Item10566: ApacheLogin throws 403 instead of 401 to unauthenticated users with rest, viewfile, rdiff and compare scripts
Priority: Normal
Current State: Closed
Released In: 1.1.4
Target Release: patch
Nobody else has complained. Let's merge over in 1.1.4.
Problem: an unauthenticated user accesses a rest script. rest is not in {AuthScripts}. The rest script tries to access a protected resource; an access control exception is thrown. UI::Rest tries to ask the LoginManager to force authentication. But ApacheLogin does this by looking for a restauth script in the SwitchBoard, which doesn't exist. So ApacheLogin fails to catch the exception in a way that results in a 401 Unauthorised exchange with the HTTP client. Instead, Foswiki::UI assumes access to the resource is denied. The client gets 403 Forbidden, and remains unauthenticated.
--
PaulHarvey - 29 Mar 2011
Solution: added restauth to our bin scripts.
--
PaulHarvey - 29 Mar 2011
Clarification: this problem only occurs if Apache isn't configured to require valid-user on the rest script.
--
PaulHarvey - 29 Mar 2011
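An added illustration, not part of this item and not Foswiki's own shipped Apache configuration: an Apache 2.4 fragment for the bin directory showing the setting under which the clarification above says the 403 appears, and the workaround it implies for releases without the restauth script. The directory path, htpasswd path and the exact script list are assumptions made for the example.

```apache
# Added example, not Foswiki's shipped configuration. Paths are assumed.
<Directory "/var/www/foswiki/bin">
    AuthType Basic
    AuthName "Foswiki"
    AuthUserFile "/var/www/foswiki/data/.htpasswd"

    # Setting under which this item's symptom appears: only the *auth
    # scripts demand a login. An anonymous request to rest (likewise
    # viewfile, rdiff, compare) reaches the script unauthenticated, hits a
    # protected resource, and ApacheLogin looks for a restauth script to
    # redirect to. With no restauth in the SwitchBoard the exception is not
    # turned into a 401, so the client sees 403 Forbidden and stays anonymous.
    <FilesMatch "^.*auth$">
        Require valid-user
    </FilesMatch>

    # Workaround for installations without the fix (the clarification notes
    # the problem does not occur when rest requires valid-user): challenge
    # the client before the script runs. The cost is that anonymous access
    # to these scripts is lost entirely, even for resources that are public.
    <FilesMatch "^(rest|viewfile|rdiff|compare)$">
        Require valid-user
    </FilesMatch>
</Directory>
```

With the fix from this item (restauth and the other *auth scripts present), the first FilesMatch block is what matters: the redirect target ends in "auth", so it is covered by that pattern and Apache issues the 401 challenge; the second block is then unnecessary and can be dropped to restore anonymous access.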
Extending this bug to cover other scripts that are missing an *auth version (such as viewfile).
--
PaulHarvey - 29 Mar 2011
Cool. Just recently discussed viewfileauth with a client coming to the same solution.
--
MichaelDaum - 30 Mar 2011
Should we include with 1.1.3?
--
PaulHarvey - 30 Mar 2011
Nope. Let's do it in 1.1.4.
--
PaulHarvey - 30 Mar 2011
Done
--
PaulHarvey - 30 Apr 2011
Remove & from Summary so that RSS works again
--
GeorgeClark - 30 Apr 2011
Done
--
PaulHarvey - 30 Apr 2011