Hi there,
i see this issue is tackled in svn trunk... but it will not help the
users to support "custom" authentication schemes...
Would not be "more exact" if you do the following?
protected boolean isLoginAttempt( ServletRequest request,
ServletResponse response )
{
HttpServletRequest httpRequest = toHttp( request );
String authorizationHeader = httpRequest.getHeader(
AUTHORIZATION_HEADER );
return authorizationHeader != null &&
authorizationHeader.toLowerCase().startsWith( "basic" );
}
Since the BasicHttpAuthenticationFilter does HTTP BASIC auth only (out
of the box), it should check for auth scheme also.... otherwise, if
not BASIC, it should simply take it as non-login-attempt request.
And if someone implements "custom" scheme, he should only override the
isLoginAttemp() and executeLogin() methods to implement it's custom
auth scheme...
~t~
On Tue, Jul 29, 2008 at 5:09 PM, Tamás Cservenák <[EMAIL PROTECTED]> wrote:
> Hi there,
>
> i just discovered a bug?
>
> When a HTTP Request comes in to resource (url) protected with
> authcBasic, BUT the header looks like this (sorry for formatting,
> copied from firebug):
>
> Host: localhost:8081
> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US;
> rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1
> Accept: application/json
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> X-Requested-With: XMLHttpRequest
> Authorization: NexusAuthToken DEPRECATED
> Referer: http://localhost:8081/nexus/
> Cookie st-authToken=s%3ADEPRECATED; st-username=s%3Aadmin
>
> The authcBasis stops the chain (protects it all right) but responds
> with HTTP 200....
>
> Corresponding log snippet:
> INFO] 2008-07-29 17:05:51,925 DEBUG
> [org.jsecurity.web.attr.CookieAttribute] - No value found in request
> Cookies under cookie name [rememberMe]
> [INFO] 2008-07-29 17:05:51,927 DEBUG
> [org.jsecurity.web.filter.authc.BasicHttpAuthenticationFilter] -
> Attempting to authenticate Subject based on Http BASIC Authentication
> request...
> [INFO] 2008-07-29 17:05:51,927 DEBUG
> [org.jsecurity.web.filter.authc.BasicHttpAuthenticationFilter] -
> Executing login with headers [NexusAuthToken DEPRECATED]
> [INFO] 2008-07-29 17:05:51,927 DEBUG
> [org.jsecurity.web.filter.authc.BasicHttpAuthenticationFilter] -
> Returning [false] from executeLogin()
> [INFO] 2008-07-29 17:05:51,927 DEBUG [org.mortbay.log] - RESPONSE
> /nexus/service/local/authentication/login 200
>
> As you see, the Authorization is NOT Basic, it is some custom scheme.
> Should not authcBasic in this case simply resendChallenge?
>
> The response is obviously wrong, this should not be HTTP 200.
>
> --
> Thanks,
> ~t~
>
--
Thanks,
~t~
