Issue Details (XML | Word | Printable)

Key: GALAXY-161
Type: Bug Bug
Status: Open Open
Priority: Minor Minor
Assignee: Dan Diephouse
Reporter: Todd Wells
Votes: 1
Watchers: 1
Operations

If you were logged in you would be able to see more operations.
Galaxy

Attempting feed access without credentials returns HTTP 302 instead of HTTP 401

Created: 25/Mar/08 03:12 PM   Updated: 02/Apr/10 01:32 PM
Component/s: Core
Affects Version/s: 1.0-beta-2
Fix Version/s: 1.x Backlog

Time Tracking:
Not Specified

Issue Links:
Related
 

Labels:
User impact: Medium
Similar Issues:


 Description  « Hide
If you hit a feed URL, e.g. http://localhost:9090/api/registry/Default%20Workspace/myArtifact;history, and do not provide credentials, an HTTP 302 (meaning "requested resource resides temporarily under a different URI") is returned and it redirects you to login.jsp. The correct behavior when hitting a feed URL without credentials should be to return a 404 unauthorized, prompting clients to authenticate. A re-direct would be fine for a non-feed URL (e.g. a web console URL).

I discovered this when using apache HttpClient to authenticate against the service – by default HttpClient does not preemptively pass auth credentials (it will pass them if it gets a 404), so the client kept getting redirected to login.jsp. I finally resolved the issue by forcing HttpClient to pre-emptively authenticate.

 All   Comments   Work Log   Change History   Transitions   FishEye      Sort Order: Ascending order - Click to sort in descending order
[ Permlink | « Hide ]
Todd Wells added a comment - 25/Mar/08 03:13 PM
Oops, meant "if it gets a 401" in the second paragraph.

[ Permlink | « Hide ]
Dan Diephouse added a comment - 25/Mar/08 10:13 PM
I'll see if I can fix this for the next release. Its Acegi weirdness that I need to resolve.

[ Permlink | « Hide ]
Andrew Perepelytsya added a comment - 14/May/08 10:13 AM
Implementation note: making it return 401 instead of 302 would be semantically correct, but could break the re-login prompt (see GALAXY-245). Different servers may present 401 error differently, not sure if we can get a cross-server behavior consistently. Then, there's a limitation in current 1.4.x GWT, whereas onFailure() handler does not carry any context info (response). This is improved in GWT 1.5 (response code is available), see http://groups.google.com/group/Google-Web-Toolkit-Contributors/browse_thread/thread/bfe37326ce752550

So, I'd say don't touch this issue until we upgrade GWT.


[ Permlink | « Hide ]
Brian Kalbfus added a comment - 02/Apr/10 01:30 PM
I believe this affects Mule 2.x integration as well when run from netboot. The url http://admin:admin@localhost:8080?q=select artifact where mule2.service='GreeterUMO' seems to be returning the login screen instead of authenticating to get the mule-config.xml. This results in spring complaining that it can't find a declaration for the <html> xml element. See http://forums.mulesoft.org/click.jspa?searchID=17417&messageID=7888

The tests I did was loading the http://admin:admin@localhost:8080 from :

  • Internet Explorer: says page doesn't exist
  • Firefox: tells me that you're sending authentication credentials to a site that is not asking for it, and then brings up login page
  • wget: returns html for the login page.

[ Permlink | « Hide ]
Brian Kalbfus added a comment - 02/Apr/10 01:32 PM
Correction: IE behaves like Firefox.


Powered by a free Atlassian JIRA open source license for MuleForge. Try JIRA - bug tracking software for your team.
Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.13.1-#333) - Bug/feature request - Atlassian news - Contact Administrators