Posted to dev@sling.apache.org by "Jason Rose (JIRA)" <ji...@apache.org> on 2010/03/08 22:57:27 UTC

[jira] Created: (SLING-1428) Failed Form Auth via AJAX Does not Return Status 403

Failed Form Auth via AJAX Does not Return Status 403
----------------------------------------------------

                 Key: SLING-1428
                 URL: https://issues.apache.org/jira/browse/SLING-1428
             Project: Sling
          Issue Type: Bug
            Reporter: Jason Rose


Posting:
j_username=<some gibberish>
j_password=<some gibberish>
j_validate=true

Returns status 200 and the HTML for the auth page.  Looking at the sessionInfo.json shows me that I'm authenticated as anonymous, as intended, but the docs say I should have received a status code 403.

Authenticating as a known user does indeed work as intended.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (SLING-1428) Failed Form Auth via AJAX Does not Return Status 403

Posted by "Justin Edelson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12913613#action_12913613 ] 

Justin Edelson commented on SLING-1428:
---------------------------------------

This now appears to be caused by inclusion of the selector auth bundle. If you remove that bundle, this is no longer reproducible.

> Failed Form Auth via AJAX Does not Return Status 403
> ----------------------------------------------------
>
>                 Key: SLING-1428
>                 URL: https://issues.apache.org/jira/browse/SLING-1428
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>            Reporter: Jason Rose
>
> Posting:
> j_username=<some gibberish>
> j_password=<some gibberish>
> j_validate=true
> Returns status 200 and the HTML for the auth page.  Looking at the sessionInfo.json shows me that I'm authenticated as anonymous, as intended, but the docs say I should have received a status code 403.
> Authenticating as a known user does indeed work as intended.



[jira] Updated: (SLING-1428) Failed Form Auth via AJAX Does not Return Status 403

Posted by "Justin Edelson (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Edelson updated SLING-1428:
----------------------------------

    Component/s: Authentication
                     (was: Extensions)

> Failed Form Auth via AJAX Does not Return Status 403
> ----------------------------------------------------
>
>                 Key: SLING-1428
>                 URL: https://issues.apache.org/jira/browse/SLING-1428
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>            Reporter: Jason Rose
>
> Posting:
> j_username=<some gibberish>
> j_password=<some gibberish>
> j_validate=true
> Returns status 200 and the HTML for the auth page.  Looking at the sessionInfo.json shows me that I'm authenticated as anonymous, as intended, but the docs say I should have received a status code 403.
> Authenticating as a known user does indeed work as intended.



[jira] Updated: (SLING-1428) Failed Form Auth via AJAX Does not Return Status 403

Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler updated SLING-1428:
------------------------------------

    Component/s: Extensions

> Failed Form Auth via AJAX Does not Return Status 403
> ----------------------------------------------------
>
>                 Key: SLING-1428
>                 URL: https://issues.apache.org/jira/browse/SLING-1428
>             Project: Sling
>          Issue Type: Bug
>          Components: Extensions
>            Reporter: Jason Rose
>
> Posting:
> j_username=<some gibberish>
> j_password=<some gibberish>
> j_validate=true
> Returns status 200 and the HTML for the auth page.  Looking at the sessionInfo.json shows me that I'm authenticated as anonymous, as intended, but the docs say I should have received a status code 403.
> Authenticating as a known user does indeed work as intended.



[jira] Commented: (SLING-1428) Failed Form Auth via AJAX Does not Return Status 403

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12914039#action_12914039 ] 

Felix Meschberger commented on SLING-1428:
------------------------------------------

Actually, the commit for the SlingAuthenticator was also missing. Done now in Rev. 1000472.

> Failed Form Auth via AJAX Does not Return Status 403
> ----------------------------------------------------
>
>                 Key: SLING-1428
>                 URL: https://issues.apache.org/jira/browse/SLING-1428
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: Form Based Authentication 1.0.0
>            Reporter: Jason Rose
>            Assignee: Felix Meschberger
>             Fix For: Form Based Authentication 1.0.2, Auth Core 1.0.4
>
>
> Posting:
> j_username=<some gibberish>
> j_password=<some gibberish>
> j_validate=true
> Returns status 200 and the HTML for the auth page.  Looking at the sessionInfo.json shows me that I'm authenticated as anonymous, as intended, but the docs say I should have received a status code 403.
> Authenticating as a known user does indeed work as intended.



[jira] Commented: (SLING-1428) Failed Form Auth via AJAX Does not Return Status 403

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12914388#action_12914388 ] 

Felix Meschberger commented on SLING-1428:
------------------------------------------

Reconsidering this, I think the "j_validate" functionality would be a nice functionality to be added to the Sling Authenticator for use by all authentication handlers.

So here is my proposal for handling the j_validate request parameter:

  * If extractCredentials returns AUTH_FAIL and j_validate is set, a 403 is returned with the X-Reason header
  * During getResolver:
        - if resolver is acquired: call feedback handler and return 200
        - if resolver not acquired: call feedback handler and return 403 with X-Reason header

> Failed Form Auth via AJAX Does not Return Status 403
> ----------------------------------------------------
>
>                 Key: SLING-1428
>                 URL: https://issues.apache.org/jira/browse/SLING-1428
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: Form Based Authentication 1.0.0
>            Reporter: Jason Rose
>            Assignee: Felix Meschberger
>             Fix For: Form Based Authentication 1.0.2, Auth Core 1.0.4
>
>
> Posting:
> j_username=<some gibberish>
> j_password=<some gibberish>
> j_validate=true
> Returns status 200 and the HTML for the auth page.  Looking at the sessionInfo.json shows me that I'm authenticated as anonymous, as intended, but the docs say I should have received a status code 403.
> Authenticating as a known user does indeed work as intended.



[jira] Commented: (SLING-1428) Failed Form Auth via AJAX Does not Return Status 403

Posted by "Justin Edelson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12914451#action_12914451 ] 

Justin Edelson commented on SLING-1428:
---------------------------------------

> Reconsidering this, I think the "j_validate" functionality would be a nice functionality to be added to the Sling Authenticator for use by all authentication handlers. 
+1

> Failed Form Auth via AJAX Does not Return Status 403
> ----------------------------------------------------
>
>                 Key: SLING-1428
>                 URL: https://issues.apache.org/jira/browse/SLING-1428
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: Form Based Authentication 1.0.0
>            Reporter: Jason Rose
>            Assignee: Felix Meschberger
>             Fix For: Form Based Authentication 1.0.2, Auth Core 1.0.4
>
>
> Posting:
> j_username=<some gibberish>
> j_password=<some gibberish>
> j_validate=true
> Returns status 200 and the HTML for the auth page.  Looking at the sessionInfo.json shows me that I'm authenticated as anonymous, as intended, but the docs say I should have received a status code 403.
> Authenticating as a known user does indeed work as intended.



[jira] Resolved: (SLING-1428) Failed Form Auth via AJAX Does not Return Status 403

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger resolved SLING-1428.
--------------------------------------

    Fix Version/s:     (was: Form Based Authentication 1.0.2)
       Resolution: Fixed

Added integration tests from http://codereview.appspot.com/2252043 in Rev. 1001058.

> Failed Form Auth via AJAX Does not Return Status 403
> ----------------------------------------------------
>
>                 Key: SLING-1428
>                 URL: https://issues.apache.org/jira/browse/SLING-1428
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: Form Based Authentication 1.0.0
>            Reporter: Jason Rose
>            Assignee: Felix Meschberger
>             Fix For: Auth Core 1.0.4
>
>
> Posting:
> j_username=<some gibberish>
> j_password=<some gibberish>
> j_validate=true
> Returns status 200 and the HTML for the auth page.  Looking at the sessionInfo.json shows me that I'm authenticated as anonymous, as intended, but the docs say I should have received a status code 403.
> Authenticating as a known user does indeed work as intended.



[jira] Commented: (SLING-1428) Failed Form Auth via AJAX Does not Return Status 403

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12913794#action_12913794 ] 

Felix Meschberger commented on SLING-1428:
------------------------------------------

Taking over to fix as proposed by Justin Edelson in http://codereview.appspot.com/2252043

> Failed Form Auth via AJAX Does not Return Status 403
> ----------------------------------------------------
>
>                 Key: SLING-1428
>                 URL: https://issues.apache.org/jira/browse/SLING-1428
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>            Reporter: Jason Rose
>            Assignee: Felix Meschberger
>
> Posting:
> j_username=<some gibberish>
> j_password=<some gibberish>
> j_validate=true
> Returns status 200 and the HTML for the auth page.  Looking at the sessionInfo.json shows me that I'm authenticated as anonymous, as intended, but the docs say I should have received a status code 403.
> Authenticating as a known user does indeed work as intended.



[jira] Updated: (SLING-1428) Failed Form Auth via AJAX Does not Return Status 403

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger updated SLING-1428:
-------------------------------------

    Affects Version/s: Form Based Authentication 1.0.0

> Failed Form Auth via AJAX Does not Return Status 403
> ----------------------------------------------------
>
>                 Key: SLING-1428
>                 URL: https://issues.apache.org/jira/browse/SLING-1428
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: Form Based Authentication 1.0.0
>            Reporter: Jason Rose
>            Assignee: Felix Meschberger
>             Fix For: Form Based Authentication 1.0.2, Auth Core 1.0.4
>
>
> Posting:
> j_username=<some gibberish>
> j_password=<some gibberish>
> j_validate=true
> Returns status 200 and the HTML for the auth page.  Looking at the sessionInfo.json shows me that I'm authenticated as anonymous, as intended, but the docs say I should have received a status code 403.
> Authenticating as a known user does indeed work as intended.



[jira] Reopened: (SLING-1428) Failed Form Auth via AJAX Does not Return Status 403

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger reopened SLING-1428:
--------------------------------------


Oops, missed adding the integration test from the patch ...

> Failed Form Auth via AJAX Does not Return Status 403
> ----------------------------------------------------
>
>                 Key: SLING-1428
>                 URL: https://issues.apache.org/jira/browse/SLING-1428
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: Form Based Authentication 1.0.0
>            Reporter: Jason Rose
>            Assignee: Felix Meschberger
>             Fix For: Form Based Authentication 1.0.2, Auth Core 1.0.4
>
>
> Posting:
> j_username=<some gibberish>
> j_password=<some gibberish>
> j_validate=true
> Returns status 200 and the HTML for the auth page.  Looking at the sessionInfo.json shows me that I'm authenticated as anonymous, as intended, but the docs say I should have received a status code 403.
> Authenticating as a known user does indeed work as intended.



[jira] Updated: (SLING-1428) Failed Form Auth via AJAX Does not Return Status 403

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger updated SLING-1428:
-------------------------------------

    Fix Version/s: Form Based Authentication 1.0.2

> Failed Form Auth via AJAX Does not Return Status 403
> ----------------------------------------------------
>
>                 Key: SLING-1428
>                 URL: https://issues.apache.org/jira/browse/SLING-1428
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: Form Based Authentication 1.0.0
>            Reporter: Jason Rose
>            Assignee: Felix Meschberger
>             Fix For: Form Based Authentication 1.0.2, Auth Core 1.0.4
>
>
> Posting:
> j_username=<some gibberish>
> j_password=<some gibberish>
> j_validate=true
> Returns status 200 and the HTML for the auth page.  Looking at the sessionInfo.json shows me that I'm authenticated as anonymous, as intended, but the docs say I should have received a status code 403.
> Authenticating as a known user does indeed work as intended.



[jira] Commented: (SLING-1428) Failed Form Auth via AJAX Does not Return Status 403

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12914622#action_12914622 ] 

Felix Meschberger commented on SLING-1428:
------------------------------------------

Committed a generalized version of the functionality in Rev. 1001053.

Now, the j_validate request parameter is supported by the SlingAuthenticator as follows:

   * If authentication succeeds, the request is terminated immediately with 200/OK (after calling the optional feedback handler)
   * If authentication fails, the request is terminated immediately with 403/FORBIDDEN (after calling the optional feedback handler)
   * If the extractCredentials method returns AUTH_FAIL and j_validate is set, the request is also terminated with 403/FORBIDDEN
      (without calling any feedback handler)

> Failed Form Auth via AJAX Does not Return Status 403
> ----------------------------------------------------
>
>                 Key: SLING-1428
>                 URL: https://issues.apache.org/jira/browse/SLING-1428
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: Form Based Authentication 1.0.0
>            Reporter: Jason Rose
>            Assignee: Felix Meschberger
>             Fix For: Form Based Authentication 1.0.2, Auth Core 1.0.4
>
>
> Posting:
> j_username=<some gibberish>
> j_password=<some gibberish>
> j_validate=true
> Returns status 200 and the HTML for the auth page.  Looking at the sessionInfo.json shows me that I'm authenticated as anonymous, as intended, but the docs say I should have received a status code 403.
> Authenticating as a known user does indeed work as intended.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
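
A client-side check for the j_validate behaviour described in the message above, as an added example that is not part of the original thread or of Sling's own code. The helper names are hypothetical, the sample responses are constructed, and the `userID` field of sessionInfo.json is an assumption about that document's shape.

```javascript
// Added example: buildValidateBody, header and classifyValidation are
// hypothetical helpers, not part of Sling.

// Form body for a validation-only login attempt, using the three
// request parameters quoted in the report.
function buildValidateBody(username, password) {
  const body = new URLSearchParams();
  body.set('j_username', username);
  body.set('j_password', password);
  body.set('j_validate', 'true');
  return body.toString();
}

// Case-insensitive header lookup on a plain { name: value } object.
function header(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return value;
  }
  return null;
}

// response:    { status, headers } from the j_validate POST
// sessionInfo: parsed sessionInfo.json fetched afterwards; the userID
//              field name is an assumption, not taken from the thread.
function classifyValidation(response, sessionInfo) {
  if (response.status === 403) {
    // Behaviour after the fix: failure is signalled by 403, with the
    // cause in the X-Reason header when the server supplies one.
    const reason = header(response.headers, 'X-Reason') || 'unspecified';
    return { valid: false, reason };
  }
  if (response.status !== 200) {
    return { valid: false, reason: 'unexpected status ' + response.status };
  }
  // A 200 alone is not trusted: the report shows status 200 plus the
  // login page while the session was still anonymous.
  const user = sessionInfo && sessionInfo.userID;
  if (!user || user === 'anonymous') {
    return { valid: false, reason: 'status 200 but session is anonymous' };
  }
  return { valid: true, user };
}

// Constructed sample responses (not captured from a real server).
const SAMPLES = {
  fixedFailure: { status: 403, headers: { 'x-reason': 'constructed reason text' } },
  reportedBug: { status: 200, headers: { 'Content-Type': 'text/html' } },
  success: { status: 200, headers: {} },
};
```

Treating anything other than a confirmed non-anonymous session as a failure keeps a client fail-closed on servers that still show the behaviour in the original report.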


[jira] Assigned: (SLING-1428) Failed Form Auth via AJAX Does not Return Status 403

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger reassigned SLING-1428:
----------------------------------------

    Assignee: Felix Meschberger

> Failed Form Auth via AJAX Does not Return Status 403
> ----------------------------------------------------
>
>                 Key: SLING-1428
>                 URL: https://issues.apache.org/jira/browse/SLING-1428
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>            Reporter: Jason Rose
>            Assignee: Felix Meschberger
>
> Posting:
> j_username=<some gibberish>
> j_password=<some gibberish>
> j_validate=true
> Returns status 200 and the HTML for the auth page.  Looking at the sessionInfo.json shows me that I'm authenticated as anonymous, as intended, but the docs say I should have received a status code 403.
> Authenticating as a known user does indeed work as intended.



[jira] Resolved: (SLING-1428) Failed Form Auth via AJAX Does not Return Status 403

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger resolved SLING-1428.
--------------------------------------

    Fix Version/s: Form Based Authentication 1.0.2
                   Auth Core 1.0.4
       Resolution: Fixed

Implemented an extended version of the proposed patch in Rev. 1000462:

Send a 403 response if either the provided cookie value is invalid or if the provided user name and password cannot be used to login. Created methods to actually send back the success or failure responses for validation requests.

Some small extension to the SlingAuthenticator.getResolver() method: Don't further process if the AuthenticationFeedbackHandler.authenticationFailed method commits the response (as is done with support for 403 response for a validation check).

> Failed Form Auth via AJAX Does not Return Status 403
> ----------------------------------------------------
>
>                 Key: SLING-1428
>                 URL: https://issues.apache.org/jira/browse/SLING-1428
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: Form Based Authentication 1.0.0
>            Reporter: Jason Rose
>            Assignee: Felix Meschberger
>             Fix For: Form Based Authentication 1.0.2, Auth Core 1.0.4
>
>
> Posting:
> j_username=<some gibberish>
> j_password=<some gibberish>
> j_validate=true
> Returns status 200 and the HTML for the auth page.  Looking at the sessionInfo.json shows me that I'm authenticated as anonymous, as intended, but the docs say I should have received a status code 403.
> Authenticating as a known user does indeed work as intended.
