with a 302 and a
Location header. This is a redirect to the authentication server where
it will display a login form.
Mechanism (B) will not ever request exclusivity during the authenticate
phase because keycloak also allows for (A) in the same deployment.
Mechanism (B) will not ever be able to challenge if it can't set a 302
response code. I worry that if other mechanisms add WWW-Authenticate
headers to a 302 response, it may confuse the user-agent, but this worry
might be bogus.
So, I don't agree with #3's statement that "having sendChallenge that
always requested exclusivity would go against this". Mechanism (B)
works with a other mechanisms as long as the user-agent is doing
preemptive authentication.
Whether Keycloak is successful or not is besides the point. The use
case where an auth mechanism needs to redirect to another machine to
display a login form is a valid one.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
4:44 a.m.
Thanks for the clarification Bill.
So in your case we know in advance that there is a single mechanism
which should be the only mechanism sending challenges and at least one
more mechanism that can perform the authentication without the need to
send challenges.
I am just wondering for this scenario if we can handle this better
during registration of the mechanisms rather than at runtime processing
a request.
Regards,
Darran Lofthouse.
On 20/12/13 00:12, Bill Burke wrote:
On 12/19/2013 12:13 PM, Darran Lofthouse wrote:
> Coming back to this topic ;-)
>
> The reasons I believe it is the authenticate method that should signal a
> mechanism wants exclusivity in sending a challenge are: -
>
> 1 - This method already returns one of three values to indicate it's
> authentication state, adding one more value to indicate that a mechanism
> has started authentication but wants exclusivity would fit with this.
>
> 2 - The mechanism doesn't need to be first just to be able to request
> exclusivity - also not going to cause a complication if another
> mechanism had added it's challenge as that would not be able to happen.
>
> 3 - In general we should try and avoid writing mechanism that only work
> alone (depending on various constraints), having a sendChallenge that
> always requested exclusivity would go against this - whereas a mechanism
> detecting it wants exclusivity in the authenticate stage would be valid
> as remaining mechanisms would still be usable for the times it does not
> request exclusivity.
>
#3 just doesn't work for me.
I have two mechanisms for keycloak:
A) Bearer token mechanism that uses the Authorization header and
challenges with a 401 and WWW-Authenticate
B) OAuth browser redirection mechanism, that challenges with a 302 and a
Location header. This is a redirect to the authentication server where
it will display a login form.
Mechanism (B) will not ever request exclusivity during the authenticate
phase because keycloak also allows for (A) in the same deployment.
Mechanism (B) will not ever be able to challenge if it can't set a 302
response code. I worry that if other mechanisms add WWW-Authenticate
headers to a 302 response, it may confuse the user-agent, but this worry
might be bogus.
So, I don't agree with #3's statement that "having sendChallenge that
always requested exclusivity would go against this". Mechanism (B)
works with a other mechanisms as long as the user-agent is doing
preemptive authentication.
Whether Keycloak is successful or not is besides the point. The use
case where an auth mechanism needs to redirect to another machine to
display a login form is a valid one.
Bill
8:34 a.m.
On 12/20/2013 5:44 AM, Darran Lofthouse wrote:
Thanks for the clarification Bill.
So in your case we know in advance that there is a single mechanism
which should be the only mechanism sending challenges and at least one
more mechanism that can perform the authentication without the need to
send challenges.
I am just wondering for this scenario if we can handle this better
during registration of the mechanisms rather than at runtime processing
a request.
If an OAUTH or OpenID mechanism could be guarenteed to be last to
authenticate(), then these mechanisms could pass back a
NOT_AUTHENTICATED instead of a NOT_ATTEMPTED and perform the redirect
within authenticate()...
OR
If OATH/OpenID could be guaranteed to be first to sendChallenge, then it
could end the exchange as Stuart suggested.
Another thing that might work is if the exchange could be "rolled back".
Then the OAUTH/OpenID could rollback any changes made in other
sendChallenge() requests and end() the exchange. Order wouldn't matter
then.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
7:34 a.m.
>
> 3 - In general we should try and avoid writing mechanism that only work
> alone (depending on various constraints), having a sendChallenge that
> always requested exclusivity would go against this - whereas a mechanism
> detecting it wants exclusivity in the authenticate stage would be valid
> as remaining mechanisms would still be usable for the times it does not
> request exclusivity.
>
#3 just doesn't work for me.
I have two mechanisms for keycloak:
A) Bearer token mechanism that uses the Authorization header and
challenges with a 401 and WWW-Authenticate
B) OAuth browser redirection mechanism, that challenges with a 302 and a
Location header. This is a redirect to the authentication server where
it will display a login form.
Mechanism (B) will not ever request exclusivity during the authenticate
phase because keycloak also allows for (A) in the same deployment.
Mechanism (B) will not ever be able to challenge if it can't set a 302
response code. I worry that if other mechanisms add WWW-Authenticate
headers to a 302 response, it may confuse the user-agent, but this worry
might be bogus.
So, I don't agree with #3's statement that "having sendChallenge that
always requested exclusivity would go against this". Mechanism (B)
works with a other mechanisms as long as the user-agent is doing
preemptive authentication.
Whether Keycloak is successful or not is besides the point. The use
case where an auth mechanism needs to redirect to another machine to
display a login form is a valid one.
So basically you want a way to end the process from the sendChallenge() method?
If so you can basically already doing this by just invoking the
HttpServerExchange.endEchange() method
This is not handled super well at the moment though, as the other mechanisms will still be
tried, they just cant do anything as the response has been committed. We should do
something about this.
Stuart
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
3991
days inactive
3995
days old
7 comments
4 participants
participants (4)
-
Anil Saldhana -
Bill Burke -
Darran Lofthouse -
Stuart Douglas