Posted to dev@sling.apache.org by Clemens Wyss <cl...@mysign.ch> on 2010/09/14 18:36:02 UTC

[sling explorer] Form based auth with IE to no avail :-(

Sling Explorer does form based authentication, which works fine(*) with FF,
Safari and Chrome. Unfortunately it works neither on IE6 nor on IE8.
Debugging revealed that the POSTed form data to '/j_security_check'
is equal. Nevertheless if I gather the Sling.getSessionInfo() after
the aforementioned POST on IE I get the anonymous "credentials",
whereas on the other browsers I get the expected credentials.
What could possibly be the reason for this?

Thx for your help/hints
-- Clemens

RE: [sling explorer] Form based auth with IE to no avail :-(

Posted by Clemens Wyss <cl...@mysign.ch>.
In order to get some more tracking data with fiddler I changed the URL from localhost:8080 to my notebook's host name, i.e. cws-lap:8080. Now I get a security warning from IE. Unfortunately I only have a German version and hence only the German warning text:
Die Seite greift auf Informationen aus anderen Daten zu. Dies kann ein Sicherheitproblem darstellen. Möchten Sie den Vorgang fortsetzen?

which more or less translates to:
"The page is accessing information from other data". This could be a security issue. Would you like to proceed?

When I proceed I get a JavaScript error and the resource tree is not rendered. I guess this is another problem (which is nonetheless to be solved, too?)



Re: [sling explorer] Form based auth with IE to no avail :-(

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Wed, Sep 15, 2010 at 8:35 AM, Clemens Wyss <cl...@mysign.ch> wrote:
> looks like an IE caching issue.
> If we make the getSessionInfo-URI "unique"
> (i.e. prevent caching) it works:
> ...
> var res=Sling.httpGet(Sling.baseurl+"/system/sling/info.sessionInfo."+new Date().getTime()+".json");
> ...
>
> WDYT?

Sounds reasonable, +1 on this change.
-Bertrand

Re: [sling explorer] Form based auth with IE to no avail :-(

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Wed, Sep 15, 2010 at 9:24 AM, Clemens Wyss <cl...@mysign.ch> wrote:
> From: Bertrand Delacretaz [mailto:bdelacretaz@apache.org]
>>(except duplicated values, why?)
> my (double copy&paste) fault
> --> Cache-Control : private, no-store, no-cache, max-age=0, must-revalidate
>
>> but I'd still add the timestamp
>> parameter as you suggested before
> really?...

Ah - I realize now that I had this backwards, I thought you were
adding headers to the request.

FWIW, I agree with the changes of SLING-1776.

-Bertrand (still jetlagged from recent travel I guess ;-)

Re: [sling explorer] Form based auth with IE to no avail :-(

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Wed, Sep 15, 2010 at 9:24 AM, Clemens Wyss <cl...@mysign.ch> wrote:
>>(except duplicated values, why?)
> my (double copy&paste) fault
> --> Cache-Control : private, no-store, no-cache, max-age=0, must-revalidate
>
>> but I'd still add the timestamp
>> parameter as you suggested before
> really?

I'm a pragmatic guy...it's quicker to add that and be safe than test
on every browser ;-)

But if it works without it for your use cases, all the better.

-Bertrand

Re: [sling explorer] Form based auth with IE to no avail :-(

Posted by Carsten Ziegeler <cz...@apache.org>.
Bertrand Delacretaz  wrote
> On Wed, Sep 15, 2010 at 8:47 AM, Clemens Wyss <cl...@mysign.ch> wrote:
>> after a f2f discussion with mike I see reason that
>> we'd better add the appropriate cache header to
>> /system/sling/info.sessionInfo, appropriate being:
>>
>> Cache-Control : private, no-store, no-cache, max-age=0, must-revalidate, private, no-store, no-cache, max-age=0, must-revalidate
> 
> Looks like the clean solution (except duplicated values, why?), but
> I'd still add the timestamp parameter as you suggested before, just to
> be on the safe side with broken browsers.
> 
I really think we should go with the headers.

Carsten

-- 
Carsten Ziegeler
cziegeler@apache.org
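
The stale-credentials effect discussed in this thread, modelled as an added example (not Sling code and not written by any poster): a client cache that reuses a stored GET response for the same URL keeps returning the pre-login session info, while either the Cache-Control value proposed above or a unique URL forces a fresh read. The cache model, the `userID` field and the `admin` user are assumptions made for the illustration.

```javascript
// Constructed model, not Sling code. The server reports the current user;
// the client cache reuses any stored GET response for the same URL.
const NO_CACHE = "private, no-store, no-cache, max-age=0, must-revalidate";
const INFO = "/system/sling/info.sessionInfo";

function makeServer(sendCacheHeader) {
  const state = { user: "anonymous", hits: 0 };
  return {
    state,
    login(user) { state.user = user; },   // stands in for POST /j_security_check
    get(url) {
      if (!url.startsWith(INFO) || !url.endsWith(".json")) {
        return { status: 404, headers: {}, body: "" };
      }
      state.hits += 1;                     // counts requests that reach the server
      const headers = sendCacheHeader ? { "cache-control": NO_CACHE } : {};
      return { status: 200, headers, body: JSON.stringify({ userID: state.user }) };
    },
  };
}

// True when Cache-Control tells the client not to store or silently reuse
// the response (this model treats no-cache like no-store: always refetch).
function forbidsReuse(headers) {
  const directives = (headers["cache-control"] || "")
    .split(",").map((d) => d.trim().toLowerCase());
  return directives.includes("no-store") || directives.includes("no-cache");
}

function makeClient(server) {
  const cache = new Map();                 // URL -> stored response
  return function httpGet(url) {
    if (cache.has(url)) return cache.get(url);   // answered without a request
    const res = server.get(url);
    if (res.status === 200 && !forbidsReuse(res.headers)) cache.set(url, res);
    return res;
  };
}

// Read session info, log in, read it again; report what the page sees.
function userSeenAfterLogin({ sendCacheHeader, uniqueUrl }) {
  const server = makeServer(sendCacheHeader);
  const httpGet = makeClient(server);
  let tick = 0;                            // deterministic stand-in for new Date().getTime()
  const url = () => (uniqueUrl ? `${INFO}.${++tick}.json` : `${INFO}.json`);
  httpGet(url());                          // first read, before login
  server.login("admin");
  const second = JSON.parse(httpGet(url()).body);
  return { userID: second.userID, serverHits: server.state.hits };
}

for (const c of [
  { sendCacheHeader: false, uniqueUrl: false },  // stale: second read never leaves the client
  { sendCacheHeader: true, uniqueUrl: false },   // header fix on the endpoint
  { sendCacheHeader: false, uniqueUrl: true },   // timestamp selector in the URL
]) {
  console.log(JSON.stringify(c), "->", JSON.stringify(userSeenAfterLogin(c)));
}
```

The header fix covers every client of the endpoint, whereas the timestamp only helps callers that remember to add it and still leaves each response eligible for storage.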

RE: [sling explorer] Form based auth with IE to no avail :-(

Posted by Clemens Wyss <cl...@mysign.ch>.
jira issue -> https://issues.apache.org/jira/browse/SLING-1776


RE: [sling explorer] Form based auth with IE to no avail :-(

Posted by Clemens Wyss <cl...@mysign.ch>.
>(except duplicated values, why?)
my (double copy&paste) fault
--> Cache-Control : private, no-store, no-cache, max-age=0, must-revalidate

> but I'd still add the timestamp
> parameter as you suggested before
really?



Re: [sling explorer] Form based auth with IE to no avail :-(

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Wed, Sep 15, 2010 at 8:47 AM, Clemens Wyss <cl...@mysign.ch> wrote:
> after a f2f discussion with mike I see reason that
> we'd better add the appropriate cache header to
> /system/sling/info.sessionInfo, appropriate being:
>
> Cache-Control : private, no-store, no-cache, max-age=0, must-revalidate, private, no-store, no-cache, max-age=0, must-revalidate

Looks like the clean solution (except duplicated values, why?), but
I'd still add the timestamp parameter as you suggested before, just to
be on the safe side with broken browsers.

-Bertrand

RE: [sling explorer] Form based auth with IE to no avail :-(

Posted by Clemens Wyss <cl...@mysign.ch>.
after a f2f discussion with mike I see reason that
we'd better add the appropriate cache header to
/system/sling/info.sessionInfo, appropriate being:

Cache-Control : private, no-store, no-cache, max-age=0, must-revalidate, private, no-store, no-cache, max-age=0, must-revalidate

WDYT?



RE: [sling explorer] Form based auth with IE to no avail :-(

Posted by Clemens Wyss <cl...@mysign.ch>.
looks like an IE caching issue.
If we make the getSessionInfo-URI "unique"
(i.e. prevent caching) it works:
...
var res=Sling.httpGet(Sling.baseurl+"/system/sling/info.sessionInfo."+new Date().getTime()+".json");
...

WDYT?


RE: [sling explorer] Form based auth with IE to no avail :-(

Posted by Clemens Wyss <cl...@mysign.ch>.
conclusion:
in IE the clientside/javascript Sling.getSessionInfo() is not always
executed (i.e. the http GET call to /system/sling/info.sessionInfo.json)!

Place the attached test.html on the root and

a) open it with FF inspecting the two /system/sling/info.sessionInfo.json-calls
in firebug (or fiddler)

b) open it (don't forget the '.' ;-), i.e. http://localhost.:8080/test.html )
 in IE inspecting the (non existent) /system/sling/info.sessionInfo.json-calls
in fiddler

"not always" is fuzzy, I know, but I really haven't found the pattern of IE.

jira issue?


RE: [sling explorer] Form based auth with IE to no avail :-(

Posted by Clemens Wyss <cl...@mysign.ch>.
> I would if fiddler provided me this data (headers), such as
> firebug does...
--> http://weblogs.asp.net/lorenh/archive/2008/01/10/tip-for-using-fiddler-on-localhost.aspx
the '.' does it!, OMG

I can now proceed debugging the IE traces...


RE: [sling explorer] Form based auth with IE to no avail :-(

Posted by Clemens Wyss <cl...@mysign.ch>.
I would if fiddler provided me this data (headers), such as firebug does...


Re: [sling explorer] Form based auth with IE to no avail :-(

Posted by Eric Norman <er...@gmail.com>.
Maybe check if IE is getting/sending the sling cookie on the second request.
