In what version did this return a 401? Because that sounds like a bug to me. If you give me the version number, I can have a look.

--
Morten Olav Hansen
Senior Engineer, DHIS 2
University of Oslo
http://www.dhis2.org

On Tue, Apr 24, 2018 at 9:38 AM, Morten Olav Hansen <mor...@dhis2.org> wrote:

> I'm not sure exactly what you mean Jason, this has been like this always? Are you saying this behavior has changed? Because it should not have. To make the browser properly redirect to the login page, it needs to send a 302 to forward it.
>
> In 2.28 we introduced the X-Requested-With header which tells DHIS2 that this request is done by XHR (and not a browser); we can't change the default to 401 as it would break things badly.
>
> --
> Morten Olav Hansen
> Senior Engineer, DHIS 2
> University of Oslo
> http://www.dhis2.org
>
> On Mon, Apr 23, 2018 at 7:17 PM, Jason Pickering <jason.p.picker...@gmail.com> wrote:
>
>> Hi Bob,
>>
>> Yeah, I am not sure it's fine either, but what I am trying to get information on is what the expected behavior actually should be. Seems it should not be this though, from what you and Ranga are saying. Just to exclude any possible effect from the reverse proxy, it's the same against a localhost:
>>
>> * Trying 127.0.0.1...
>> * TCP_NODELAY set
>> * Connected to localhost (127.0.0.1) port 8080 (#0)
>> * Server auth using Basic with user 'admin'
>> > GET /api/me HTTP/1.1
>> > Host: localhost:8080
>> > Authorization: Basic YWRtaW46ZGlzdHJpY3Q=
>> > User-Agent: curl/7.53.1
>> > Accept: */*
>> >
>> < HTTP/1.1 302 Found
>> < Server: Apache-Coyote/1.1
>> < X-XSS-Protection: 1; mode=block
>> < X-Frame-Options: SAMEORIGIN
>> < X-Content-Type-Options: nosniff
>> < Location: http://localhost/dhis-web-commons/security/login.action
>> < Content-Length: 0
>> < Date: Mon, 23 Apr 2018 12:15:22 GMT
>>
>> On Mon, Apr 23, 2018 at 11:36 AM, Bob Jolliffe <bobjolli...@gmail.com> wrote:
>>
>>> Hi Jason
>>>
>>> I am not sure that this is all fine. It looks to me like this is a bug which has slipped in and that the original 401 response is the correct expected behaviour. API users using pre-emptive basic authentication have no good reason to be redirected to the login page with invalid credentials.
>>>
>>> Regards
>>> Bob
>>>
>>> On 23 April 2018 at 09:46, Jason Pickering <jason.p.picker...@gmail.com> wrote:
>>> > Hi Morten,
>>> >
>>> > I am going to persist here, as it's still not clear to me what has changed in the API.
>>> >
>>> > Ranga documents that the API behavior has changed when trying to access /api/me with basic authentication. It has changed from a 401 to a 302. This also breaks the API tests (https://github.com/dhis2/api-tests/blob/master/features/step_definitions/authentication.js#L38) which also expect a 401. This is all fine, but could you provide a bit more context on the change in behavior and whether this is expected?
>>> >
>>> > Regards,
>>> > Jason
>>> >
>>> > On Mon, Apr 23, 2018 at 2:53 AM, Morten Olav Hansen <mor...@dhis2.org> wrote:
>>> >>
>>> >> Try and set the header "X-Requested-With" to "XMLHttpRequest"
>>> >>
>>> >> --
>>> >> Morten Olav Hansen
>>> >> Senior Engineer, DHIS 2
>>> >> University of Oslo
>>> >> http://www.dhis2.org
>>> >>
>>> >> On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire <matavi...@gmail.com> wrote:
>>> >>>
>>> >>> Thanks Jason,
>>> >>>
>>> >>> In addition, if you add the '-L' option to the 2.28 and 2.29 queries as follows:
>>> >>>
>>> >>> curl -I -L -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me
>>> >>>
>>> >>> You get a redirect loop which seems infinite until it terminates in error as follows:
>>> >>>
>>> >>> HTTP/1.1 302
>>> >>> Server: nginx/1.4.6 (Ubuntu)
>>> >>> Date: Sat, 21 Apr 2018 13:13:18 GMT
>>> >>> Content-Length: 0
>>> >>> Connection: keep-alive
>>> >>> X-XSS-Protection: 1; mode=block
>>> >>> X-Frame-Options: SAMEORIGIN
>>> >>> X-Content-Type-Options: nosniff
>>> >>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>> >>>
>>> >>> HTTP/1.1 302
>>> >>> Server: nginx/1.4.6 (Ubuntu)
>>> >>> Date: Sat, 21 Apr 2018 13:13:18 GMT
>>> >>> Content-Length: 0
>>> >>> Connection: keep-alive
>>> >>> X-XSS-Protection: 1; mode=block
>>> >>> X-Frame-Options: SAMEORIGIN
>>> >>> X-Content-Type-Options: nosniff
>>> >>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>> >>>
>>> >>> HTTP/1.1 302
>>> >>> Server: nginx/1.4.6 (Ubuntu)
>>> >>> Date: Sat, 21 Apr 2018 13:13:18 GMT
>>> >>> Content-Length: 0
>>> >>> Connection: keep-alive
>>> >>> X-XSS-Protection: 1; mode=block
>>> >>> X-Frame-Options: SAMEORIGIN
>>> >>> X-Content-Type-Options: nosniff
>>> >>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>> >>>
>>> >>> HTTP/1.1 302
>>> >>> Server: nginx/1.4.6 (Ubuntu)
>>> >>> Date: Sat, 21 Apr 2018 13:13:19 GMT
>>> >>> Content-Length: 0
>>> >>> Connection: keep-alive
>>> >>> X-XSS-Protection: 1; mode=block
>>> >>> X-Frame-Options: SAMEORIGIN
>>> >>> X-Content-Type-Options: nosniff
>>> >>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>> >>>
>>> >>> HTTP/1.1 302
>>> >>> Server: nginx/1.4.6 (Ubuntu)
>>> >>> Date: Sat, 21 Apr 2018 13:13:19 GMT
>>> >>> Content-Length: 0
>>> >>> Connection: keep-alive
>>> >>> X-XSS-Protection: 1; mode=block
>>> >>> X-Frame-Options: SAMEORIGIN
>>> >>> X-Content-Type-Options: nosniff
>>> >>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>> >>>
>>> >>> curl: (47) SSLRead() return error -9806
>>> >>>
>>> >>> This causes bugs in applications that access the api for authentication, and I can also see how this can be used to diminish system performance in general.
>>> >>>
>>> >>> Regards,
>>> >>>
>>> >>> Ranga
>>> >>>
>>> >>> On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering <jason.p.picker...@gmail.com> wrote:
>>> >>>>
>>> >>>> Just to try and make it a bit more clear Morten, I think the issue Rangarirai is asking about is below:
>>> >>>>
>>> >>>> In 2.29 and 2.28, an unauthorized username/password returns a 302.
>>> >>>>
>>> >>>> curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me
>>> >>>> HTTP/1.1 302
>>> >>>> Server: nginx/1.4.6 (Ubuntu)
>>> >>>> Date: Sat, 21 Apr 2018 06:44:10 GMT
>>> >>>> Content-Length: 0
>>> >>>> Connection: keep-alive
>>> >>>> X-XSS-Protection: 1; mode=block
>>> >>>> X-Frame-Options: SAMEORIGIN
>>> >>>> X-Content-Type-Options: nosniff
>>> >>>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>> >>>>
>>> >>>> In 2.27, this same request returns a 401.
>>> >>>>
>>> >>>> curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.27/api/me
>>> >>>> HTTP/1.1 401
>>> >>>> Server: nginx/1.4.6 (Ubuntu)
>>> >>>> Date: Sat, 21 Apr 2018 06:44:27 GMT
>>> >>>> Content-Type: text/html;charset=utf-8
>>> >>>> Content-Length: 1071
>>> >>>> Connection: keep-alive
>>> >>>> X-XSS-Protection: 1; mode=block
>>> >>>> X-Frame-Options: SAMEORIGIN
>>> >>>> X-Content-Type-Options: nosniff
>>> >>>> Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27; HttpOnly
>>> >>>> WWW-Authenticate: Basic realm="DHIS2"
>>> >>>> Content-Language: en
>>> >>>>
>>> >>>> On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire <matavi...@gmail.com> wrote:
>>> >>>>>
>>> >>>>> Hi Morten,
>>> >>>>>
>>> >>>>> The password is set wrong deliberately so as to get a 401 or other response. The problem is when you set the wrong password or username you get endless redirects from the API.
>>> >>>>>
>>> >>>>> Regards,
>>> >>>>>
>>> >>>>> On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen <mor...@dhis2.org> wrote:
>>> >>>>>>
>>> >>>>>> It should be district, not distric... but also people keep changing our internal passwords (our database resets every 24 hours)
>>> >>>>>>
>>> >>>>>> --
>>> >>>>>> Morten Olav Hansen
>>> >>>>>> Senior Engineer, DHIS 2
>>> >>>>>> University of Oslo
>>> >>>>>> http://www.dhis2.org
>>> >>>>>>
>>> >>>>>> On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire <matavi...@gmail.com> wrote:
>>> >>>>>>>
>>> >>>>>>> By the way, it's not just the error response code that is worrying, but also the loop of redirects that starts; this makes it difficult to handle the response for an http client. To see this loop of redirects, you can add -L to curl as below.
>>> >>>>>>>
>>> >>>>>>> curl -I -L -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.28/api/me
>>> >>>>>>>
>>> >>>>>>> I think this behaviour should be corrected as it may lead to unexpected behaviour of apps.
>>> >>>>>>>
>>> >>>>>>> Regards
>>> >>>>>>>
>>> >>>>>>> On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire <matavi...@gmail.com> wrote:
>>> >>>>>>>>
>>> >>>>>>>> Hi Devs,
>>> >>>>>>>>
>>> >>>>>>>> I am wondering whether the behaviour I am seeing is a bug or something to be expected due to some change.
>>> >>>>>>>>
>>> >>>>>>>> When I run the following curl command:
>>> >>>>>>>>
>>> >>>>>>>> curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me
>>> >>>>>>>>
>>> >>>>>>>> I get an HTTP 302 response. Note that I have deliberately set the password wrong so I can mock a 401 unauthorized response. I get the same response when I run the command on version 2.28. However, as expected, when I run it on 2.27, 2.26 etc. I get a 401 HTTP response.
>>> >>>>>>>>
>>> >>>>>>>> I hope someone can assist.
>>> >>>>>>>>
>>> >>>>>>>> Regards,
>>> >>>>>>>>
>>> >>>>>>>> Ranga
>>> >>>>
>>> >>>> --
>>> >>>> Jason P. Pickering
>>> >>>> email: jason.p.picker...@gmail.com
>>> >>>> tel:+46764147049
>>> >
>>> > --
>>> > Jason P. Pickering
>>> > email: jason.p.picker...@gmail.com
>>> > tel:+46764147049
>>
>> --
>> Jason P. Pickering
>> email: jason.p.picker...@gmail.com
>> tel:+46764147049
_______________________________________________ Mailing list: https://launchpad.net/~dhis2-devs Post to : dhis2-devs@lists.launchpad.net Unsubscribe : https://launchpad.net/~dhis2-devs More help : https://help.launchpad.net/ListHelp
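What the thread converges on, written out as an added example that is not part of the original messages and not DHIS2's own code: an API client that sends pre-emptive Basic auth together with the X-Requested-With: XMLHttpRequest header Morten mentions, refuses to follow redirects, and treats a 302 to login.action as an authentication failure instead of chasing it into the loop Ranga observed. The small HTTP server inside it is a constructed stand-in that only imitates the responses quoted above (302 to the login page for a browser-style request with bad credentials, 401 with WWW-Authenticate when the XHR header is present, 200 JSON on success); the demo credentials, the loopback port and the fact that the stand-in redirects on every path are assumptions made for the example.

```python
"""Client-side handling of the 302-vs-401 behaviour discussed in this thread.

Constructed example: the fake server below only imitates what the thread
reports; it is not DHIS2 code.
"""
import base64
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Path taken from the Location headers quoted in the thread.
LOGIN_PATH = "/dhis-web-commons/security/login.action"
# Constructed demo credentials for the stand-in server (assumption, not a real deployment).
DEMO_USER, DEMO_PASSWORD = "admin", "district"


class FakeDhis2Handler(BaseHTTPRequestHandler):
    """Imitates the 2.28/2.29 responses reported above (constructed stand-in, not DHIS2 code)."""

    def log_message(self, *args):  # keep request logging quiet
        pass

    def _credentials_ok(self):
        auth = self.headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except Exception:  # malformed base64 or non-UTF-8 bytes count as bad credentials
            return False
        return (user, password) == (DEMO_USER, DEMO_PASSWORD)

    def do_GET(self):
        if self._credentials_ok():
            body = json.dumps({"name": DEMO_USER}).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.headers.get("X-Requested-With") == "XMLHttpRequest":
            # XHR marker present: answer the way 2.27 did for an API client.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="DHIS2"')
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            # Browser-style request with bad credentials: bounce to the login page.
            # Assumption for the demo: every path behaves this way, so a client that
            # follows redirects (curl -L) loops on login.action as the thread shows.
            self.send_response(302)
            self.send_header("Location", LOGIN_PATH)
            self.send_header("Content-Length", "0")
            self.end_headers()


def start_fake_server():
    """Start the stand-in on a free loopback port; returns (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), FakeDhis2Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


class NoRedirect(HTTPRedirectHandler):
    """Never follow redirects: urllib then raises HTTPError for the 302 so the caller can inspect it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def get_me(base_url, user, password, xhr=True, timeout=5):
    """Call /api/me with pre-emptive Basic auth and classify the answer.

    Returns {"status", "auth_ok", "reason", "location"}. A 302 whose Location
    is the login page is reported as "login_redirect" and is never followed.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}
    if xhr:
        headers["X-Requested-With"] = "XMLHttpRequest"  # marks this as an API call, per the thread
    request = Request(base_url + "/api/me", headers=headers)
    opener = build_opener(NoRedirect())
    try:
        with opener.open(request, timeout=timeout) as response:
            return {"status": response.status, "auth_ok": True, "reason": "ok", "location": None}
    except HTTPError as err:
        location = err.headers.get("Location")
        if err.code == 401:
            reason = "unauthorized"
        elif err.code == 302 and (location or "").endswith(LOGIN_PATH):
            reason = "login_redirect"
        else:
            reason = "http_error"
        return {"status": err.code, "auth_ok": False, "reason": reason, "location": location}


if __name__ == "__main__":
    base, server = start_fake_server()
    try:
        print(get_me(base, "admin", "district"))
        print(get_me(base, "admin", "distric"))
        print(get_me(base, "admin", "distric", xhr=False))
    finally:
        server.shutdown()
```

Run as a script it prints the three outcomes against the stand-in: a 200 with good credentials, a 401 with bad credentials and the XHR header, and a 302 to login.action with bad credentials and no XHR header. The client-side points are the two that matter regardless of server version: disable redirect following for API calls, and treat a Location pointing at the login page as "not authenticated" rather than as a page worth fetching.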