You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by Mike Müller <mi...@mysign.ch> on 2010/10/05 10:44:20 UTC
[DISCUSS] switching off Basic Auth as default?
Hi
As of the discussion in [1] I like to start a new discussion
about whether to disable or enable Basic Auth per default.
The initial reason to disable it, were the problems appeared
in the Sling Explorer after logging in under /system/console
with Basic Auth (SLING-1765 [2]).
With Basic Auth on we've got serveral issues in the browsers:
- Some browsers pass credentials even on parent paths
where credentials should not be sent.
- Logout is mostly a problem
With other clients than browsers these issues doesn't exist.
I think we agree on the fact that it would be better/safer
to disable Basic Auth if there would not be a backward
compatibility issue with it.
What crossed my mind is, that it would be very pratical to
have something like a conf file where you can overwrite
defaults from components as you wish. The conf file should
be placed into the Sling launchpad which reads the properties
and overwrites the defaults. But that's a little bit off topic here,
but would solve the problem that someone has to patch
the source only because of another default value...
[1] http://markmail.org/thread/nmcjhvq46ihok7p2
[2] https://issues.apache.org/jira/browse/SLING-1765
best regards
mike
WebConsole Authentication (was: [DISCUSS] switching off Basic Auth
as default?)
Posted by Felix Meschberger <fm...@gmail.com>.
Hi,
Let me just answer this side-track:
On 05.10.2010 15:57, Justin Edelson wrote:
> On 10/5/10 4:44 AM, Mike Müller wrote:
>> Hi
>>
>> As of the discussion in [1] I like to start a new discussion
>> about whether to disable or enable Basic Auth per default.
>> The initial reason to disable it, were the problems appeared
>> in the Sling Explorer after logging in under /system/console
>> with Basic Auth (SLING-1765 [2]).
> To boil it down, the problem identified in SLING-1765 is that if a user
> logs into the OSGi web console and then visits any Sling application
> (including, but not limited to, the Sling Explorer), the user is still
> logged in.
>
> There are three things which come to my mind about this:
> 1) The problem is that the Felix web console uses Basic Auth, not that
> Sling supports preemptive Basic Auth. Therefore, we should be changing
> the web console, not Sling's default configuration.
Makes perfect sense. Read on ...
>
> 2) Couldn't you work around this by removing the
> org.apache.sling.extensions.webconsolesecurityprovider bundle and making
> it so that the Jackrabbit and Felix admin passwords weren't the same?
The problem is that the web console right now only supports HTTP Basic
authentication and is not as pluggable with respect to authentication as
I would like it to have.
In essence, the Web Console itself reads the HTTP Basic authentication
header and passes the username and password to the security provider.
The only thing added by the Sling webconsolesecurityprovider is support
to authenticate the username/password against the repository.
What we would need here is an extended support interface to actually
allow the Sling Authentication mechanism to fully plug-in and thus allow
for the Sling's extended functionality.
This has just not been done yet ...
>
> 3) Aren't we talking about a relatively small number of advanced users?
> The OSGi web console doesn't have any kind of RBAC, so I can't imagine
Well, not fully RBAC, but there is a simple hook in the Security
Provider interface to implement some kind of RBAC.
Regards
Felix
> we're talking about end users or even normal content editors being
> impacted here. If someone can be trusted to muck around with the OSGi
> web console, they should be able to understand how to resolve the
> scenario described.
>
>>
>> With Basic Auth on we've got serveral issues in the browsers:
>> - Some browsers pass credentials even on parent paths
>> where credentials should not be sent.
>> - Logout is mostly a problem
>>
>> With other clients than browsers these issues doesn't exist.
>>
>> I think we agree on the fact that it would be better/safer
>> to disable Basic Auth if there would not be a backward
>> compatibility issue with it.
> I don't agree with this at all. IMHO, Basic Auth is preferable for
> command-line tools, scripts, and the like.
>
>>
>> What crossed my mind is, that it would be very pratical to
>> have something like a conf file where you can overwrite
>> defaults from components as you wish. The conf file should
>> be placed into the Sling launchpad which reads the properties
>> and overwrites the defaults. But that's a little bit off topic here,
>> but would solve the problem that someone has to patch
>> the source only because of another default value...
> See http://markmail.org/message/pvria2dxnifmllmu. I've been short on
> time and trying to get the Emma integration done, but as soon as that's
> finished, I can start integrating the ConfigAdmin/Launchpad code.
>
> Without this support, you can pretty easily do something similar with a
> component like this: http://gist.github.com/611550
>
> Justin
>
>>
>> [1] http://markmail.org/thread/nmcjhvq46ihok7p2
>> [2] https://issues.apache.org/jira/browse/SLING-1765
>>
>> best regards
>> mike
>
>
Re: [DISCUSS] switching off Basic Auth as default?
Posted by Bertrand Delacretaz <bd...@apache.org>.
On Wed, Oct 6, 2010 at 6:57 PM, Mike Müller <mi...@mysign.ch> wrote:
>> ...http://sling.apache.org/site/jcr-installer-jcrjcrinstall-and-osgiinstaller.html ...
>
> Interesting. Does the configuration part also work if the bundle
> is not in the repository but installed the good old way?
Yes, you can use osgi installer configs to create any configuration,
the config just has to use the correct PID.
-Bertrand
RE: [DISCUSS] switching off Basic Auth as default?
Posted by Mike Müller <mi...@mysign.ch>.
> On Wed, Oct 6, 2010 at 6:17 PM, Mike Müller <mi...@mysign.ch> wrote:
> > ...Tob e honest I do not know anything about to possibility to achieve this
> > with JCR installer or files in the file system... apparently I have to look into
> this!...
>
> I haven't tried filesystem yet, but with jcrinstall you just have to
> setup Sling:OsgiConfig nodes in the repository with names that match
> the service PIDs, so configs can be provided as initial content.
>
> See http://sling.apache.org/site/jcr-installer-jcrjcrinstall-and-
> osgiinstaller.html
> for an example (that uses curl ;-)
>
> -Bertrand
Interesting. Does the configuration part also work if the bundle
is not in the repository but installed the good old way?
best regards
mike
Re: [DISCUSS] switching off Basic Auth as default?
Posted by Bertrand Delacretaz <bd...@apache.org>.
On Wed, Oct 6, 2010 at 6:17 PM, Mike Müller <mi...@mysign.ch> wrote:
> ...Tob e honest I do not know anything about to possibility to achieve this
> with JCR installer or files in the file system... apparently I have to look into this!...
I haven't tried filesystem yet, but with jcrinstall you just have to
setup Sling:OsgiConfig nodes in the repository with names that match
the service PIDs, so configs can be provided as initial content.
See http://sling.apache.org/site/jcr-installer-jcrjcrinstall-and-osgiinstaller.html
for an example (that uses curl ;-)
-Bertrand
RE: [DISCUSS] switching off Basic Auth as default?
Posted by Mike Müller <mi...@mysign.ch>.
>>> snip snap
> > What I'm thinking is rather something like Justin is probably working on:
> > A config file which you can pack into the launchpad...
>
> Indeed, but to be clear, the solution I proposed is only for initial/startup
> configuration. For runtime configuration, JCR Install, File Install, Web Console,
> and JMX are all more suitable solutions.
>
> Justin
That's seems to be exactly what I need: easy configuration by file for startup.
best regards
Re: [DISCUSS] switching off Basic Auth as default?
Posted by Justin Edelson <ju...@justinedelson.com>.
On Oct 6, 2010, at 12:17 PM, Mike Müller <mi...@mysign.ch> wrote:
>
>
>> -----Original Message-----
>> From: Felix Meschberger [mailto:fmeschbe@gmail.com]
>> Sent: Wednesday, October 06, 2010 6:10 PM
>> To: dev@sling.apache.org
>> Subject: Re: [DISCUSS] switching off Basic Auth as default?
>>
>> Hi,
>>
>> On 06.10.2010 17:10, Mike Müller wrote:
>>>> Without this support, you can pretty easily do something similar with a
>>>> component like this: http://gist.github.com/611550
>>>
>>> But to end this discussion: I don't think it's worth to fight about if
>>> Basic should be enabled or not, but maybe it's worth to think about
>>> some possibility to take Sling as it is and put in a single conf file into
>>> the jar or the directory to set all defaults like one wants to have them,
>>> without having to patch the source code like Ian mentioned (change
>>> annotations...)
>>
>> Basically we have the functionaliyt to overwrite defaults: Its
>> configurtion. You can manage them in the Web Console or you can provide
>> different defaults using configuration files in the repository or the
>> filesystem using the Installer functionality.
>>
>> IIRC Justin is working on a provider to pack configuration files in the
>> Sling Launchpad to have it deployed automatically.
>
> Thanks fort he hints.
> The Web Console is not really helpfully in the case you have 200 installations ;-))
Your other option is to use JMX from a central management console. If you have 200 nodes, turning off Basic Auth is just one of many management challenges.
> What I'm thinking is rather something like Justin is probably working on:
> A config file which you can pack into the launchpad...
Indeed, but to be clear, the solution I proposed is only for initial/startup configuration. For runtime configuration, JCR Install, File Install, Web Console, and JMX are all more suitable solutions.
Justin
> Tob e honest I do not know anything about to possibility to achieve this
> with JCR installer or files in the file system... apparently I have to look into this!
>
> best regards
> mike
>
>
Re: [DISCUSS] switching off Basic Auth as default?
Posted by Carsten Ziegeler <cz...@apache.org>.
Mike Müller wrote
>
> Thanks fort he hints.
> The Web Console is not really helpfully in the case you have 200 installations ;-))
> What I'm thinking is rather something like Justin is probably working on:
> A config file which you can pack into the launchpad...
Yes, I think that's the best solution.
> Tob e honest I do not know anything about to possibility to achieve this
> with JCR installer or files in the file system... apparently I have to look into this!
>
With file install it's easy as well, just add our installer core and
file installer provider bundles and set a system property
"sling.fileinstall.dir" pointing to a directory containing the config
files on startup.
Now, this is of course not the best solution for deployments, but at
least for development it's quiet nice and easy as you can just
drop/remove stuff from that dir at runtime - or edit the files directly.
Carsten
--
Carsten Ziegeler
cziegeler@apache.org
RE: [DISCUSS] switching off Basic Auth as default?
Posted by Mike Müller <mi...@mysign.ch>.
> -----Original Message-----
> From: Felix Meschberger [mailto:fmeschbe@gmail.com]
> Sent: Wednesday, October 06, 2010 6:10 PM
> To: dev@sling.apache.org
> Subject: Re: [DISCUSS] switching off Basic Auth as default?
>
> Hi,
>
> On 06.10.2010 17:10, Mike Müller wrote:
> >> Without this support, you can pretty easily do something similar with a
> >> component like this: http://gist.github.com/611550
> >
> > But to end this discussion: I don't think it's worth to fight about if
> > Basic should be enabled or not, but maybe it's worth to think about
> > some possibility to take Sling as it is and put in a single conf file into
> > the jar or the directory to set all defaults like one wants to have them,
> > without having to patch the source code like Ian mentioned (change
> > annotations...)
>
> Basically we have the functionaliyt to overwrite defaults: Its
> configurtion. You can manage them in the Web Console or you can provide
> different defaults using configuration files in the repository or the
> filesystem using the Installer functionality.
>
> IIRC Justin is working on a provider to pack configuration files in the
> Sling Launchpad to have it deployed automatically.
Thanks fort he hints.
The Web Console is not really helpfully in the case you have 200 installations ;-))
What I'm thinking is rather something like Justin is probably working on:
A config file which you can pack into the launchpad...
Tob e honest I do not know anything about to possibility to achieve this
with JCR installer or files in the file system... apparently I have to look into this!
best regards
mike
Re: [DISCUSS] switching off Basic Auth as default?
Posted by Felix Meschberger <fm...@gmail.com>.
Hi,
On 06.10.2010 17:10, Mike Müller wrote:
>> Without this support, you can pretty easily do something similar with a
>> component like this: http://gist.github.com/611550
>
> But to end this discussion: I don't think it's worth to fight about if
> Basic should be enabled or not, but maybe it's worth to think about
> some possibility to take Sling as it is and put in a single conf file into
> the jar or the directory to set all defaults like one wants to have them,
> without having to patch the source code like Ian mentioned (change
> annotations...)
Basically we have the functionaliyt to overwrite defaults: Its
configurtion. You can manage them in the Web Console or you can provide
different defaults using configuration files in the repository or the
filesystem using the Installer functionality.
IIRC Justin is working on a provider to pack configuration files in the
Sling Launchpad to have it deployed automatically.
Regards
Felix
>
> best regards
> mike
>
>> Justin
>>
>>>
>>> [1] http://markmail.org/thread/nmcjhvq46ihok7p2
>>> [2] https://issues.apache.org/jira/browse/SLING-1765
>>>
>>> best regards
>>> mike
>
>
RE: [DISCUSS] switching off Basic Auth as default?
Posted by Mike Müller <mi...@mysign.ch>.
> -----Original Message-----
> From: Justin Edelson [mailto:justinedelson@gmail.com]
> Sent: Tuesday, October 05, 2010 3:57 PM
> To: dev@sling.apache.org
> Subject: Re: [DISCUSS] switching off Basic Auth as default?
>
> On 10/5/10 4:44 AM, Mike Müller wrote:
> > Hi
> >
> > As of the discussion in [1] I like to start a new discussion
> > about whether to disable or enable Basic Auth per default.
> > The initial reason to disable it, were the problems appeared
> > in the Sling Explorer after logging in under /system/console
> > with Basic Auth (SLING-1765 [2]).
> To boil it down, the problem identified in SLING-1765 is that if a user
> logs into the OSGi web console and then visits any Sling application
> (including, but not limited to, the Sling Explorer), the user is still
> logged in.
>
> There are three things which come to my mind about this:
> 1) The problem is that the Felix web console uses Basic Auth, not that
> Sling supports preemptive Basic Auth. Therefore, we should be changing
> the web console, not Sling's default configuration.
>
> 2) Couldn't you work around this by removing the
> org.apache.sling.extensions.webconsolesecurityprovider bundle and making
> it so that the Jackrabbit and Felix admin passwords weren't the same?
>
> 3) Aren't we talking about a relatively small number of advanced users?
> The OSGi web console doesn't have any kind of RBAC, so I can't imagine
> we're talking about end users or even normal content editors being
> impacted here. If someone can be trusted to muck around with the OSGi
> web console, they should be able to understand how to resolve the
> scenario described.
I don't agree here: The problem is not the web console itself, the real
Basic Auth issues are how browsers treat Basic Auth. And with Basic Auth
enabled this affects not only advanced users but all users of an application
using Basic Auth.
> >
> > With Basic Auth on we've got serveral issues in the browsers:
> > - Some browsers pass credentials even on parent paths
> > where credentials should not be sent.
> > - Logout is mostly a problem
> >
> > With other clients than browsers these issues doesn't exist.
> >
> > I think we agree on the fact that it would be better/safer
> > to disable Basic Auth if there would not be a backward
> > compatibility issue with it.
> I don't agree with this at all. IMHO, Basic Auth is preferable for
> command-line tools, scripts, and the like.
I think Sling is more about web application running in the browser
than command line tools - and as saidf before, the issues with
Basic Auth apply mostly to browsers.
But read on...
>
> >
> > What crossed my mind is, that it would be very pratical to
> > have something like a conf file where you can overwrite
> > defaults from components as you wish. The conf file should
> > be placed into the Sling launchpad which reads the properties
> > and overwrites the defaults. But that's a little bit off topic here,
> > but would solve the problem that someone has to patch
> > the source only because of another default value...
> See http://markmail.org/message/pvria2dxnifmllmu. I've been short on
> time and trying to get the Emma integration done, but as soon as that's
> finished, I can start integrating the ConfigAdmin/Launchpad code.
>
> Without this support, you can pretty easily do something similar with a
> component like this: http://gist.github.com/611550
But to end this discussion: I don't think it's worth to fight about if
Basic should be enabled or not, but maybe it's worth to think about
some possibility to take Sling as it is and put in a single conf file into
the jar or the directory to set all defaults like one wants to have them,
without having to patch the source code like Ian mentioned (change
annotations...)
best regards
mike
> Justin
>
> >
> > [1] http://markmail.org/thread/nmcjhvq46ihok7p2
> > [2] https://issues.apache.org/jira/browse/SLING-1765
> >
> > best regards
> > mike
Re: [DISCUSS] switching off Basic Auth as default?
Posted by Justin Edelson <ju...@gmail.com>.
On 10/5/10 4:44 AM, Mike Müller wrote:
> Hi
>
> As of the discussion in [1] I like to start a new discussion
> about whether to disable or enable Basic Auth per default.
> The initial reason to disable it, were the problems appeared
> in the Sling Explorer after logging in under /system/console
> with Basic Auth (SLING-1765 [2]).
To boil it down, the problem identified in SLING-1765 is that if a user
logs into the OSGi web console and then visits any Sling application
(including, but not limited to, the Sling Explorer), the user is still
logged in.
There are three things which come to my mind about this:
1) The problem is that the Felix web console uses Basic Auth, not that
Sling supports preemptive Basic Auth. Therefore, we should be changing
the web console, not Sling's default configuration.
2) Couldn't you work around this by removing the
org.apache.sling.extensions.webconsolesecurityprovider bundle and making
it so that the Jackrabbit and Felix admin passwords weren't the same?
3) Aren't we talking about a relatively small number of advanced users?
The OSGi web console doesn't have any kind of RBAC, so I can't imagine
we're talking about end users or even normal content editors being
impacted here. If someone can be trusted to muck around with the OSGi
web console, they should be able to understand how to resolve the
scenario described.
>
> With Basic Auth on we've got serveral issues in the browsers:
> - Some browsers pass credentials even on parent paths
> where credentials should not be sent.
> - Logout is mostly a problem
>
> With other clients than browsers these issues doesn't exist.
>
> I think we agree on the fact that it would be better/safer
> to disable Basic Auth if there would not be a backward
> compatibility issue with it.
I don't agree with this at all. IMHO, Basic Auth is preferable for
command-line tools, scripts, and the like.
>
> What crossed my mind is, that it would be very pratical to
> have something like a conf file where you can overwrite
> defaults from components as you wish. The conf file should
> be placed into the Sling launchpad which reads the properties
> and overwrites the defaults. But that's a little bit off topic here,
> but would solve the problem that someone has to patch
> the source only because of another default value...
See http://markmail.org/message/pvria2dxnifmllmu. I've been short on
time and trying to get the Emma integration done, but as soon as that's
finished, I can start integrating the ConfigAdmin/Launchpad code.
Without this support, you can pretty easily do something similar with a
component like this: http://gist.github.com/611550
Justin
>
> [1] http://markmail.org/thread/nmcjhvq46ihok7p2
> [2] https://issues.apache.org/jira/browse/SLING-1765
>
> best regards
> mike
RE: [DISCUSS] switching off Basic Auth as default?
Posted by Mike Müller <mi...@mysign.ch>.
> Hi Mike,
>
> Thanks for starting the discussion (and please revert the SLING-1817
> changes for now as they break our integration tests).
I already reverted them in r1004569...
best regards
mike
Re: [DISCUSS] switching off Basic Auth as default?
Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi Mike,
Thanks for starting the discussion (and please revert the SLING-1817
changes for now as they break our integration tests).
On Tue, Oct 5, 2010 at 10:44 AM, Mike Müller <mi...@mysign.ch> wrote:
> ...As of the discussion in [1] I like to start a new discussion
> about whether to disable or enable Basic Auth per default.
> The initial reason to disable it, were the problems appeared
> in the Sling Explorer after logging in under /system/console
> with Basic Auth (SLING-1765 [2])...
So my understanding is that's a Sling Explorer problem, what prevents
it from being fixed there?
>
> With Basic Auth on we've got serveral issues in the browsers:
> - Some browsers pass credentials even on parent paths
> where credentials should not be sent....
IIUC forcing login to happen on / would fix that, or not?
> ...With other clients than browsers these issues doesn't exist....
But disabling basic auth will cause those clients (curl, our
integration tests, our docs and examples, Sakai's extensive suite of
tests) to fail, so I don't think that's an option.
-Bertrand
Re: [DISCUSS] switching off Basic Auth as default?
Posted by Ian Boston <ie...@tfd.co.uk>.
On 5 Oct 2010, at 09:44, Mike Müller wrote:
> With Basic Auth on we've got serveral issues in the browsers:
> - Some browsers pass credentials even on parent paths
> where credentials should not be sent.
> - Logout is mostly a problem
We have hit exactly this problem with users logging into the console using basic auth, and you are right there is no way of logging out of basic auth except by the user telling the browser to drop the credentials (supported by some browsers) or closing the browser.
So we tell users to do just that, and almost without exception, they do it.
Well I tell a lie, there is a way of forcing the browser to logout.... tell it the credentials it supplied are bad even if they are not. That will popup a browser login window where the user can cancel it....we decided that was too confusing for the average user an so told them to do it via the browser.
As Bertrand said, we have lots of things depending on basic auth authentication, and although we could patch the app sever build locally I would prefer not to as some of the people we train up into how to build apps on Nakamura don't go on to use our code, preferring native Sling.
Ian
RE: [DISCUSS] switching off Basic Auth as default?
Posted by Mike Müller <mi...@mysign.ch>.
> Hi,
>
> I don't have any hard feelings here, both ways are basically ok for me.
>
> On the other hand, given...
>
> * we documented how to use HTTP Basic Auth with cURL
> * we use HTTP Basic auth in the integration tests
> * Web Console is no intended for the average user
>
> I tend to be slightly biased towards keeping HTTP Basic authentication
> active in preemptive mode.
>
> To fix the Web Console problem, I created FELIX-2639 [1] to enhance the
> security provider mechanism. Once we have FELIX-2639 fixed we can
> enhance our own security provider to use Auth Core for authentication
> and have solved the problem.
>
> WDYT ?
>
> Regards
> Felix
Haven't seen your post before my last post...
Nevertheless, +1 for keeping the Basic Auth on.
But I would like to have an easy way to change default
values in Sling (or other) components/bundles.
That's why I created SLING-1822...
best regards
mike
Re: [DISCUSS] switching off Basic Auth as default?
Posted by Felix Meschberger <fm...@gmail.com>.
Hi,
I don't have any hard feelings here, both ways are basically ok for me.
On the other hand, given...
* we documented how to use HTTP Basic Auth with cURL
* we use HTTP Basic auth in the integration tests
* Web Console is no intended for the average user
I tend to be slightly biased towards keeping HTTP Basic authentication
active in preemptive mode.
To fix the Web Console problem, I created FELIX-2639 [1] to enhance the
security provider mechanism. Once we have FELIX-2639 fixed we can
enhance our own security provider to use Auth Core for authentication
and have solved the problem.
WDYT ?
Regards
Felix
[1] https://issues.apache.org/jira/browse/FELIX-2639
On 05.10.2010 10:44, Mike Müller wrote:
> Hi
>
> As of the discussion in [1] I like to start a new discussion
> about whether to disable or enable Basic Auth per default.
> The initial reason to disable it, were the problems appeared
> in the Sling Explorer after logging in under /system/console
> with Basic Auth (SLING-1765 [2]).
>
> With Basic Auth on we've got serveral issues in the browsers:
> - Some browsers pass credentials even on parent paths
> where credentials should not be sent.
> - Logout is mostly a problem
>
> With other clients than browsers these issues doesn't exist.
>
> I think we agree on the fact that it would be better/safer
> to disable Basic Auth if there would not be a backward
> compatibility issue with it.
>
> What crossed my mind is, that it would be very pratical to
> have something like a conf file where you can overwrite
> defaults from components as you wish. The conf file should
> be placed into the Sling launchpad which reads the properties
> and overwrites the defaults. But that's a little bit off topic here,
> but would solve the problem that someone has to patch
> the source only because of another default value...
>
> [1] http://markmail.org/thread/nmcjhvq46ihok7p2
> [2] https://issues.apache.org/jira/browse/SLING-1765
>
> best regards
> mike
>