You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@wookie.apache.org by Ross Gardler <rg...@opendirective.com> on 2011/10/29 02:28:38 UTC
Being asked for login to access a proxied URL
Any idea why I'm being asked to login to wookie (via basic
authentication) to access a proxied URL.
e.g. http://localhost:8080/wookie/proxy?instanceid_key=Mwp1GaQDZoyOOVvjnQ.sl.withW4DE.eq.&url=http://api.twitter.com/1/statuses/show.xml?id=129284508087357440&include_entities=false
Accessing the URL directly in the browser presents no problem.
The weather widget (which also makes a proxied request) works fine.
The strange thing is that I was not seeing this behaviour earlier
today. I've done a clean build and removed the database.
Any ideas?
Ross
--
Ross Gardler (@rgardler)
Programme Leader (Open Development)
OpenDirective http://opendirective.com
Re: Being asked for login to access a proxied URL
Posted by Scott Wilson <sc...@gmail.com>.
Weird,
In any case I've started work on fixing WOOKIE-251, which may solve a few things along the way.
On 29 Oct 2011, at 23:00, Ross Gardler wrote:
> I still have no idea why this was happening, however I rebooted the
> machine to ensure there were not strange remnants lieing around and it
> now works - no code changes at all.
>
> If it happens again I'll try and track down the problem.
>
> Ross
>
> On 29 October 2011 22:37, Ross Gardler <rg...@opendirective.com> wrote:
>> On 29 October 2011 01:43, Ross Gardler <rg...@opendirective.com> wrote:
>>> On 29 October 2011 01:28, Ross Gardler <rg...@opendirective.com> wrote:
>>>> Any idea why I'm being asked to login to wookie (via basic
>>>> authentication) to access a proxied URL.
>>>>
>>>> e.g. http://localhost:8080/wookie/proxy?instanceid_key=Mwp1GaQDZoyOOVvjnQ.sl.withW4DE.eq.&url=http://api.twitter.com/1/statuses/show.xml?id=129284508087357440&include_entities=false
>>>>
>>>> Accessing the URL directly in the browser presents no problem.
>>>
>>> It seems there is an OAuth challenge on the proxied request, but not
>>> on the browser request. Strange...
>>>
>>> I'm still stumped.
>>
>> I've now tested this with another widget that is accessing a different
>> REST API. Same result. Again, there is no need for authentication on
>> this API and entering the URL directly in the browser works just fine.
>>
>> I'm still trying to debug, but if anyone has any pointers as to why
>> this might be happening (remember, it has only just started happening
>> - everything worked fine just a couple of days ago).
>>
>> Ross
>>
>>
>>>
>>>>
>>>> The weather widget (which also makes a proxied request) works fine.
>>>>
>>>> The strange thing is that I was not seeing this behaviour earlier
>>>> today. I've done a clean build and removed the database.
>>>>
>>>> Any ideas?
>>>>
>>>> Ross
>>>>
>>>> --
>>>> Ross Gardler (@rgardler)
>>>> Programme Leader (Open Development)
>>>> OpenDirective http://opendirective.com
>>>>
>>>
>>>
>>>
>>> --
>>> Ross Gardler (@rgardler)
>>> Programme Leader (Open Development)
>>> OpenDirective http://opendirective.com
>>>
>>
>>
>>
>> --
>> Ross Gardler (@rgardler)
>> Programme Leader (Open Development)
>> OpenDirective http://opendirective.com
>>
>
>
>
> --
> Ross Gardler (@rgardler)
> Programme Leader (Open Development)
> OpenDirective http://opendirective.com
Re: Being asked for login to access a proxied URL
Posted by Ross Gardler <rg...@opendirective.com>.
I still have no idea why this was happening, however I rebooted the
machine to ensure there were not strange remnants lieing around and it
now works - no code changes at all.
If it happens again I'll try and track down the problem.
Ross
On 29 October 2011 22:37, Ross Gardler <rg...@opendirective.com> wrote:
> On 29 October 2011 01:43, Ross Gardler <rg...@opendirective.com> wrote:
>> On 29 October 2011 01:28, Ross Gardler <rg...@opendirective.com> wrote:
>>> Any idea why I'm being asked to login to wookie (via basic
>>> authentication) to access a proxied URL.
>>>
>>> e.g. http://localhost:8080/wookie/proxy?instanceid_key=Mwp1GaQDZoyOOVvjnQ.sl.withW4DE.eq.&url=http://api.twitter.com/1/statuses/show.xml?id=129284508087357440&include_entities=false
>>>
>>> Accessing the URL directly in the browser presents no problem.
>>
>> It seems there is an OAuth challenge on the proxied request, but not
>> on the browser request. Strange...
>>
>> I'm still stumped.
>
> I've now tested this with another widget that is accessing a different
> REST API. Same result. Again, there is no need for authentication on
> this API and entering the URL directly in the browser works just fine.
>
> I'm still trying to debug, but if anyone has any pointers as to why
> this might be happening (remember, it has only just started happening
> - everything worked fine just a couple of days ago).
>
> Ross
>
>
>>
>>>
>>> The weather widget (which also makes a proxied request) works fine.
>>>
>>> The strange thing is that I was not seeing this behaviour earlier
>>> today. I've done a clean build and removed the database.
>>>
>>> Any ideas?
>>>
>>> Ross
>>>
>>> --
>>> Ross Gardler (@rgardler)
>>> Programme Leader (Open Development)
>>> OpenDirective http://opendirective.com
>>>
>>
>>
>>
>> --
>> Ross Gardler (@rgardler)
>> Programme Leader (Open Development)
>> OpenDirective http://opendirective.com
>>
>
>
>
> --
> Ross Gardler (@rgardler)
> Programme Leader (Open Development)
> OpenDirective http://opendirective.com
>
--
Ross Gardler (@rgardler)
Programme Leader (Open Development)
OpenDirective http://opendirective.com
Re: Being asked for login to access a proxied URL
Posted by Ross Gardler <rg...@opendirective.com>.
On 29 October 2011 01:43, Ross Gardler <rg...@opendirective.com> wrote:
> On 29 October 2011 01:28, Ross Gardler <rg...@opendirective.com> wrote:
>> Any idea why I'm being asked to login to wookie (via basic
>> authentication) to access a proxied URL.
>>
>> e.g. http://localhost:8080/wookie/proxy?instanceid_key=Mwp1GaQDZoyOOVvjnQ.sl.withW4DE.eq.&url=http://api.twitter.com/1/statuses/show.xml?id=129284508087357440&include_entities=false
>>
>> Accessing the URL directly in the browser presents no problem.
>
> It seems there is an OAuth challenge on the proxied request, but not
> on the browser request. Strange...
>
> I'm still stumped.
I've now tested this with another widget that is accessing a different
REST API. Same result. Again, there is no need for authentication on
this API and entering the URL directly in the browser works just fine.
I'm still trying to debug, but if anyone has any pointers as to why
this might be happening (remember, it has only just started happening
- everything worked fine just a couple of days ago).
Ross
>
>>
>> The weather widget (which also makes a proxied request) works fine.
>>
>> The strange thing is that I was not seeing this behaviour earlier
>> today. I've done a clean build and removed the database.
>>
>> Any ideas?
>>
>> Ross
>>
>> --
>> Ross Gardler (@rgardler)
>> Programme Leader (Open Development)
>> OpenDirective http://opendirective.com
>>
>
>
>
> --
> Ross Gardler (@rgardler)
> Programme Leader (Open Development)
> OpenDirective http://opendirective.com
>
--
Ross Gardler (@rgardler)
Programme Leader (Open Development)
OpenDirective http://opendirective.com
Re: Being asked for login to access a proxied URL
Posted by Ross Gardler <rg...@opendirective.com>.
On 29 October 2011 01:28, Ross Gardler <rg...@opendirective.com> wrote:
> Any idea why I'm being asked to login to wookie (via basic
> authentication) to access a proxied URL.
>
> e.g. http://localhost:8080/wookie/proxy?instanceid_key=Mwp1GaQDZoyOOVvjnQ.sl.withW4DE.eq.&url=http://api.twitter.com/1/statuses/show.xml?id=129284508087357440&include_entities=false
>
> Accessing the URL directly in the browser presents no problem.
It seems there is an OAuth challenge on the proxied request, but not
on the browser request. Strange...
I'm still stumped.
>
> The weather widget (which also makes a proxied request) works fine.
>
> The strange thing is that I was not seeing this behaviour earlier
> today. I've done a clean build and removed the database.
>
> Any ideas?
>
> Ross
>
> --
> Ross Gardler (@rgardler)
> Programme Leader (Open Development)
> OpenDirective http://opendirective.com
>
--
Ross Gardler (@rgardler)
Programme Leader (Open Development)
OpenDirective http://opendirective.com
Re: Being asked for login to access a proxied URL
Posted by Ross Gardler <rg...@opendirective.com>.
On 30 October 2011 15:18, Scott Wilson <sc...@gmail.com> wrote:
> As you may have noticed from WOOKIE-283 this turned out to be a far worse problem than not getting some twitter updates.
>
> I don't know what the original UC was for including Base64 authz headers, so I've just commented out all the code including them, and disabled the header type from being passed by other means.
>
I can confirm that this has solved the problem from the widget
perspective. Thanks.
> As its a critical security bug I suggest rolling this into the 0.9.1 release and issuing an advisory rather than waiting for 0.9.2.
>
+1
Normally such security concerns would normally be dealt with on the
private list until resolved.
I suggest liaising with security@apache.org for guidance.
Ross
> On 30 Oct 2011, at 14:21, Ross Gardler wrote:
>
>> On 29 October 2011 01:28, Ross Gardler <rg...@opendirective.com> wrote:
>>> Any idea why I'm being asked to login to wookie (via basic
>>> authentication) to access a proxied URL.
>>>
>>> e.g. http://localhost:8080/wookie/proxy?instanceid_key=Mwp1GaQDZoyOOVvjnQ.sl.withW4DE.eq.&url=http://api.twitter.com/1/statuses/show.xml?id=129284508087357440&include_entities=false
>>>
>>> Accessing the URL directly in the browser presents no problem.
>>
>> I can now reproduce this reliably using the item detail template test
>> widget or the browse template test widget:
>>
>> Preparation:
>>
>> - you need a fresh browser on which you have *not* logged into the
>> admin console
>> - deploy the template test widgets: cd widgets/templates; ant
>> generate-test-widgets
>> - visit the "Browse Test Widget"
>> - everything should work fine
>>
>> Reproduce the problem:
>>
>> - log into the wookie admin interface
>> - visit the Browse Test Widget
>> - you will be asked to login
>>
>>> The weather widget (which also makes a proxied request) works fine.
>>
>> This remains the case. I can only assume that this indicates a
>> difference in the interaction styles. The weather widget simply
>> consumes an RSS feed, the twitter widgets consume a REST service.
>>
>> I've raised an issue at https://issues.apache.org/jira/browse/WOOKIE-283
>>
>> Ross
>
>
--
Ross Gardler (@rgardler)
Programme Leader (Open Development)
OpenDirective http://opendirective.com
Re: Being asked for login to access a proxied URL
Posted by Scott Wilson <sc...@gmail.com>.
As you may have noticed from WOOKIE-283 this turned out to be a far worse problem than not getting some twitter updates.
I don't know what the original UC was for including Base64 authz headers, so I've just commented out all the code including them, and disabled the header type from being passed by other means.
As its a critical security bug I suggest rolling this into the 0.9.1 release and issuing an advisory rather than waiting for 0.9.2.
On 30 Oct 2011, at 14:21, Ross Gardler wrote:
> On 29 October 2011 01:28, Ross Gardler <rg...@opendirective.com> wrote:
>> Any idea why I'm being asked to login to wookie (via basic
>> authentication) to access a proxied URL.
>>
>> e.g. http://localhost:8080/wookie/proxy?instanceid_key=Mwp1GaQDZoyOOVvjnQ.sl.withW4DE.eq.&url=http://api.twitter.com/1/statuses/show.xml?id=129284508087357440&include_entities=false
>>
>> Accessing the URL directly in the browser presents no problem.
>
> I can now reproduce this reliably using the item detail template test
> widget or the browse template test widget:
>
> Preparation:
>
> - you need a fresh browser on which you have *not* logged into the
> admin console
> - deploy the template test widgets: cd widgets/templates; ant
> generate-test-widgets
> - visit the "Browse Test Widget"
> - everything should work fine
>
> Reproduce the problem:
>
> - log into the wookie admin interface
> - visit the Browse Test Widget
> - you will be asked to login
>
>> The weather widget (which also makes a proxied request) works fine.
>
> This remains the case. I can only assume that this indicates a
> difference in the interaction styles. The weather widget simply
> consumes an RSS feed, the twitter widgets consume a REST service.
>
> I've raised an issue at https://issues.apache.org/jira/browse/WOOKIE-283
>
> Ross
Re: Being asked for login to access a proxied URL
Posted by Ross Gardler <rg...@opendirective.com>.
On 29 October 2011 01:28, Ross Gardler <rg...@opendirective.com> wrote:
> Any idea why I'm being asked to login to wookie (via basic
> authentication) to access a proxied URL.
>
> e.g. http://localhost:8080/wookie/proxy?instanceid_key=Mwp1GaQDZoyOOVvjnQ.sl.withW4DE.eq.&url=http://api.twitter.com/1/statuses/show.xml?id=129284508087357440&include_entities=false
>
> Accessing the URL directly in the browser presents no problem.
I can now reproduce this reliably using the item detail template test
widget or the browse template test widget:
Preparation:
- you need a fresh browser on which you have *not* logged into the
admin console
- deploy the template test widgets: cd widgets/templates; ant
generate-test-widgets
- visit the "Browse Test Widget"
- everything should work fine
Reproduce the problem:
- log into the wookie admin interface
- visit the Browse Test Widget
- you will be asked to login
> The weather widget (which also makes a proxied request) works fine.
This remains the case. I can only assume that this indicates a
difference in the interaction styles. The weather widget simply
consumes an RSS feed, the twitter widgets consume a REST service.
I've raised an issue at https://issues.apache.org/jira/browse/WOOKIE-283
Ross