Re: [basedb-devel] Prompting for credentials
> From previous messages, it seems that the session id is tied to the client that creates the session (via IP). So it would be linked to the server running the web service in our case. This is problematic, because the link to the BASE experiment will be used by a remote user, which will be served by a session ID having the wrong IP.

True, I had not thought of that. That would indeed make it problematic to log in users from within DC-THERA. Any plan to change the BASE code on this point?

Modifying the authentication logic ourselves is an option. Nicklas, could you give us a short description of the classes involved? Just in case.

Regards,
-- O.L.

___
basedb-devel mailing list
basedb-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/basedb-devel

Re: [basedb-devel] Prompting for credentials
Hi Nicklas,

in reply to your message below, I am working with Olivier on the issue. It still isn't clear to me if/how it's possible to do this:

- A search web service we have written is invoked with certain parameters.
- The ws searches inside BASE and returns a list of URLs. Every URL is about an experiment that matches the search parameters/criteria (actually experiment titles are returned too). Every URL is supposed to automatically open an experiment page in the BASE web interface.

We would also like the URL to make BASE automatically log in a guest user (experiments we decide to make publicly visible will be made accessible to this user), of course when the URL is clicked.

You may already have guessed that the web service will be invoked by another web application: http://ftp.informatik.rwth-aachen.de/Publications/CEUR-WS/Vol-435/poster06.pdf and that the returned URLs will be put in this application.

From previous messages in this mailing list, I understand that BASE doesn't allow one to keep open multiple user sessions, coming from multiple IPs, so this could be a problem re. what I've described. Or did I get it wrong?

An alternative for us could be that the end user has his/her own BASE account, he/she provides us with it and we pass it to the web service (or report it in the experiment's URL).

Is there a way to do what I described above? It's strange we cannot find an answer to that.

Many thanks in advance for any help.

Marco.

From: Nicklas Nordborg nick...@th... - 2009-12-15 21:45

Olivier Lefevre wrote:
> Out of curiosity, this error message implies that session IDs, once allocated, are tied to the remote ID the initial request came from. Is it a security feature?

Yes, but a very simple one. The idea is to protect the server from someone guessing an ID that is in use.

/Nicklas

Re: [basedb-devel] Prompting for credentials
Hi Marco,

Not to step on Nicklas' toes but a couple of observations from my point of view:

> From previous messages in this mailing list, I understand that BASE doesn't allow one to keep open multiple user sessions, coming from multiple IPs

AFAIK BASE just doesn't allow the *same* session ID to be used by multiple IPs; your wording suggests it can and will serve only one user per IP, which would clearly make it useless.

As to whether this is a problem or not in practice, remember that you and I were hitting a BASE instance directly, from separate IPs, when we ran into this issue, using a bogus ID to boot, hence the collision. In the actual usage scenario, in which users send requests to BASE not directly but through DC-THERA, I imagine that from the BASE server point of view they will appear to originate from the same DC-THERA server IP, regardless of user IP, hence the issue will be moot.

-- O.L.

Re: [basedb-devel] Prompting for credentials
Olivier Lefevre wrote:
> Hi Marco,
>
> Not to step on Nicklas' toes but a couple of observations from my point of view:
>
>> From previous messages in this mailing list, I understand that BASE doesn't allow one to keep open multiple user sessions, coming from multiple IPs
>
> AFAIK BASE just doesn't allow the *same* session ID to be used by multiple IPs; your wording suggests it can and will serve only one user per IP, which would clearly make it useless.

Oops, sorry. Clearly I meant multiple sessions from the same user and from multiple IPs. The scenario I am thinking of is multiple real users accessing BASE with the same account. But if different sessions can be generated for different IPs and using the same account, that would be good for us.

Cheers.

Marco.

Re: [basedb-devel] Prompting for credentials
Hi Nicklas,

in reply to your message below. I am working with Olivier on the issue. To me it seems we're stuck on it; I still cannot understand if/how it's possible to do this:

- A search web service we have written is invoked with certain parameters.
- The ws searches inside BASE and returns a list of URLs. Every URL is about an experiment that matches the search parameters/criteria (actually experiment titles are returned too). Every URL is supposed to automatically open an experiment page in the BASE web interface.

We would also like the URL to make BASE automatically log in a guest user (experiments we decide to make publicly visible will be made accessible to this user), with just the initial click of the real end user on the URL.

From previous messages in this mailing list, I understand that BASE doesn't allow one to keep open multiple user sessions from multiple IPs, so this could be a problem re. what I've described. Or did I get it wrong?

An alternative for us could be that the end user has his/her own BASE account, he/she provides us with it and we pass it to the web service (or report it in the experiment's URL).

You may already have guessed that the web service will be invoked by another web application: http://ftp.informatik.rwth-aachen.de/Publications/CEUR-WS/Vol-435/poster06.pdf and that the returned URLs will be put in this application.

Is there a way to do what I described above? It's strange we cannot find an answer to that.

Many thanks in advance for any help.

Marco.

From: Nicklas Nordborg nick...@th... - 2009-12-15 21:45

Olivier Lefevre wrote:
> Out of curiosity, this error message implies that session IDs, once allocated, are tied to the remote ID the initial request came from. Is it a security feature?

Yes, but a very simple one. The idea is to protect the server from someone guessing an ID that is in use.

/Nicklas

Re: [basedb-devel] Prompting for credentials
Olivier Lefevre wrote:
> Hi Nicklas,
>
>> If you supply a URL like the one above BASE is going to ask you for a login and password.
>
> I assume you mean a screen like the attached. If so that is indeed what I get in my own local development instance but the production instance (not managed by me) occasionally returns a page with a PermissionDeniedException stack trace instead (screenshot also attached) and at other times the expected login screen, which is a bit confusing. I have never seen the stack trace behaviour locally.

The login screen is the prompt I am talking about. The stack trace is because trying to use the same session ID that is already used by a different user session.

/Nicklas

Re: [basedb-devel] Prompting for credentials
> The stack trace is because trying to use the same session ID that is already used by a different user session.

Thanks, that's clear now: this could indeed happen when a bogus and constant session ID is used for all requests.

-- O.L.

Re: [basedb-devel] Prompting for credentials
Out of curiosity, this error message implies that session IDs, once allocated, are tied to the remote ID the initial request came from. Is it a security feature?

-- O.L.

Re: [basedb-devel] Prompting for credentials
Olivier Lefevre wrote:
> Out of curiosity, this error message implies that session IDs, once allocated, are tied to the remote ID the initial request came from. Is it a security feature?

Yes, but a very simple one. The idea is to protect the server from someone guessing an ID that is in use.

/Nicklas

[basedb-devel] Prompting for credentials
Is there a way to make BASE2 automatically prompt for credentials when a user who is not yet logged in clicks on a link pointing to a restricted-access resource? For instance the generic URL for an Experiment is

http://localhost:8080/base2/views/experiments/index.jsp?ID=uid&cmd=ViewItem&item_id=29

where uid is some hash. It seems one can use ID=0 as a magic value once the user is logged in but it fails the first time. What is the best way to handle this problem in the context of BASE2?

Thanks,
-- O.L.

Re: [basedb-devel] Prompting for credentials
Olivier Lefevre wrote:
> Is there a way to make BASE2 automatically prompt for credentials when a user who is not yet logged in clicks on a link pointing to a restricted-access resource? For instance the generic URL for an Experiment is
>
> http://localhost:8080/base2/views/experiments/index.jsp?ID=uid&cmd=ViewItem&item_id=29
>
> where uid is some hash. It seems one can use ID=0 as a magic value once the user is logged in but it fails the first time. What is the best way to handle this problem in the context of BASE2?

I am not exactly sure what you are looking for... If you supply a URL like the one above BASE is going to ask you for a login and password. The value for ID (e.g. 'uid' in the example) can be anything. There is nothing magic with ID=0, but the ID has to be a unique string per user session, so you can't just put a static link to the page within BASE.

/Nicklas
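
Added example, not part of the original thread and not BASE's own code: a small Python model of the behaviour discussed in this thread, where a session ID is bound to the first remote address that presents it. It shows why a static link with a constant ID collides, and why the binding stops distinguishing users once they all arrive through one server. The class and function names are hypothetical and the IP addresses are constructed.

```python
import secrets


class PermissionDenied(Exception):
    """A session ID was presented from an address other than the one bound to it."""


class SessionStore:
    """Hypothetical model: each session ID is bound to the first remote address seen."""

    def __init__(self):
        self._sessions = {}  # session_id -> [remote_addr, user or None]

    @staticmethod
    def new_id():
        # 128 random bits: unique per user session and impractical to guess.
        return secrets.token_urlsafe(16)

    def handle(self, session_id, remote_addr):
        """Return the logged-in user, or 'login' when credentials are still needed."""
        entry = self._sessions.setdefault(session_id, [remote_addr, None])
        if entry[0] != remote_addr:
            raise PermissionDenied(f"session {session_id!r} is bound to another client")
        return entry[1] or "login"

    def login(self, session_id, remote_addr, user):
        self.handle(session_id, remote_addr)  # enforce the address binding first
        self._sessions[session_id][1] = user


def attempt(store, session_id, remote_addr):
    try:
        return store.handle(session_id, remote_addr)
    except PermissionDenied:
        return "denied"


def demo():
    store, out = SessionStore(), {}
    # Constructed addresses from the RFC 5737 documentation ranges.
    alice, bob, proxy = "192.0.2.10", "198.51.100.7", "203.0.113.5"
    # Static link with a constant ID: the first client binds it, the next collides.
    out["static_first"] = attempt(store, "0", alice)
    out["static_second"] = attempt(store, "0", bob)
    # Fresh ID per link: every client gets its own session and a login prompt.
    out["fresh"] = [attempt(store, store.new_id(), ip) for ip in (alice, bob)]
    # Behind a proxy all users share one source address, so the binding cannot
    # tell them apart and only the unguessable ID protects the guest session.
    sid = store.new_id()
    store.login(sid, proxy, "guest")
    out["proxied"] = attempt(store, sid, proxy)
    return out
```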