Hi there, I just discovered a bug?
When an HTTP request comes in to a resource (URL) protected with authcBasic, BUT the header looks like this (sorry for formatting, copied from Firebug):

    Host: localhost:8081
    User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1
    Accept: application/json
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    X-Requested-With: XMLHttpRequest
    Authorization: NexusAuthToken DEPRECATED
    Referer: http://localhost:8081/nexus/
    Cookie: st-authToken=s%3ADEPRECATED; st-username=s%3Aadmin

the authcBasic stops the chain (protects it all right) but responds with HTTP 200....

Corresponding log snippet:

    [INFO] 2008-07-29 17:05:51,925 DEBUG [org.jsecurity.web.attr.CookieAttribute] - No value found in request Cookies under cookie name [rememberMe]
    [INFO] 2008-07-29 17:05:51,927 DEBUG [org.jsecurity.web.filter.authc.BasicHttpAuthenticationFilter] - Attempting to authenticate Subject based on Http BASIC Authentication request...
    [INFO] 2008-07-29 17:05:51,927 DEBUG [org.jsecurity.web.filter.authc.BasicHttpAuthenticationFilter] - Executing login with headers [NexusAuthToken DEPRECATED]
    [INFO] 2008-07-29 17:05:51,927 DEBUG [org.jsecurity.web.filter.authc.BasicHttpAuthenticationFilter] - Returning [false] from executeLogin()
    [INFO] 2008-07-29 17:05:51,927 DEBUG [org.mortbay.log] - RESPONSE /nexus/service/local/authentication/login 200

As you see, the Authorization is NOT Basic, it is some custom scheme. Should not authcBasic in this case simply resendChallenge? The response is obviously wrong, this should not be HTTP 200.

--
Thanks,
~t~
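The behaviour the post asks for, shown as an added example that is not part of the original post and is not JSecurity's or Nexus's own code: the decision logic of a Basic-auth filter that answers with a 401 and a WWW-Authenticate challenge whenever the Authorization header is absent, uses a scheme other than Basic (such as the NexusAuthToken header above), is malformed, or carries bad credentials, and lets a request through only on a verified Basic user/password pair. The realm name, the user table and the function names are assumptions made for the demo; the sample request is reconstructed from the headers quoted in the post.

```python
import base64
import binascii
import hmac

# Constructed demo data (assumptions for this example, not from the post).
USERS = {"admin": "admin123"}
REALM = "nexus"

# Request headers as quoted in the post: a custom scheme, not Basic.
REQUEST_FROM_POST = {
    "Host": "localhost:8081",
    "Accept": "application/json",
    "X-Requested-With": "XMLHttpRequest",
    "Authorization": "NexusAuthToken DEPRECATED",
    "Cookie": "st-authToken=s%3ADEPRECATED; st-username=s%3Aadmin",
}


def basic_header(user, password):
    """Build a correct 'Authorization: Basic ...' value for user:password."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def challenge():
    """What authcBasic should return instead of 200: 401 plus a Basic challenge."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, None


def parse_basic_credentials(authz):
    """Return (user, password) only for a well-formed Basic header, else None.

    Any other scheme (e.g. 'NexusAuthToken DEPRECATED'), a missing header,
    bad base64 or a payload without ':' all yield None, so the caller
    treats them identically: no login attempt was made, send the challenge.
    """
    if authz is None:
        return None
    parts = authz.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep or not user:
        return None
    return user, password


def handle_request(headers):
    """Filter decision for a request to a protected URL.

    Returns (status, response_headers, authenticated_user). The status is
    200 only when a Basic pair verified; everything else is a 401 challenge.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    creds = parse_basic_credentials(lowered.get("authorization"))
    if creds is None:
        return challenge()
    user, password = creds
    expected = USERS.get(user)
    # Constant-time comparison so a wrong password and an unknown user
    # cannot be told apart by timing.
    if expected is None or not hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8")
    ):
        return challenge()
    return 200, {}, user


if __name__ == "__main__":
    for label, hdrs in [
        ("custom scheme (from post)", REQUEST_FROM_POST),
        ("no Authorization", {}),
        ("bad password", {"Authorization": basic_header("admin", "wrong")}),
        ("valid Basic", {"Authorization": basic_header("admin", "admin123")}),
    ]:
        status, resp, who = handle_request(hdrs)
        print(f"{label:28} -> {status} {resp} user={who}")
```

The key point is in parse_basic_credentials: a header that is present but not Basic is treated exactly like no header at all, so the filter falls through to the challenge rather than reporting a failed login with a 200.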
