Hi Tamas, I'll take a look at it as soon as I'm able to get some free time today!
Thanks!

Allan

On Tue, Jul 29, 2008 at 11:09 AM, Tamás Cservenák <[EMAIL PROTECTED]> wrote:
> Hi there,
>
> I just discovered a bug?
>
> When an HTTP Request comes in to resource (url) protected with
> authcBasic, BUT the header looks like this (sorry for formatting,
> copied from firebug):
>
> Host: localhost:8081
> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US;
> rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1
> Accept: application/json
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> X-Requested-With: XMLHttpRequest
> Authorization: NexusAuthToken DEPRECATED
> Referer: http://localhost:8081/nexus/
> Cookie st-authToken=s%3ADEPRECATED; st-username=s%3Aadmin
>
> The authcBasic stops the chain (protects it all right) but responds
> with HTTP 200....
>
> Corresponding log snippet:
> INFO] 2008-07-29 17:05:51,925 DEBUG
> [org.jsecurity.web.attr.CookieAttribute] - No value found in request
> Cookies under cookie name [rememberMe]
> [INFO] 2008-07-29 17:05:51,927 DEBUG
> [org.jsecurity.web.filter.authc.BasicHttpAuthenticationFilter] -
> Attempting to authenticate Subject based on Http BASIC Authentication
> request...
> [INFO] 2008-07-29 17:05:51,927 DEBUG
> [org.jsecurity.web.filter.authc.BasicHttpAuthenticationFilter] -
> Executing login with headers [NexusAuthToken DEPRECATED]
> [INFO] 2008-07-29 17:05:51,927 DEBUG
> [org.jsecurity.web.filter.authc.BasicHttpAuthenticationFilter] -
> Returning [false] from executeLogin()
> [INFO] 2008-07-29 17:05:51,927 DEBUG [org.mortbay.log] - RESPONSE
> /nexus/service/local/authentication/login 200
>
> As you see, the Authorization is NOT Basic, it is some custom scheme.
> Should not authcBasic in this case simply resendChallenge?
>
> The response is obviously wrong, this should not be HTTP 200.
>
> --
> Thanks,
> ~t~
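
The behaviour the report asks for, as an added example that is not part of this thread and is not JSecurity's code: any Authorization header that does not carry valid Basic credentials, including a custom scheme like the one in the quoted request, gets a 401 challenge instead of falling through to a 200. The class, method and record names, the realm and the sample credentials are assumptions constructed for illustration; it uses only the JDK (Java 16+ for records).

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.function.BiPredicate;

public class BasicAuthGate {
    /** proceed == true: hand the request on; otherwise answer with status and WWW-Authenticate. */
    record Decision(boolean proceed, int status, String wwwAuthenticate) {}

    static final String REALM = "example"; // assumed realm name

    static Decision challenge() {
        return new Decision(false, 401, "Basic realm=\"" + REALM + "\"");
    }

    /** Every failure path returns the 401 challenge; there is no path that stops the chain silently. */
    static Decision decide(String authorization, BiPredicate<String, String> verifier) {
        if (authorization == null) return challenge();
        String[] parts = authorization.trim().split("\\s+", 2);
        // Scheme names are case-insensitive; anything other than Basic is re-challenged.
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return challenge();
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(parts[1].trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return challenge(); // credentials are not valid base64
        }
        int colon = decoded.indexOf(':'); // user-id ends at the first colon
        if (colon < 0) return challenge();
        boolean ok = verifier.test(decoded.substring(0, colon), decoded.substring(colon + 1));
        return ok ? new Decision(true, 0, null) : challenge();
    }

    public static void main(String[] args) {
        // Stand-in verifier and constructed credentials; a real one would query the account store.
        BiPredicate<String, String> verifier = (u, p) -> u.equals("admin") && p.equals("constructed-password");
        String token = Base64.getEncoder()
                .encodeToString("admin:constructed-password".getBytes(StandardCharsets.UTF_8));
        String[] samples = {
            null,                        // no header at all
            "NexusAuthToken DEPRECATED", // custom scheme from the quoted request
            "Basic !!!not-base64",       // Basic scheme, malformed credentials
            "basic " + token,            // lower-case scheme name, valid credentials
            "Basic " + token             // valid credentials
        };
        for (String h : samples) System.out.println(h + " -> " + decide(h, verifier));
    }
}
```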
