couchdb-dev mailing list archives

From "Benjamin Young (JIRA)" <j...@apache.org>
Subject [jira] Updated: (COUCHDB-972) Unauthorized requests with(out) Accept: */* get different status codes
Date Wed, 01 Dec 2010 16:15:12 GMT

     [ https://issues.apache.org/jira/browse/COUCHDB-972?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benjamin Young updated COUCHDB-972:
-----------------------------------

    Description: 
Sending a GET request for any URL of a private/secured database without an Accept header set
returns a 302 Found status which redirects to the Futon's login page.

Sending a GET request with an Accept: */* (which is conceptually the same) returns a 401 (as
does setting Accept to anything else: application/json, etc).

The 401 code is the preferred response, but the 302 is in use to load the HTML/JS-based login
forms in Futon.

The options I can see to fix this are:
1. Return 302 if Accept is set to */*, but return 401 for application/json (and possibly anything
more specific).
2. Return 401 and load the Futon login page/system as the response body--some browsers/clients
may still load the HTTP Auth form in addition to the HTML one in the body of the page.
3. Return 401 and let the browser's HTTP Auth form handle the login process.

  was:
Sending a GET request without an Accept header set returns a 302 Found status which redirects
to the Futon's login page.

Sending a GET request with an Accept: */* (which is conceptually the same) returns a 401 (as
does setting Accept to anything else: application/json, etc).

The 401 code is the preferred response, but the 302 is in use to load the HTML/JS-based login
forms in Futon.

The options I can see to fix this are:
1. Return 302 if Accept is set to */*, but return 401 for application/json (and possibly anything
more specific).
2. Return 401 and load the Futon login page/system as the response body--some browsers/clients
may still load the HTTP Auth form in addition to the HTML one in the body of the page.
3. Return 401 and let the browser's HTTP Auth form handle the login process.


> Unauthorized requests with(out) Accept: */* get different status codes
> ----------------------------------------------------------------------
>
>                 Key: COUCHDB-972
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-972
>             Project: CouchDB
>          Issue Type: Bug
>          Components: Futon, HTTP Interface
>    Affects Versions: 1.0.1
>            Reporter: Benjamin Young
>            Priority: Minor
>
> Sending a GET request for any URL of a private/secured database without an Accept header
> set returns a 302 Found status which redirects to the Futon's login page.
> Sending a GET request with an Accept: */* (which is conceptually the same) returns a
> 401 (as does setting Accept to anything else: application/json, etc).
> The 401 code is the preferred response, but the 302 is in use to load the HTML/JS-based
> login forms in Futon.
> The options I can see to fix this are:
> 1. Return 302 if Accept is set to */*, but return 401 for application/json (and possibly
> anything more specific).
> 2. Return 401 and load the Futon login page/system as the response body--some browsers/clients
> may still load the HTTP Auth form in addition to the HTML one in the body of the page.
> 3. Return 401 and let the browser's HTTP Auth form handle the login process.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
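
An added example, not part of the original message or CouchDB's own code: a small regression check that requests one path with no Accept header, with `Accept: */*` and with `Accept: application/json`, and flags any difference in the unauthenticated status code. The stub server is a constructed stand-in that reproduces the behaviour reported above; `probe`, `check_consistency`, the `/private_db` path and the redirect target are assumed names.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Accept variants from the report; None means "send no Accept header at all".
ACCEPT_VARIANTS = [None, "*/*", "application/json"]

class ReportedBehaviourStub(BaseHTTPRequestHandler):
    """Constructed stand-in mimicking the responses described in COUCHDB-972."""

    def do_GET(self):
        if self.headers.get("Accept") is None:
            self.send_response(302)
            self.send_header("Location", "/login-placeholder")  # placeholder target
        else:
            self.send_response(401)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output quiet

def probe(host, port, path, accept):
    """Send one unauthenticated GET and return the status; redirects are not followed."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {} if accept is None else {"Accept": accept}
    conn.request("GET", path, headers=headers)  # http.client adds no Accept by default
    status = conn.getresponse().status
    conn.close()
    return status

def check_consistency(host, port, path):
    """Return ({accept: status}, True if every variant got the same status)."""
    results = {a: probe(host, port, path, a) for a in ACCEPT_VARIANTS}
    return results, len(set(results.values())) == 1

def run_demo():
    """Run the check against the local stub on an ephemeral port."""
    server = HTTPServer(("127.0.0.1", 0), ReportedBehaviourStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_consistency("127.0.0.1", server.server_port, "/private_db")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    results, consistent = run_demo()
    for accept, status in results.items():
        print(f"Accept={accept!r:20} -> {status}")
    print("consistent" if consistent else "INCONSISTENT: status depends on Accept")
```

Pointing `check_consistency` at a real host, port and secured path runs the same comparison against a live server.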

