[aerogear-dev] Basic/Digest issue with the Controller or AG Security?

Matthias Wessendorf matzew at apache.org
Thu Jun 20 07:59:00 EDT 2013


Hi,

when looking into HTTP Basic/Digest for iOS, Christos noticed a problem
with that, on the Controller demo (using AG-Security).

I have checked his issues and they are "visible" in cURL "environment" as
well.

Steps to reproduce

   - Clone the AG-Controller demo <https://github.com/aerogear/aerogear-controller-demo>
   - Update the web.xml to use the BASIC Filter (here <https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L34-L41> and here <https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L78-L82>).
   - Make *SURE* that the Digest section is commented out :-)
   - Deploy the WAR to your JBoss Application Server

Now some tests with BASIC (and the default user john:123):

curl -u "john:123" "http://localhost:8080/aerogear-controller-demo/autobots" -v

This works, as expected!

curl -u "john:007" "http://localhost:8080/aerogear-controller-demo/autobots" -v

This does *NOT* work, as expected!

Cookies? <https://gist.github.com/matzew/6111c42ff5d73f18097e#cookies->

Christos and I noticed the server does return the Set-Cookie: response
header, so the cookie can/will be stored on the client.

Now let's do this:

curl --basic -b cookies.txt -c cookies.txt -u john:123 \
"http://localhost:8080/aerogear-controller-demo/autobots" -v

Perfect, works as well

But now, let's do this:

curl --basic -b cookies.txt -c cookies.txt -u john:007 \
"http://localhost:8080/aerogear-controller-demo/autobots" -v

Unfortunately, this works as well, since the session is reused, due to the
cookies... So, when the session is stored on the client, it is possible to
switch the credentials "on the fly".

Question / Comments <https://gist.github.com/matzew/6111c42ff5d73f18097e#question--comments>

   - Not really sure, but for Basic/Digest should the server really send
     the Set-Cookie: response header back to the client?
   - Not sure this is something on the controller, AG-Security or even
     PicketLink, but perhaps the Set-Cookie: could be removed when sending
     the response for Basic/Digest.

Any thoughts on this?

-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
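To make the failure mode in the mail reproducible offline, here is an added toy model of the server-side decision (it is not AG-Controller, AG-Security or PicketLink code and does not reproduce their internals). It replays the four curl calls above against a hypothetical Basic filter in front of /autobots: in the session-issuing mode the filter trusts an existing JSESSIONID and never re-reads the Authorization header, so the fourth call with john:007 still succeeds; in the stateless mode, which is the fix the mail proposes, Basic credentials are verified on every request and no Set-Cookie is issued, so there is no session to reuse. The user table and cookie name are constructed for the example.

```python
import base64
import hmac
import secrets

# Constructed user table; john:123 is the demo's default user named in the mail.
USERS = {"john": "123"}


def basic_header(user, password):
    """Build the Authorization header that `curl -u user:password` sends."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def _check_basic(value):
    """Return the username if the Basic credentials are valid, else None."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:]).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    if not sep or expected is None:
        return None
    # Constant-time comparison so the check itself leaks nothing about the secret.
    return user if hmac.compare_digest(expected.encode(), password.encode()) else None


def _session_from_cookie(value):
    """Extract JSESSIONID from a Cookie request header, or None."""
    for part in value.split(";"):
        name, _, sid = part.strip().partition("=")
        if name == "JSESSIONID":
            return sid
    return None


class Server:
    """Hypothetical Basic-auth filter in front of /autobots.

    stateless=False reproduces the behaviour reported in the mail: the first
    successful login issues a JSESSIONID and later requests carrying that
    cookie are served without re-checking the Authorization header.
    stateless=True is the proposed fix: every Basic request is verified and
    no Set-Cookie is sent, so nothing can be reused with other credentials.
    """

    def __init__(self, stateless):
        self.stateless = stateless
        self.sessions = {}  # session id -> authenticated user

    def handle(self, headers):
        """Return (status, response headers) for one request."""
        sid = _session_from_cookie(headers.get("Cookie", ""))
        if not self.stateless and sid in self.sessions:
            # Defect being modelled: the stored session wins regardless of
            # the credentials that arrived with this request.
            return 200, {}
        user = _check_basic(headers.get("Authorization"))
        if user is None:
            return 401, {"WWW-Authenticate": 'Basic realm="demo"'}
        if self.stateless:
            return 200, {}
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return 200, {"Set-Cookie": f"JSESSIONID={sid}; Path=/; HttpOnly"}


def run_scenario(stateless):
    """Replay the mail's four curl calls and return their status codes.

    Calls 1 and 2 run without a cookie jar; calls 3 and 4 share one jar,
    like `curl -b cookies.txt -c cookies.txt`.
    """
    server = Server(stateless)
    jar = {}
    statuses = []
    for use_jar, password in [(False, "123"), (False, "007"), (True, "123"), (True, "007")]:
        req = {"Authorization": basic_header("john", password)}
        if use_jar and "JSESSIONID" in jar:
            req["Cookie"] = f"JSESSIONID={jar['JSESSIONID']}"
        status, resp = server.handle(req)
        if use_jar and "Set-Cookie" in resp:
            jar["JSESSIONID"] = resp["Set-Cookie"].split(";")[0].split("=", 1)[1]
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    print("session cookie reused:", run_scenario(stateless=False))  # [200, 401, 200, 200]
    print("stateless Basic      :", run_scenario(stateless=True))   # [200, 401, 200, 401]
```

The second status list is what a defender wants to see for Basic/Digest: the wrong password is rejected on the fourth call too, because there is no server-side session for the cookie jar to carry over. The same logic applies if the real filter keeps a session for other reasons: at minimum it should re-validate an Authorization header that is present and drop the session when that check fails.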