Item10566: ApacheLogin throws 403 instead of 401 to unauthenticated users with rest, viewfile, rdiff and compare scripts

Priority: Normal
CurrentState: Closed
AppliesTo: Engine
Component: ApacheLogin, LoginManager
WaitingFor: PaulHarvey
Nobody else has complained. Let's merge over in 1.1.4.

Problem: an unauthenticated user accesses a rest script. rest is not in {AuthScripts}. The rest script tries to access a protected resource; an access control exception is thrown. UI::Rest tries to ask the LoginManager to force authentication. But ApacheLogin does this by looking for a restauth script in the SwitchBoard, which doesn't exist. So ApacheLogin fails to catch the exception in a way that results in a 401 unauthorised exchange with the HTTP client. Instead, Foswiki::UI assumes access to the resource is denied. The client gets 403 Forbidden, and remains unauthenticated.

-- PaulHarvey - 29 Mar 2011

Solution: added restauth to our bin scripts.

-- PaulHarvey - 29 Mar 2011

Clarification: this problem only occurs if Apache isn't configured to require valid-user on the rest script.

-- PaulHarvey - 29 Mar 2011
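The three comments above (problem, solution, clarification) describe one request flow. The following Python model is an added illustration, not Foswiki's own code: the names SiteConfig, apache_layer, force_authentication and dispatch are constructed stand-ins for Apache's auth layer, ApacheLogin's forced-login redirect and Foswiki::UI's dispatch, and the script sets in the three configurations are constructed to match the item. It reproduces why a missing restauth twin yields 403 instead of 401, why adding the twin fixes it, and why guarding rest itself in Apache avoids the problem altogether.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed model of the request flow described in this item.  Not Foswiki
# code: the class and function names are illustrative stand-ins.


@dataclass
class SiteConfig:
    switchboard: Set[str]        # scripts present in bin/ (the SwitchBoard)
    apache_valid_user: Set[str]  # scripts Apache guards with "require valid-user"
    auth_scripts: Set[str]       # {AuthScripts}: scripts that always need a login


class AccessControlException(Exception):
    """Raised when an unauthenticated request touches a protected resource."""


def apache_layer(script: str, authenticated: bool, cfg: SiteConfig) -> Optional[int]:
    """Apache runs before Foswiki.  A guarded script requested without
    credentials gets a 401 challenge; anything else passes through (None)."""
    if script in cfg.apache_valid_user and not authenticated:
        return 401
    return None


def force_authentication(script: str, cfg: SiteConfig) -> Optional[str]:
    """ApacheLogin can only force a login by redirecting to the script's *auth
    twin (view -> viewauth, rest -> restauth).  Returns the twin's name, or
    None when no such script exists in the switchboard."""
    twin = script + "auth"
    return twin if twin in cfg.switchboard else None


def dispatch(script: str, authenticated: bool, cfg: SiteConfig,
             resource_protected: bool = True) -> int:
    """HTTP status the client ends up with for one request to `script`."""
    status = apache_layer(script, authenticated, cfg)
    if status is not None:
        return status                   # Apache challenged before Foswiki ran
    if script not in cfg.switchboard:
        return 404
    try:
        needs_login = script in cfg.auth_scripts or resource_protected
        if needs_login and not authenticated:
            raise AccessControlException(script)
        return 200                      # script ran for an authorised user
    except AccessControlException:
        twin = force_authentication(script, cfg)
        if twin is None:
            return 403                  # Foswiki::UI: access denied, no login possible
        # The client follows the redirect to the twin; Apache challenges there.
        return dispatch(twin, authenticated, cfg, resource_protected)


# Constructed configurations.
# Before the fix: rest and viewfile have no *auth twin in bin/.
BROKEN = SiteConfig(
    switchboard={"view", "viewauth", "rest", "viewfile"},
    apache_valid_user={"viewauth"},
    auth_scripts={"viewauth"},
)

# After the fix: restauth and viewfileauth exist and Apache guards them.
FIXED = SiteConfig(
    switchboard={"view", "viewauth", "rest", "restauth", "viewfile", "viewfileauth"},
    apache_valid_user={"viewauth", "restauth", "viewfileauth"},
    auth_scripts={"viewauth", "restauth", "viewfileauth"},
)

# The clarification: if Apache requires valid-user on rest itself, the script
# never runs unauthenticated, so the missing twin is never consulted.
REST_GUARDED = SiteConfig(
    switchboard={"rest"},
    apache_valid_user={"rest"},
    auth_scripts=set(),
)


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED), ("rest guarded", REST_GUARDED)):
        print(f"{name:12s} unauthenticated rest -> {dispatch('rest', False, cfg)}")
```

Running the module prints 403 for the broken layout and 401 for the other two; the recursive redirect in `dispatch` also shows why the fix needs both halves, since a restauth twin that Apache does not guard simply repeats the exception and still ends in 403.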

Extending this bug to cover other scripts that are missing an *auth version (such as viewfile).

-- PaulHarvey - 29 Mar 2011

Cool. Just recently discussed viewfileauth with a client coming to the same solution.

-- MichaelDaum - 30 Mar 2011

Should we include with 1.1.3?

-- PaulHarvey - 30 Mar 2011

Nope. Let's do it in 1.1.4.

-- PaulHarvey - 30 Mar 2011

Done

-- PaulHarvey - 30 Apr 2011

Remove & from Summary so that RSS works again

-- GeorgeClark - 30 Apr 2011

Done

-- PaulHarvey - 30 Apr 2011

ItemTemplate

Summary: ApacheLogin throws 403 instead of 401 to unauthenticated users with rest, viewfile, rdiff and compare scripts
ReportedBy: PaulHarvey
Codebase: 1.1.3, 1.1.3 RC1, 1.1.3 beta1, 1.1.2, 1.1.1, 1.1.0, 1.1.0 beta1, trunk
SVN Range:
AppliesTo: Engine
Component: ApacheLogin, LoginManager
Priority: Normal
CurrentState: Closed
WaitingFor: PaulHarvey
Checkins: Foswikirev:11263 Foswikirev:11264 Foswikirev:11343 Foswikirev:11344 Foswikirev:11585 Foswikirev:11591 Foswikirev:11592 Foswikirev:11593
TargetRelease: patch
ReleasedIn: 1.1.4
Topic revision: r20 - 17 Dec 2011, GeorgeClark