
Bug 349185

Summary: [client] Problems after setting Basic as auth type
Product: [ECD] Orion
Reporter: Tomasz Zarna <tomasz.zarna>
Component: Client
Assignee: Szymon Brandys <Szymon.Brandys>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: malgorzata.tomczyk, simon_kaegi
Version: 0.2
Target Milestone: 0.3 M2
Hardware: PC
OS: Windows XP
Whiteboard:

Description Tomasz Zarna CLA 2011-06-13 08:47:19 EDT
I start Orion with Basic auth setup[1], because I often talk to the server using curl. However, when I have the Orion server up and running and go to the browser, I'm seeing a couple of issues there:
* console: GET on http://localhost:8080/auth2 returns 404
* There is no info about the current user, even though I've provided valid creds. Obviously there is no "Log out" action, but that's expected for Basic auth.
* console: "Error: Load timeout for plugin: http://localhost:8080/profile/userservicePlugin.html", not sure if this is related

[1] -Dorion.tests.authtype=Basic
Comment 1 Tomasz Zarna CLA 2011-06-24 05:47:38 EDT
(In reply to comment #0)
> * console: "Error: Load timeout for plugin: http://localhost:8080/profile/userservicePlugin.html"

Filed a separate bug for this, bug 349930.
Comment 2 Malgorzata Janczarska CLA 2011-07-13 08:43:01 EDT
The problem, in general, is that our Basic authentication bundle does not really work with our profile client. For every other authentication type, on a 401 error the server returns some JavaScript code that is eval'ed. This code is used to perform authentication, set the authentication data and renew the call.
And this is how it works with Basic Auth:
1. We make an unauthenticated request
2. The server returns 401 with a header indicating that we need Basic Auth
3. The browser asks for credentials and renews the call including the credentials
4. The browser remembers the credentials and includes them next time
The problem is that although most browsers store credentials in point 4, the standard is that Basic authentication is stateless. So in fact there's no such thing as "being logged in". You need to re-send your credentials with every request.
Because point 3 is done by the browser without notifying the client, it's hard to detect that you have logged in now. Besides, it depends on browser settings. Your credentials might as well have been stored.

Generally, the problem is big and requires a separate implementation.
Comment 3 Tomasz Zarna CLA 2011-07-14 05:00:48 EDT
I know how Basic authentication works, I just wonder if we can get rid of the ugly 404. Are we able to check the WWW-Authenticate header and not attempt to go to http://localhost:8080/auth2 when dealing with Basic?
Comment 4 Malgorzata Janczarska CLA 2011-07-14 05:39:09 EDT
(In reply to comment #3)
> I know how Basic authentication works, I just wonder if we can get rid of the
> ugly 404. Are we able to check the WWW-Authenticate header and not attempt to
> go to http://localhost:8080/auth2 when dealing with Basic?
We can get rid of 404, but it will solve only some of the problems.
Comment 5 Szymon Brandys CLA 2011-08-22 09:52:27 EDT
With the latest changes in the code:
- we don't make calls to /auth2 at all
- the info about the user is also added for Basic authentication

Tomek can we close this one?
Comment 6 Tomasz Zarna CLA 2011-08-23 11:55:06 EDT
(In reply to comment #5)
> Tomek can we close this one?

Yup, it's fixed with changes from bug 353702. Thx.