Re: How to set up a servlet to return HTTP error status instead of redirecting to the login form?

2017-03-01 Thread Bertrand Delacretaz
On Tue, Feb 28, 2017 at 10:17 PM, John Logan  wrote:
> ...The SlingAuthenticator.doLogin() method first
> calls AuthUtil.isBrowserRequest(), and if the return value is true, then
> calls AuthUtil.isAjaxRequest().  This method returns true if the following
> header is present:
>
> X-Requested-With: XMLHttpRequest ...

Ah ok, great! I had forgotten about this feature, thanks for sharing
your solution.

-Bertrand


Re: How to set up a servlet to return HTTP error status instead of redirecting to the login form?

2017-02-28 Thread John Logan
On Tuesday, February 28, 2017 11:50 AM, John Logan wrote:
> On Tuesday, February 28, 2017 6:33 AM, Bertrand Delacretaz wrote:
[snip]
> > AFAIK it's the AuthUtil.isBrowserRequest method [1] that makes this decision.
[snip]
> 
> I suppose that a minimally invasive approach would be to modify the
> isBrowserRequest() method to detect a custom header that has priority
> over the user agent test.  Adding a header to an AJAX request would be
> much cleaner than modifying the User-Agent header in the browser
> navigator object.  Is that something that would be best discussed in
> a JIRA request rather than here?

I looked at the SlingAuthenticator class, which is what invokes
isBrowserRequest(), and found my answer.  The SlingAuthenticator.doLogin()
method first calls AuthUtil.isBrowserRequest(), and if the return value is
true, then calls AuthUtil.isAjaxRequest().  This method returns true if the
following header is present:

X-Requested-With: XMLHttpRequest

When I perform a curl with a stale cookie and the above header, I get
a 403 FORBIDDEN instead of a redirect.

This gets me what I need.  One finer point is that I would have
expected a 401 UNAUTHORIZED in this case (which is what the
form-based authenticator gives with j_validate=true).

Thanks again for your help!

John
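The client side of what John describes above, as an added example that is not code from the Sling project or from anyone in this thread: a browser fetch() wrapper that sends the `X-Requested-With: XMLHttpRequest` header so that Sling's authenticator answers an expired session with a status code (403 in John's curl test) instead of a 302 to the login form, together with a classifier that turns the response into something the app can act on. The header name and value come from the thread; the endpoint path, the `Accept` header, the response-handling policy and the fake Sling server used to exercise it offline are assumptions for illustration.

```javascript
// Added example (not Sling code, not from the thread). Assumed: the Sling
// instance sets a session cookie on form login and serves JSON at an
// arbitrary servlet path; '/content/app/query.json' below is made up.

const AJAX_HEADERS = Object.freeze({
  'X-Requested-With': 'XMLHttpRequest', // what AuthUtil.isAjaxRequest() checks
  'Accept': 'application/json',         // assumption: the servlet returns JSON
});

// Map a fetch() Response-like object to one of four outcomes.
function classifyAuthResponse(res) {
  if (res.status === 401 || res.status === 403) return 'auth-required';
  // With redirect: 'manual' a browser does not follow a 302; fetch() reports
  // it as an "opaqueredirect" response with status 0. Non-browser fetch
  // implementations may hand back the raw 3xx instead, so accept both.
  if (res.type === 'opaqueredirect' || (res.status >= 300 && res.status < 400)) {
    return 'redirected';
  }
  if (res.status >= 200 && res.status < 300) return 'ok';
  return 'error';
}

// Fetch JSON from a Sling servlet. markAjax=false reproduces the original
// problem (no header, so the authenticator redirects to the login form).
async function fetchSlingJson(url, { markAjax = true, fetchImpl = globalThis.fetch } = {}) {
  const res = await fetchImpl(url, {
    method: 'GET',
    headers: markAjax ? AJAX_HEADERS : { 'Accept': 'application/json' },
    credentials: 'same-origin', // send the session cookie Sling set at login
    redirect: 'manual',         // never silently follow a 302 to the login form
  });
  const outcome = classifyAuthResponse(res);
  if (outcome === 'ok') {
    return { outcome, status: res.status, data: await res.json() };
  }
  return { outcome, status: res.status, data: null };
}

// Constructed stand-in for fetch() so the wrapper can be run offline. It
// imitates the behaviour John observed: with a stale session, a request that
// lacks the AJAX header gets a 302 to the login form, one that carries it
// gets a 403; a valid session gets JSON. This is a mock, not Sling's logic.
function makeFakeSlingFetch({ sessionValid }) {
  const noBody = async () => { throw new Error('response has no JSON body'); };
  return async (url, init) => {
    const hdrs = (init && init.headers) || {};
    if (!sessionValid) {
      if (hdrs['X-Requested-With'] !== 'XMLHttpRequest') {
        return { status: 302, type: 'basic',
                 headers: { Location: '/system/sling/form/login' }, json: noBody };
      }
      return { status: 403, type: 'basic', json: noBody };
    }
    return { status: 200, type: 'basic',
             json: async () => ({ path: url, nodes: ['node-a', 'node-b'] }) };
  };
}

// Run the three cases against the fake server and report the outcomes.
async function demo() {
  const url = '/content/app/query.json';
  const stale = makeFakeSlingFetch({ sessionValid: false });
  const live = makeFakeSlingFetch({ sessionValid: true });
  const withHeader = await fetchSlingJson(url, { fetchImpl: stale });
  const withoutHeader = await fetchSlingJson(url, { markAjax: false, fetchImpl: stale });
  const ok = await fetchSlingJson(url, { fetchImpl: live });
  return {
    staleWithHeader: withHeader.outcome,       // 'auth-required'
    staleWithoutHeader: withoutHeader.outcome, // 'redirected'
    validSession: ok.outcome,                  // 'ok'
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(r));
}
```

In a real page the app would react to 'auth-required' by showing its own login UI or calling the form handler with j_validate, and to 'redirected' as a sign that the header was dropped somewhere (a proxy, a library that rewrites headers). `redirect: 'manual'` is what keeps the browser from quietly following the 302 and handing the servlet code the login form's HTML where it expected JSON.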

Re: How to set up a servlet to return HTTP error status instead of redirecting to the login form?

2017-02-28 Thread John Logan
Hi Bertrand,

Thanks for your response!  I appreciate your help.

On Tuesday, February 28, 2017 6:33 AM, Bertrand Delacretaz wrote:

> Hi John,
> 
> On Mon, Feb 27, 2017 at 10:11 PM, John Logan  wrote:
> > ...I receive 302 if the curl request includes the user agent, and
> > 401 otherwise
> 
> AFAIK it's the AuthUtil.isBrowserRequest method [1] that makes this decision.
> 

Agreed, I came across that code while investigating this.

> >  I don't think this helps for browser AJAX requests, though...
> 
> You might be able to tweak your request to work around this, based on
> that source code?
> 
> Or maybe catch the 302 response and implement the behavior that you need.
> 

Neither modifying the User-Agent header nor trying to identify a redirect
is really clean from an AJAX or REST services perspective.

I was hoping that there was some way to implement an endpoint in Sling 
that provided a pure data service that could be used by a browser-based app.

The form-based authentication handler anticipated this need for
login requests with its "j_validate" parameter, but I don't see a way
for other servlets to provide similar behavior.

I suppose that a minimally invasive approach would be to modify the
isBrowserRequest() method to detect a custom header that has priority
over the user agent test.  Adding a header to an AJAX request would be
much cleaner than modifying the User-Agent header in the browser
navigator object.  Is that something that would be best discussed in
a JIRA request rather than here?

> -Bertrand
> 
> [1]  
> https://svn.apache.org/repos/asf/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java


Re: How to set up a servlet to return HTTP error status instead of redirecting to the login form?

2017-02-28 Thread Bertrand Delacretaz
Hi John,

On Mon, Feb 27, 2017 at 10:11 PM, John Logan  wrote:
> ...I receive 302 if the curl request includes the user agent, and
> 401 otherwise

AFAIK it's the AuthUtil.isBrowserRequest method [1] that makes this decision.

>  I don't think this helps for browser AJAX requests, though...

You might be able to tweak your request to work around this, based on
that source code?

Or maybe catch the 302 response and implement the behavior that you need.

-Bertrand

[1] 
https://svn.apache.org/repos/asf/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java


How to set up a servlet to return HTTP error status instead of redirecting to the login form?

2017-02-27 Thread John Logan
Hello!

I'm running into an issue where I've created a Sling servlet that
queries nodes and returns a JSON result.  My web application uses
the form-based AuthenticationHandler to establish a session, and
then fetches the resource provided by my servlet.

This works fine until the session times out, after which a request
for the servlet resource results in a 302 response that redirects to
the login form.

Is there something I should do, either on the request at the client,
or in the servlet or its configuration, so that the client receives
a 401 response instead of a redirect when authentication fails?

Thank you for any help you can provide!

John