Thanks Jason,

In addition, if you add the '-L' option to the 2.28 and 2.29 queries as follows:

curl -I -L -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me

You get a redirect loop which seems infinite until it terminates in error as follows:

HTTP/1.1 302
Server: nginx/1.4.6 (Ubuntu)
Date: Sat, 21 Apr 2018 13:13:18 GMT
Content-Length: 0
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302
Server: nginx/1.4.6 (Ubuntu)
Date: Sat, 21 Apr 2018 13:13:18 GMT
Content-Length: 0
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302
Server: nginx/1.4.6 (Ubuntu)
Date: Sat, 21 Apr 2018 13:13:18 GMT
Content-Length: 0
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302
Server: nginx/1.4.6 (Ubuntu)
Date: Sat, 21 Apr 2018 13:13:19 GMT
Content-Length: 0
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302
Server: nginx/1.4.6 (Ubuntu)
Date: Sat, 21 Apr 2018 13:13:19 GMT
Content-Length: 0
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

curl: (47) SSLRead() return error -9806

This causes bugs in applications that access the API for authentication, and I can also see how this can be used to diminish system performance in general.

Regards,
Ranga

On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering <jason.p.picker...@gmail.com> wrote:

> Just to try and make it a bit more clear Morten, I think the issue
> Rangarirai is asking about is below:
>
> In 2.29 and 2.28, an unauthorized username/password returns a 302.
>
> curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me
> HTTP/1.1 302
> Server: nginx/1.4.6 (Ubuntu)
> Date: Sat, 21 Apr 2018 06:44:10 GMT
> Content-Length: 0
> Connection: keep-alive
> X-XSS-Protection: 1; mode=block
> X-Frame-Options: SAMEORIGIN
> X-Content-Type-Options: nosniff
> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>
> In 2.27, this same request returns a 401.
>
> curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.27/api/me
> HTTP/1.1 401
> Server: nginx/1.4.6 (Ubuntu)
> Date: Sat, 21 Apr 2018 06:44:27 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 1071
> Connection: keep-alive
> X-XSS-Protection: 1; mode=block
> X-Frame-Options: SAMEORIGIN
> X-Content-Type-Options: nosniff
> Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27; HttpOnly
> WWW-Authenticate: Basic realm="DHIS2"
> Content-Language: en
>
> On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire <matavi...@gmail.com> wrote:
>
>> Hi Morten,
>>
>> The password is set wrong deliberately so as to get a 401 or other
>> response. The problem is when you set the wrong password or username you
>> get endless redirects from the API.
>>
>> Regards,
>>
>> On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen <mor...@dhis2.org> wrote:
>>
>>> It should be district, not distric... but also people keep changing our
>>> internal passwords (our database resets every 24 hours)
>>>
>>> --
>>> Morten Olav Hansen
>>> Senior Engineer, DHIS 2
>>> University of Oslo
>>> http://www.dhis2.org
>>>
>>> On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire <matavi...@gmail.com> wrote:
>>>
>>>> By the way, it's not just the error response code that is worrying, but
>>>> also the loop of redirects that starts; this makes it difficult to handle
>>>> the response for an HTTP client. To see this loop of redirects, you can add
>>>> -L to curl as below.
>>>>
>>>> curl -I -L -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.28/api/me
>>>>
>>>> I think this behaviour should be corrected as it may lead to unexpected
>>>> behaviour of apps.
>>>>
>>>> Regards
>>>>
>>>> On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire <matavi...@gmail.com> wrote:
>>>>
>>>>> Hi Devs,
>>>>>
>>>>> I am wondering whether the behaviour I am seeing is a bug or something
>>>>> to be expected due to some change.
>>>>>
>>>>> When I run the following curl command:
>>>>>
>>>>> curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me
>>>>>
>>>>> I get an HTTP 302 response. Note that I have deliberately set the
>>>>> password wrong so I can mock a 401 unauthorized response. I get the same
>>>>> response when I run the command on version 2.28. However, as expected,
>>>>> when I run it on 2.27, 2.26 etc I get a 401 HTTP response.
>>>>>
>>>>> I hope someone can assist.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Ranga
>>>>
>>>> _______________________________________________
>>>> Mailing list: https://launchpad.net/~dhis2-devs
>>>> Post to : dhis2-devs@lists.launchpad.net
>>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>>> More help : https://help.launchpad.net/ListHelp
>
> --
> Jason P. Pickering
> email: jason.p.picker...@gmail.com
> tel:+46764147049
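
The client-side handling problem discussed in this thread, as an added example that is not part of the original messages or of DHIS2's code: a client that refuses automatic redirect following can treat a 302 to the login page as an authentication failure, the same as the 401 returned by 2.27, and can cap or detect redirect loops itself. The function names and the `fetch(url) -> (status, headers)` transport are hypothetical; the sample responses are constructed from the headers quoted above.

```python
from urllib.parse import urljoin, urlsplit

# Login path taken from the Location headers quoted in the thread.
LOGIN_PATH_SUFFIX = "/dhis-web-commons/security/login.action"
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed samples, reduced to the headers that matter here.
RESP_229 = (302, {"Location": "https://play.dhis2.org/2.29" + LOGIN_PATH_SUFFIX})
RESP_227 = (401, {"WWW-Authenticate": 'Basic realm="DHIS2"'})

def _location(headers):
    """Case-insensitive lookup of the Location header ('' if absent)."""
    return next((v for k, v in headers.items() if k.lower() == "location"), "")

def classify(status, headers):
    """Map a single API response to an auth outcome, without following redirects."""
    if status == 401:
        return "unauthorized"
    to_login = urlsplit(_location(headers)).path.endswith(LOGIN_PATH_SUFFIX)
    if status in REDIRECTS and to_login:
        return "unauthorized-via-redirect"  # the 2.28/2.29 behaviour in the thread
    if 200 <= status < 300:
        return "ok"
    return "other"

def probe(fetch, url, max_hops=5):
    """Follow redirects by hand; stop on an auth failure, a revisited URL, or
    the hop cap. fetch(url) -> (status, headers) is a hypothetical transport
    that must not follow redirects itself."""
    visited = [url]
    for _ in range(max_hops):
        status, headers = fetch(url)
        outcome = classify(status, headers)
        if outcome != "other" or status not in REDIRECTS:
            return outcome, visited
        url = urljoin(url, _location(headers))
        if url in visited:
            return "redirect-loop", visited + [url]
        visited.append(url)
    return "too-many-redirects", visited
```

With a real HTTP library, the equivalent of `fetch` is a request made with automatic redirect following turned off, so the first 302 is seen by the application instead of being chased.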