Valentin Aitken created BROOKLYN-323:
----------------------------------------

             Summary: Inconsistent logout behavior for Basic Authentication
                 Key: BROOKLYN-323
                 URL: https://issues.apache.org/jira/browse/BROOKLYN-323
             Project: Brooklyn
          Issue Type: Bug
    Affects Versions: 0.9.0, 0.10.0, 0.9.1
         Environment: Firefox, Internet Explorer, Google Chrome
            Reporter: Valentin Aitken
             Fix For: 0.10.0


Observed behavior:
When clicking logout, the browser asks for a password.
When entering a password, the browser asks you sequentially to enter username and 
password.

How logout should be implemented for Basic Authentication:
http://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication

My explanation for behavior with the current code:

First, to make clear how brooklyn-ui works and what it does:
It polls the Brooklyn API infinitely to retrieve the status of the applications 
which are on the dashboard.
To do that, each request has to be authenticated.

Logout:
When the user clicks logout, the UI fires an Ajax call to get a proper Unauthorized 
response.
The current response for the logout request contains an Unauthorized response, which 
should invalidate the credentials.
For Google Chrome it does invalidate the request credentials, but it does not 
reload the DOM (or the webpage).
When the user tries to type username and password to log back in, it is followed 
by another username and password prompt. 
My explanation for this is that the login actually appeared from one of the 
application status calls rather than the index page, and the credentials are not 
populated through the DOM.
Because of this, credentials have to be typed for every single request, and the UI 
is making status calls infinitely, so in other words the user has to enter username 
and password infinitely.
However, for Internet Explorer it behaves differently.
It just unauthenticates the one Ajax request and from there nothing happens. 
Deletion of the session within Internet Explorer doesn't happen and the browser 
stays authenticated.

My idea for solving those problems is to do a full reload of the web page after 
deauthenticating,
so Brooklyn can have only one JavaScript authentication cycle.
I will provide a solution which does that in one simple step.
Calling the /logout API call which returns Unauthorized response and redirect 
to the home page. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
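
The logout cycle proposed in the report (stop the status polling, call /logout expecting Unauthorized, then reload the home page), as an added example that is not Brooklyn's code or the reporter's patch. It assumes the client performs the reload; `createDashboardSession`, the injected `deps` and the `/status` URL are hypothetical, and the browser pieces are constructed stand-ins so it runs under Node.

```javascript
// Added example, not Brooklyn code. Transport, timers and navigation are
// injected (hypothetical `deps`) so the flow can be exercised outside a page.
function createDashboardSession(deps) {
  let timer = null;
  let loggedOut = false;

  function poll() {
    if (loggedOut) return;
    deps.request(deps.statusUrl, function () {
      // A status reply that lands after logout must not re-arm the poller:
      // every further poll would raise its own credential prompt.
      if (loggedOut) return;
      timer = deps.setTimer(poll, deps.intervalMs);
    });
  }

  function logout(done) {
    loggedOut = true; // 1. stop background polling before anything else
    if (timer !== null) deps.clearTimer(timer);
    timer = null;
    deps.request(deps.logoutUrl, function (status) {
      // 2. 401 is the expected answer to the logout call.
      const invalidated = status === 401;
      // 3. Full reload, so the next prompt comes from the page load itself
      //    and not from a background status call.
      deps.navigate(deps.homeUrl);
      if (done) done(invalidated);
    });
  }

  return { start: poll, logout: logout };
}

// Constructed stand-ins for the browser; returns the ordered event log.
function demo() {
  const log = [];
  let pending = null;
  const session = createDashboardSession({
    statusUrl: "/status", logoutUrl: "/logout", homeUrl: "/", intervalMs: 1000,
    request: (url, cb) => { log.push("GET " + url); cb(url === "/logout" ? 401 : 200); },
    setTimer: (fn) => { pending = fn; return 1; },
    clearTimer: () => { log.push("poll stopped"); pending = null; },
    navigate: (url) => log.push("reload " + url),
  });
  session.start();
  session.logout();
  if (pending) pending(); // a timer left armed would poll again here
  return log;
}
```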
