I start Orion with Basic auth setup [1], because I often talk to the server using curl. However, when I have the Orion server up and running and go to the browser, I'm seeing a couple of issues there:
* console: GET on http://localhost:8080/auth2 returns 404
* There is no info about the current user, even though I've provided valid creds. Obviously there is no "Log out" action, but that's expected for Basic auth.
* console: "Error: Load timeout for plugin: http://localhost:8080/profile/userservicePlugin.html", not sure if this is related

[1] -Dorion.tests.authtype=Basic
(In reply to comment #0)
> * console: "Error: Load timeout for plugin: http://localhost:8080/profile/userservicePlugin.html"

Filed a separate bug for this, bug 349930.
The problem in general is that our Basic authentication bundle does not really work with our profile client. For every other authentication type, on a 401 error the server returns some JavaScript code that is eval'ed. This code is used to perform authentication, set the authentication data and renew the call.

And this is how it works with Basic Auth:
1. We make an unauthenticated request
2. Server returns 401 with a header indicating that we need Basic Auth
3. Browser asks for credentials and renews the call including credentials
4. Browser remembers credentials and includes them next time

The problem is that although most browsers store credentials in point 4, the standard is that Basic authentication is stateless. So in fact there's no such thing as "being logged in". You need to re-send your credentials with every request. Because point 3 is done by the browser without notifying the client, it's hard to detect that you have logged in now. Besides, it's dependent on browser settings. Your credentials might as well have been stored. Generally the problem is big and requires a separate implementation.
I know how Basic authentication works, I just wonder if we can get rid of the ugly 404. Are we able to check the WWW-Authenticate header and not attempt to go to http://localhost:8080/auth2 when dealing with Basic?
(In reply to comment #3)
> I know how Basic authentication works, I just wonder if we can get rid of the
> ugly 404. Are we able to check the WWW-Authenticate header and not attempt to
> go to http://localhost:8080/auth2 when dealing with Basic?

We can get rid of 404, but it will solve only some of the problems.
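Added example, not part of the thread and not Orion code: one way a client could read the WWW-Authenticate header on a 401 and skip the scripted login round trip when the server offers Basic. The function names are hypothetical, and the thread does not say whether the eventual fix works this way.

```javascript
// Added illustration; not taken from Orion. All function names are hypothetical.
const TOKEN = "[A-Za-z0-9!#$%&'*+.^_`|~-]+";
const PARAM_RE = new RegExp("^(" + TOKEN + ")\\s*=\\s*(.*)$");
const SCHEME_RE = new RegExp("^(" + TOKEN + ")(?:\\s+(.*))?$");

// Split on commas that are not inside a quoted-string (a realm may contain commas).
function splitOutsideQuotes(value) {
  const parts = [];
  let current = "", inQuote = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuote && ch === "\\" && i + 1 < value.length) { current += ch + value[++i]; continue; }
    if (ch === '"') inQuote = !inQuote;
    if (ch === "," && !inQuote) { parts.push(current.trim()); current = ""; continue; }
    current += ch;
  }
  parts.push(current.trim());
  return parts.filter((p) => p.length > 0);
}

function unquote(v) {
  const m = /^"(.*)"$/.exec(v);
  return m ? m[1].replace(/\\(.)/g, "$1") : v;
}

// Returns [{ scheme: "basic", params: { realm: "..." } }, ...].
// A header may carry several challenges; token68 data is not modelled here.
function parseChallenges(headerValue) {
  const challenges = [];
  for (const part of splitOutsideQuotes(headerValue || "")) {
    let m = PARAM_RE.exec(part);
    if (m && challenges.length > 0) { // name=value belongs to the current challenge
      challenges[challenges.length - 1].params[m[1].toLowerCase()] = unquote(m[2]);
      continue;
    }
    m = SCHEME_RE.exec(part);
    if (!m) continue; // malformed piece: ignore it
    const challenge = { scheme: m[1].toLowerCase(), params: {} };
    const first = m[2] ? PARAM_RE.exec(m[2]) : null;
    if (first) challenge.params[first[1].toLowerCase()] = unquote(first[2]);
    challenges.push(challenge);
  }
  return challenges;
}

// True only for a 401 that offers no Basic challenge; with Basic the browser
// prompts and retries by itself, so the client has nothing to fetch.
function needsScriptedLogin(status, headerValue) {
  if (status !== 401) return false;
  return !parseChallenges(headerValue).some((c) => c.scheme === "basic");
}
```

Scheme names are compared case-insensitively, and a 401 with no WWW-Authenticate header at all is treated as not Basic.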
With the latest changes in the code:
- we don't make calls to /auth2 at all
- the info about the user is also added for Basic authentication

Tomek, can we close this one?
(In reply to comment #5)
> Tomek can we close this one?

Yup, it's fixed with changes from bug 353702. Thx.