brooklyn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (BROOKLYN-323) Inconsistent logout behavior for Basic Authentication
Date Thu, 02 Mar 2017 09:40:45 GMT

    [ https://issues.apache.org/jira/browse/BROOKLYN-323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15891936#comment-15891936
] 

ASF GitHub Bot commented on BROOKLYN-323:
-----------------------------------------

GitHub user bostko opened a pull request:

    https://github.com/apache/brooklyn-server/pull/578

    BROOKLYN-323: Logout fixes for karaf distribution

     - Added POST logout call returning html.
       Intermidiate logout step moved from brooklyn-ui
       to Java code in brooklyn-server.
     - disable CSRF protection for logout call
     - Give valid WWW-Authorization header to the client.
       Previously it was just WWW-Authorization: Basic
       Where it has to be WWW-Authorization: Basic realm="something"
     - removed TEMPORARY_REDIRECT step

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/bostko/brooklyn-server logout-api

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/brooklyn-server/pull/578.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #578
    
----
commit fc912466c096cdb4059d8e42f3a3105ed623ee68
Author: Valentin Aitken <bostko@gmail.com>
Date:   2016-08-03T19:56:11Z

    BROOKLYN-323: Logout fixes for karaf distribution
    
     - Added POST logout call returning html.
       Intermidiate logout step moved from brooklyn-ui
       to Java code in brooklyn-server.
     - disable CSRF protection for logout call
     - Give valid WWW-Authorization header to the client.
       Previously it was just WWW-Authorization: Basic
       Where it has to be WWW-Authorization: Basic realm="something"
     - removed TEMPORARY_REDIRECT step

----


> Inconsistent logout behavior for Basic Authentication
> -----------------------------------------------------
>
>                 Key: BROOKLYN-323
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-323
>             Project: Brooklyn
>          Issue Type: Bug
>    Affects Versions: 0.9.0, 0.10.0, 0.9.1
>         Environment: Firefox, Internet Explorer, Google Chrome
>            Reporter: Valentin Aitken
>             Fix For: 0.10.0
>
>
> Observed behavior:
> When clicking logout browser asks for a password.
> When entering a password browser asks you sequentially to enter username and password.
> How logout should be implemented for Basic Authentication:
> http://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication
> My explanation for behavior with the current code:
> First to clear out how brooklyn-ui is working and what it does.
> It polls infinitely the brooklyn api to retrieve status for the applications which are
on the dashboard.
> To do that each request has to be authenticated.
> Logout:
> When user click logout, UI fires an ajax call to get a a proper Unauthorized response.
> Current response for the logout request contains Unauthorized response which should invalidate
credentials.
> For Google Chrome it does invalidate the request credentials but it does not reload the
DOM (or the webpage)
> When user try to type username and password to login back again, it is followed by another
username and password prompt. 
> My explanation for this is that login actually appeared from one of the application status
calls rather than the index page and credentials are not populated through the DOM.
> Because of this credentials have to be typed for every single request and  UI is making
status calls infinitely so in other words user have to enter username and password infinitely.
> However for Internet Explorer it behaves differently.
> It just unauthenticate the one Ajax request and from there nothing happens. Deletion
of the session within Internet Explorer doesn't happen and browser stays authenticated.
> My idea for solving those problems is to do a full reload of the web page after deauthenticating.
> so Brooklyn can have only one javascript authentication cycle.
> I will provide a solution which does that in one simple step.
> Calling the /logout API call which returns Unauthorized response and redirect to the
home page. 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message