As you may have noticed from WOOKIE-283 this turned out to be a far worse problem than not getting some twitter updates.
I don't know what the original UC was for including Base64 authz headers, so I've just commented out all the code including them, and disabled the header type from being passed by other means. As its a critical security bug I suggest rolling this into the 0.9.1 release and issuing an advisory rather than waiting for 0.9.2. On 30 Oct 2011, at 14:21, Ross Gardler wrote: > On 29 October 2011 01:28, Ross Gardler <[email protected]> wrote: >> Any idea why I'm being asked to login to wookie (via basic >> authentication) to access a proxied URL. >> >> e.g. >> http://localhost:8080/wookie/proxy?instanceid_key=Mwp1GaQDZoyOOVvjnQ.sl.withW4DE.eq.&url=http://api.twitter.com/1/statuses/show.xml?id=129284508087357440&include_entities=false >> >> Accessing the URL directly in the browser presents no problem. > > I can now reproduce this reliably using the item detail template test > widget or the browse template test widget: > > Preparation: > > - you need a fresh browser on which you have *not* logged into the > admin console > - deploy the template test widgets: cd widgets/templates; ant > generate-test-widgets > - visit the "Browse Test Widget" > - everything should work fine > > Reproduce the problem: > > - log into the wookie admin interface > - visit the Browse Test Widget > - you will be asked to login > >> The weather widget (which also makes a proxied request) works fine. > > This remains the case. I can only assume that this indicates a > difference in the interaction styles. The weather widget simply > consumes an RSS feed, the twitter widgets consume a REST service. > > I've raised an issue at https://issues.apache.org/jira/browse/WOOKIE-283 > > Ross
