
`/me` endpoint 401 challenges different between servlet and spring-mvc

Open bdemers opened this issue 9 years ago • 0 comments

The 401 challenge for the /me endpoint differs between the servlet and spring-mvc integrations.

For Spring-MVC the 401 is set directly from the MeController.

This causes a few problems:

  1. If Bearer auth is disabled, a spring-mvc app would likely still challenge with 'Bearer'.
  2. The 'spring-boot-webmvc-angular' example (and possibly clients) currently calls /me; changing the behavior to include a 'Basic' challenge will cause browser popups.
  3. As mentioned above, the angularjs example cannot be ported directly to a regular servlet based application (without change).

Spring.io has a tutorial, and mentions setting X-Requested-With in order for the server NOT to respond with a WWW-Authenticate header.

NOTE: Fixing the tutorial could be as simple as adding a check to NOT call /me unless the user is authenticated, I mentioned this above to indicate a potential change in behavior

Workaround: Setting stormpath.web.uris./me = anon in a servlet app makes it behave like the spring-mvc example (which is likely still wrong, but I figured I'd point it out).

Curl examples below:

spring-mvc example:

[bdemers@computer spring-mvc]$ curl localhost:8080/me -v
*   Trying ::1...
* Connected to localhost (::1) port 8080 (#0)
> GET /me HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.49.1
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Date: Wed, 26 Oct 2016 19:42:53 GMT
< Cache-Control: no-store, no-cache
< Pragma: no-cache
< Content-Type: application/json
< WWW-Authenticate: Bearer realm="My Application"
< Content-Length: 0

servlet example:

[bdemers@computer servlet]$ curl localhost:8080/me -v
*   Trying ::1...
* Connected to localhost (::1) port 8080 (#0)
> GET /me HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.49.1
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Date: Wed, 26 Oct 2016 19:41:09 GMT
< Cache-Control: no-store, no-cache
< Pragma: no-cache
< WWW-Authenticate: Basic realm="My Application"
< WWW-Authenticate: Bearer realm="My Application"
< Content-Length: 0
< 

bdemers · Oct 26 '16 20:10
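As an added example (not code from stormpath-sdk-java or the issue author), the following client-side helper parses the WWW-Authenticate challenge(s) of a 401 and tells whether a browser XHR would trigger the native Basic-auth popup the issue warns about; the sample header sets are constructed from the two curl sessions above, and `meRequestOptions` is a hypothetical helper implementing the NOTE's "don't call /me unless authenticated" guard plus the X-Requested-With header from the spring.io tutorial.

```javascript
// Added example, not part of stormpath-sdk-java.
// Sample header values constructed from the two curl sessions in the issue.
const SPRING_MVC_401 = ['Bearer realm="My Application"'];
const SERVLET_401 = ['Basic realm="My Application"', 'Bearer realm="My Application"'];

// One challenge: a scheme token followed by optional auth-params. A single
// header may carry several challenges separated by commas (RFC 7235), and a
// server may also send one challenge per header (the servlet example does),
// so every header value is scanned.
const CHALLENGE_RE = /([A-Za-z][\w.~+\/-]*)((?:\s+[\w-]+=(?:"(?:[^"\\]|\\.)*"|[^\s,]+)\s*,?)*)/g;
const PARAM_RE = /([\w-]+)=("(?:[^"\\]|\\.)*"|[^\s,]+)/g;

// Returns [{ scheme, params }] in the order the challenges appeared.
function parseChallenges(headerValues) {
  const challenges = [];
  for (const value of headerValues) {
    for (const m of value.matchAll(CHALLENGE_RE)) {
      const params = {};
      for (const p of m[2].matchAll(PARAM_RE)) {
        const raw = p[2];
        // Unquote quoted-string values and drop backslash escapes.
        params[p[1].toLowerCase()] =
          raw.startsWith('"') ? raw.slice(1, -1).replace(/\\(.)/g, '$1') : raw;
      }
      challenges.push({ scheme: m[1].toLowerCase(), params });
    }
  }
  return challenges;
}

// A browser shows its native credential dialog for a 401 that carries a Basic
// (or Digest) challenge, even when the request came from XHR/fetch. The
// servlet integration sends Basic, the spring-mvc MeController only Bearer.
function browserWillPrompt(status, headerValues) {
  if (status !== 401) return false;
  return parseChallenges(headerValues).some(c => c.scheme === 'basic' || c.scheme === 'digest');
}

// Hypothetical client guard from the issue's NOTE: only call /me once the user
// is known to be authenticated, and mark the call as XHR so a server that
// honours X-Requested-With (as in the spring.io tutorial) can omit the
// WWW-Authenticate header. Returns null when the call should be skipped.
function meRequestOptions(isAuthenticated) {
  if (!isAuthenticated) return null; // no request, so no 401 and no popup
  return {
    method: 'GET',
    headers: { Accept: 'application/json', 'X-Requested-With': 'XMLHttpRequest' },
  };
}
```

Node's `Headers.get('WWW-Authenticate')` joins repeated headers with ", ", which the parser also handles.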