Use only securityContext.isContinue() to decide if SC_UNAUTHORIZED re… #339
Conversation
|
I'll check the behavior with those PRs asap. |
|
👍 |
|
I do confirm proper behavior of empty POST ajax request with this PR
In every case the authentication work properly and empty ajax requests work like a charm. 👍 @AriSuutariST Do you still maintain Waffle-1.7.x branch and if so will you include this PR ? |
|
Support for 1.7 was noted to end after a year as we moved to java 7. However given the nature of the issues, I'm willing to backport fixes if needed. If you are able to use java 7 though and there are no other requests for Java 6 then I'd be inclined not to backport. Sent from Outlook Mobile On Thu, Apr 7, 2016 at 2:02 AM -0700, "Olivier Jaquemet" notifications@github.com wrote: I do confirm proper behavior of empty POST ajax request with this PR
In every case the authentication work properly and empty ajax requests work like a charm. 👍 @AriSuutariST Do you still maintain Waffle-1.7.x branch and if so will you include this PR ? You are receiving this because you are subscribed to this thread. |
|
@hazendaz @AriSuutariST thanks! |
So don't bother to merge in 1.7.x. unless other users request it, thanks for proposing. |
|
I'm merging this. |
|
Actually wait, this needs a CHANGELOG entry too, @OlivierJaquemet. Thanks. While you're at it, try to make those CHANGELOGs look alike, now a bit all over the place, they used to be like so: |
|
@AriSuutariST Think the change log need was from you. If the tomcat variations are pretty much the same, please make it to all the tomcat versions. If it's slightly different, maybe another PR for that since this part is the core. |
|
I made the change for all tomcat versions. However, the change causes troubles in NegotiateAuthenticatorTests.testChallengePost. When I run only that single test, it passes without problems. But when I run all the tests the token sent by this test is accepted right without any extra negotiation (same way as seen with browser also) and the test fails because it expects 401 response & keep-alive header. Maybe something needs to be done to test so it's results are not affected by previous tests. |
|
One potential fix for unit test would be to use "NTLM" security package instead of "Negotiate" in NegotiateAuthenticatorTests.testChallengePost(), as the problem with test occurs only when "Negotiate" package chooses to use Kerberos. |
|
@hazendaz can you please make a call on merging this or not given the note on the test (and hit the merge button if)? I don't want to break everything and I am no longer building this project ;) |
|
@dblock I'll take a closer look at this as soon as I can. Maybe I'll take another crack at getting tests working on appveyor. It certainly would be nicer if we didn't see all green when things are red ;) |
|
I tried to find solution for fixing the tests (other than switching tests from Negotiate to NTLM), but I was unable to find one. Some kind of caching that occurs when Negotiate uses Kerberos should be somehow disabled, otherwise tests affect each others execution. |
|
OK - We should let this sit a while longer then so we can figure out a best way approach at resolving it. I know in the past I put catches in the tests for errors I didn't quite understand. This sort of sounds like a related type issue. Possibly there is something we can do to fix them all. We definitely don't want tests leaking between runs. |
|
@AriSuutariST Is it possible for you to rebase this and possible see if it's any better at this point? I'm close to releasing 1.8.2 and wondering if this is possible to pull in. |
|
Issue appears to only be change log. I restructured it a bit so technically should be easy to resolve. |
|
@hazendaz I'll try to check this today. |
|
When building after rebase, things look different now. It still fails (for me) at But also master branch ends up with same test failure. Maybe someone else could try building this branch to see if it is only me ? |
|
I'll try to build this on another machine and see what I get. I've had better luck on a new laptop I just got and have been getting setup. I'll let you know. |
…sponse is needed.
|
@hazendaz I rebased this again and tried building on another laptop. Unfortunately it results in same error, for this branch and also for master branch. I starting to wonder if there are any requirements currently for tests to pass successfully that my environment is missing (currently W10 laptops that belong to domain) ? |
|
I did cut the cord on 1.8.2 release. I'll have to come back to this. Builds work successfully on two of my machines. The .net fails on one of them. Not sure what the issue is. I'm not part of any domain on either. And the one I've always had issues with either java or .net. After many fixes this year the .net was all that was left failing then my machine crashed and I had to rebuild from scratch so I assumed it would start working...but no go. Anyway, I'll try to take a crack at this later this week or next weekend. Really depends on how much my 3 week vacation impacts me at my day job. I'm back tomorrow :( |
|
Has this been abandoned due to comments in #346? Is this ultimately the fix for #346? I recently tried upgrading 1.7.3 to 1.8.3 and the "IE sends 0 bytes" issue occurs via AJAX whereas this did not occur in 1.7.3. I always thought that #39 resolved the "IE 0 bytes issue" as back in 2012 issue #39 was the reason we upgraded from an earlier version. Is this PR to fix some regression since 2012? Or is it a different issue that just behaves the same? Finally, is there some way I can test this PR without having to build? Anyone can send a waffle-jna.jar with the fix for testing? |
|
@tjstuart This PR would need entirely rebased before any testing. I don't have time right now to get it rebased. You should however be able to check this out in github desktop and run a rebase against it. However, not how sure how much of a merge conflict issue will be resent as a lot has changed from 2016. You might be better just pulling master and building from there then checking to see if the issue still exists. |
|
@hazendaz - Pulled the fix and rebased on top of the waffle-1.8.3 tag. I can confirm that the issue is fixed. Please note that I only tested the jna negotiate filter. |
|
Great! Can you push that back up as a new PR? Also add an entry to change log and I'll merge right away.
Get Outlook for Android<https://aka.ms/ghei36>
…________________________________
From: tjstuart <notifications@github.com>
Sent: Monday, April 2, 2018 10:22:41 PM
To: Waffle/waffle
Cc: Jeremy Landis; Mention
Subject: Re: [Waffle/waffle] Use only securityContext.isContinue() to decide if SC_UNAUTHORIZED re… (#339)
@hazendaz<https://github.com/hazendaz> - Pulled the fix and rebased on top of the waffle-1.8.3 tag. I can confirm that the issue is fixed.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#339 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AA7hoz4tNqH82JXPsLwO0SjUmn-3iDbqks5tktzxgaJpZM4IA7x0>.
|
|
@hazendaz - can do new PR etc. but note that I only tested the NegotiateSecurityFilterProvider, none of the tomcat* changes (although the change appears to be the same across all). |
|
@tjstuart I'm good with that. I was unable to test the issue and it needed the change log. So the fact that you were able to test and confirm is very helpful in applying it. |
|
Merged via #609 |
…sponse is needed. This is needed for SPNEGO situations where browser sends correct authentication information right in the first request. This is different than with NTLM, but this
change works with NTLM also, because isContinue() is true with NTLM if additional negotiation is needed.
This should fix second issue (noticed by @OlivierJaquemet ) in #167.
I have tested this change with Tomcat 8, both with Valve and Filter configurations.
PR #338 is needed before this.
Please test, if it looks ok then I'll make similar changes to tomcat 6/7 code.