
Item10566: ApacheLogin throws 403 instead of 401 to unauthenticated users with rest, viewfile, rdiff and compare scripts

Priority: Normal
Current State: Closed
Released In: 1.1.4
Target Release: patch
Applies To: Engine
Component: ApacheLogin, LoginManager
Branches:
Reported By: PaulHarvey
Waiting For: PaulHarvey
Last Change By: GeorgeClark
Nobody else has complained. Let's merge over in 1.1.4.

Problem: an unauthenticated user accesses a rest script. rest is not in {AuthScripts}. The rest script tries to access a protected resource; an access control exception is thrown. UI::Rest tries to ask the LoginManager to force authentication. But ApacheLogin does this by looking for a restauth script in the SwitchBoard, which doesn't exist. So ApacheLogin fails to catch the exception in a way that results in a 401 unauthorised exchange with the http client. Instead, Foswiki::UI assumes access to the resource is denied. The client gets 403 Forbidden, and remains unauthenticated.

-- PaulHarvey - 29 Mar 2011

Solution: added restauth to our bin scripts.

-- PaulHarvey - 29 Mar 2011

Clarification: this problem only occurs if apache isn't configured to require valid-user on the rest script.

-- PaulHarvey - 29 Mar 2011
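The Apache side of the problem and the fix described above, as an added illustration and not the project's shipped bin/.htaccess.txt: the first block is a hand-maintained configuration that names the auth scripts explicitly and so never challenges restauth, viewfileauth, rdiffauth or compareauth; the second covers every <script>auth twin, and shows the alternative from the clarification of requiring valid-user on rest itself. The install path, the password file and the exact script list are assumptions.

```apache
# Constructed example; /var/www/foswiki is an assumed install path.

# Weak form: only the scripts that were present before 1.1.4 are listed.
# An unauthenticated rest call that hits a protected resource reaches
# Foswiki, and because there is no restauth entry for ApacheLogin to bounce
# to (or, once it exists, no Apache rule that challenges it), the client
# ends up with 403 Forbidden instead of a 401 challenge.
<Directory "/var/www/foswiki/bin">
    AuthType Basic
    AuthName "Foswiki"
    AuthUserFile "/var/www/foswiki/data/.htpasswd"
    <FilesMatch "^(attach|edit|manage|rename|save|upload|logon|viewauth)">
        Require valid-user
    </FilesMatch>
</Directory>

# Corrected form: the .*auth pattern matches viewauth together with the
# restauth, viewfileauth, rdiffauth and compareauth scripts added in 1.1.4,
# so when ApacheLogin redirects an unauthenticated rest/viewfile/rdiff/
# compare request to its auth twin, Apache answers with 401 and a
# WWW-Authenticate header and the browser can log the user in.
<Directory "/var/www/foswiki/bin">
    AuthType Basic
    AuthName "Foswiki"
    AuthUserFile "/var/www/foswiki/data/.htpasswd"
    <FilesMatch "^(attach|edit|manage|rename|save|upload|logon|.*auth)">
        Require valid-user
    </FilesMatch>
    # Optional, per the clarification in this task: requiring a login on
    # rest itself avoids the 403 on older code, at the cost of refusing
    # every anonymous rest call.
    <FilesMatch "^rest">
        Require valid-user
    </FilesMatch>
</Directory>
```

To check a site after the change, an unauthenticated request for a protected resource through rest, viewfile, rdiff or compare should come back as 401 with a WWW-Authenticate header rather than 403.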

Extending this bug to cover other scripts that are missing an *auth version (such as viewfile).

-- PaulHarvey - 29 Mar 2011

Cool. Just recently discussed viewfileauth with a client coming to the same solution.

-- MichaelDaum - 30 Mar 2011

Should we include with 1.1.3?

-- PaulHarvey - 30 Mar 2011

Nope. Let's do it in 1.1.4.

-- PaulHarvey - 30 Mar 2011

Done

-- PaulHarvey - 30 Apr 2011

Remove & from Summary so that RSS works again

-- GeorgeClark - 30 Apr 2011

Done

-- PaulHarvey - 30 Apr 2011

ItemTemplate

Summary: ApacheLogin throws 403 instead of 401 to unauthenticated users with rest, viewfile, rdiff and compare scripts
ReportedBy: PaulHarvey
Codebase: 1.1.3, 1.1.3 RC1, 1.1.3 beta1, 1.1.2, 1.1.1, 1.1.0, 1.1.0 beta1, trunk
SVN Range:
AppliesTo: Engine
Component: ApacheLogin, LoginManager
Priority: Normal
CurrentState: Closed
WaitingFor: PaulHarvey
Checkins: distro:9d279a95ecf0 distro:77cb9973c7be distro:551957d15ebc distro:d48f3c5224a0 distro:f9581feedb3a distro:f57e73fe9165 distro:383b0de0fe21 distro:efb3a04fe553
TargetRelease: patch
ReleasedIn: 1.1.4
Topic revision: r20 - 17 Dec 2011, GeorgeClark