[aerogear-dev] Basic/Digest issue with the Controller or AG Security?

Bruno Oliveira bruno at abstractj.org
Thu Jun 20 12:31:19 EDT 2013


https://issues.jboss.org/browse/AGSEC-73 created.

Summers Pittman wrote:
> On 06/20/2013 08:28 AM, Kris Borchers wrote:
>> I can agree that sending incorrect credentials should not work. You
>> shouldn't be sending credentials again if you have a valid cookie but
>> if you do and they are wrong, I agree that you should not be
>> authenticated. The question then is, should the cookie be invalidated
>> or if I try again with the cookie but without credentials, should it
>> work. I would probably lean toward invalidating the cookie and forcing
>> the auth process to start over, I think.
> That makes the most sense. HTTP Basic doesn't require a cookie so
> whatever we do here is rather arbitrary...
>>
>> On Jun 20, 2013, at 7:15 AM, Matthias Wessendorf <matzew at apache.org
>> <mailto:matzew at apache.org>> wrote:
>>
>>> I have tried an internal service, tried the similar like about (with
>>> basic/curl)
>>>
>>> curl -k --basic -b cookies.txt -c cookies.txt -u goodUser:goodPasswd
>>> "https://something.redhat.com <https://something.redhat.com/>" -v
>>>
>>> ==> I get the protected page
>>>
>>>
>>> curl -k --basic -b cookies.txt -c cookies.txt -u badUser:badPasswd
>>> "https://something.redhat.com <https://something.redhat.com/>" -v
>>>
>>> ==> I am NOT getting the protected page :)
>>>
>>>
>>> Not sure, but I do like the fact that the second curl is not
>>> successful :-)
>>>
>>>
>>>
>>>
>>>
>>> On Thu, Jun 20, 2013 at 2:04 PM, Kris Borchers <kris at redhat.com
>>> <mailto:kris at redhat.com>> wrote:
>>>
>>>     Isn't this how Basic auth works? Once you log in you get a cookie
>>>     and you don't have to authenticate anymore until that cooke
>>>     expires (usually at the end of a session). This is my experience
>>>     in browsers at least and is how I would expect it to work. If I
>>>     have a valid cookie, I should not have to log in again.
>>>
>>>     On Jun 20, 2013, at 6:59 AM, Matthias Wessendorf
>>>     <matzew at apache.org <mailto:matzew at apache.org>> wrote:
>>>
>>>>     Hi,
>>>>
>>>>     when looking into HTTP Basic/Digest for iOS, Christos noticed a
>>>>     problem with that, on the Controller demo (using AG-Security).
>>>>
>>>>     I have checked his issues and they are "visible" in cURL
>>>>     "environment" as well.
>>>>
>>>>     Steps to reproduce
>>>>
>>>>       * Clone the AG-Controller demo
>>>>         <https://github.com/aerogear/aerogear-controller-demo>
>>>>       * Update the |web.xml| to use the BASIC Filter (here
>>>>         <https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L34-L41>
>>>>         and here
>>>>         <https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/webapp/WEB-INF/web.xml#L78-L82>).
>>>>       * Make /*SURE*/ that the Digiest section is commented out :-)
>>>>       * Deploy the |WAR| to your JBoss Application Server
>>>>
>>>>     Now some tests with BASIC (and the default user |john:123|):
>>>>
>>>>     |curl -u "john:123" "http://localhost:8080/aerogear-controller-demo/autobots" -v
>>>>     |
>>>>
>>>>     This works, as expected!
>>>>
>>>>     |curl -u "john:007" "http://localhost:8080/aerogear-controller-demo/autobots" -v
>>>>     |
>>>>
>>>>     This does /*NOT*/ work, as expected!
>>>>
>>>>
>>>>           <https://gist.github.com/matzew/6111c42ff5d73f18097e#cookies->Cookies
>>>>           ?
>>>>
>>>>     Christos and I noticed the server does return the |Set-Cookie:|
>>>>     response header, so the cookie can/will be stored on the client.
>>>>
>>>>     Now let's do this:
>>>>
>>>>     |curl --basic -b cookies.txt -c cookies.txt -u john:123 \
>>>>     "http://localhost:8080/aerogear-controller-demo/autobots" -v
>>>>     |
>>>>
>>>>     Perfect, works as well
>>>>
>>>>     But now, let's do this:
>>>>
>>>>     |curl --basic -b cookies.txt -c cookies.txt -u john:007 \
>>>>     "http://localhost:8080/aerogear-controller-demo/autobots" -v
>>>>     |
>>>>
>>>>     Unfortunatley, this works as well, since the session is reused,
>>>>     due to the cookies... So, when the session is stored on the
>>>>     client, it is possible to switch the credentials "on the fly".
>>>>
>>>>
>>>>         <https://gist.github.com/matzew/6111c42ff5d73f18097e#question--comments>Question
>>>>         / Comments
>>>>
>>>>      *
>>>>
>>>>         Not really sure, but for Basic/Digest should the server
>>>>         really send |Set-Cookie:| response header back to the client ?
>>>>
>>>>      *
>>>>
>>>>         Not sure this is something on the controller, AG-Security or
>>>>         even PicketLink, but perhaps the|Set-Cookie:| could be
>>>>         removed, when sending the response for Basic/Digest
>>>>
>>>>     Ant thoughts on this ?
>>>>
>>>>     --
>>>>     Matthias Wessendorf
>>>>
>>>>     blog: http://matthiaswessendorf.wordpress.com/
>>>>     sessions: http://www.slideshare.net/mwessendorf
>>>>     twitter: http://twitter.com/mwessendorf
>>>>     _______________________________________________
>>>>     aerogear-dev mailing list
>>>>     aerogear-dev at lists.jboss.org <mailto:aerogear-dev at lists.jboss.org>
>>>>     https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>
>>>
>>>     _______________________________________________
>>>     aerogear-dev mailing list
>>>     aerogear-dev at lists.jboss.org <mailto:aerogear-dev at lists.jboss.org>
>>>     https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>
>>>
>>>
>>>
>>> --
>>> Matthias Wessendorf
>>>
>>> blog: http://matthiaswessendorf.wordpress.com/
>>> sessions: http://www.slideshare.net/mwessendorf
>>> twitter: http://twitter.com/mwessendorf
>>> _______________________________________________
>>> aerogear-dev mailing list
>>> aerogear-dev at lists.jboss.org <mailto:aerogear-dev at lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>>
>>
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev

-- 
abstractj



More information about the aerogear-dev mailing list