Re: How to set up a servlet to return HTTP error status instead of redirecting to the login form?
On Tue, Feb 28, 2017 at 10:17 PM, John Logan wrote:
> ...The SlingAuthenticator.doLogin() method first
> calls AuthUtil.isBrowserRequest(), and if the return value is true, then
> calls AuthUtil.isAjaxRequest(). This method returns true if the following
> header is present:
>
> X-Requested-With: XMLHttpRequest
...

Ah ok, great! I had forgotten about this feature, thanks for sharing your solution.

-Bertrand
Re: How to set up a servlet to return HTTP error status instead of redirecting to the login form?
On Tuesday, February 28, 2017 11:50 AM, John Logan wrote:
> On Tuesday, February 28, 2017 6:33 AM, Bertrand Delacretaz wrote:
[snip]
> > AFAIK it's the AuthUtil.isBrowserRequest method [1] that makes this
> > decision.
[snip]
>
> I suppose that a minimally invasive approach would be to modify the
> isBrowserRequest() method to detect a custom header that has priority
> over the user agent test. Adding a header to an AJAX request would be
> much cleaner than modifying the User-Agent header in the browser
> navigator object. Is that something that would be best discussed in
> a JIRA request rather than here?

I looked at the SlingAuthenticator class, which is what invokes isBrowserRequest(), and found my answer. The SlingAuthenticator.doLogin() method first calls AuthUtil.isBrowserRequest(), and if the return value is true, then calls AuthUtil.isAjaxRequest(). This method returns true if the following header is present:

X-Requested-With: XMLHttpRequest

When I perform a curl with a stale cookie and the above header, I get a 403 FORBIDDEN instead of a redirect. This gets me what I need. One finer point is that I would have expected a 401 UNAUTHORIZED in this case (which is what the form-based authenticator gives with j_validate=true).

Thanks again for your help!

John
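As an added illustration that is not part of this thread: a browser-side fetch helper that sends the X-Requested-With header John found, next to a simplified model of the SlingAuthenticator.doLogin() decision he describes. The function names and the User-Agent test are assumptions for the example, not Sling's own code.

```javascript
// Added example, not code from the thread or from Sling itself. It shows the
// client-side use of the header John found, plus a small model of the
// server-side decision the thread describes. Names are hypothetical and the
// User-Agent regex is an assumption approximating AuthUtil.isBrowserRequest().

// Headers the browser app sends to its JSON data servlet. The first one makes
// AuthUtil.isAjaxRequest() return true, so a stale session yields an HTTP
// error status instead of a 302 to the login form.
const AJAX_HEADERS = {
  'X-Requested-With': 'XMLHttpRequest',
  'Accept': 'application/json',
};

// Model of SlingAuthenticator.doLogin() as described in the thread:
// non-browser -> 401, browser + AJAX header -> 403, plain browser -> 302.
function modelLoginResponse(reqHeaders) {
  const userAgent = reqHeaders['User-Agent'] || '';
  const isBrowser = /Mozilla|Opera/.test(userAgent);   // assumption
  const isAjax = reqHeaders['X-Requested-With'] === 'XMLHttpRequest';
  if (!isBrowser) return 401;
  if (isAjax) return 403;
  return 302;
}

// What the client should do with a response from the data servlet.
// Status 0 is what fetch() reports for an opaque redirect when
// redirect: 'manual' is used, so it is treated like a 302.
function classify(status) {
  if (status === 200) return 'ok';
  if (status === 401 || status === 403) return 'reauthenticate';
  if (status === 302 || status === 0) return 'unexpected-redirect';
  return 'error';
}

// fetchImpl is injectable so the helper can be exercised without a server.
async function fetchSlingJson(url, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(url, {
    credentials: 'same-origin',   // send the session cookie
    headers: AJAX_HEADERS,
    redirect: 'manual',           // never silently follow to the login form
  });
  const outcome = classify(res.status);
  return { outcome, data: outcome === 'ok' ? await res.json() : null };
}
```

When `outcome` is `'reauthenticate'` the app can show its own login flow rather than receiving the login form's HTML where it expected JSON.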
Re: How to set up a servlet to return HTTP error status instead of redirecting to the login form?
Hi Bertrand,

Thanks for your response! I appreciate your help.

On Tuesday, February 28, 2017 6:33 AM, Bertrand Delacretaz wrote:
> Hi John,
>
> On Mon, Feb 27, 2017 at 10:11 PM, John Logan wrote:
> > ...I receive 302 if the curl request includes the user agent, and
> > 401 otherwise
>
> AFAIK it's the AuthUtil.isBrowserRequest method [1] that makes this decision.
>

Agreed, I came across that code while investigating this.

> > I don't think this helps for browser AJAX requests, though...
>
> You might be able to tweak your request to work around this, based on
> that source code?
>
> Or maybe catch the 302 response and implement the behavior that you need.
>

Neither modifying the User-Agent header nor trying to identify a redirect is really clean from an AJAX or REST services perspective. I was hoping that there was some way to implement an endpoint in Sling that provided a pure data service that could be used by a browser-based app. The form-based authentication handler anticipated this need for login requests with its "j_validate" parameter, but I don't see a way for other servlets to provide similar behavior.

I suppose that a minimally invasive approach would be to modify the isBrowserRequest() method to detect a custom header that has priority over the user agent test. Adding a header to an AJAX request would be much cleaner than modifying the User-Agent header in the browser navigator object. Is that something that would be best discussed in a JIRA request rather than here?

> -Bertrand
>
> [1]
> https://svn.apache.org/repos/asf/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java
Re: How to set up a servlet to return HTTP error status instead of redirecting to the login form?
Hi John,

On Mon, Feb 27, 2017 at 10:11 PM, John Logan wrote:
> ...I receive 302 if the curl request includes the user agent, and
> 401 otherwise

AFAIK it's the AuthUtil.isBrowserRequest method [1] that makes this decision.

> I don't think this helps for browser AJAX requests, though...

You might be able to tweak your request to work around this, based on that source code?

Or maybe catch the 302 response and implement the behavior that you need.

-Bertrand

[1] https://svn.apache.org/repos/asf/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java
How to set up a servlet to return HTTP error status instead of redirecting to the login form?
Hello!

I'm running into an issue where I've created a Sling servlet that queries nodes and returns a JSON result. My web application uses the form-based AuthenticationHandler to establish a session, and then fetches the resource provided by my servlet. This works fine until the session times out, after which a request for the servlet resource results in a 302 response that redirects to the login form.

Is there something I should do, either on the request at the client, or in the servlet or its configuration, so that the client receives a 401 response instead of a redirect when authentication fails?

Thank you for any help you can provide!

John