Possible bug in the latest httpauthfilter for CP2.2.x

Venkat Bommakanti

Hi Sylvain, et al...

I've been using the latest version in:
   http://trac.defuze.org/browser/oss/httpauthfilter
under TurboGears 1.0b1 (TG) to provide Digest/Basic
Auth services.

I first noticed this under TG. I had setup TG/CP (prod.cfg)
to serve static content from:
   /root-of-tg-app/tgapp/prod.cfg
   /root-of-tg-app/tgapp/start-tgapp.py
   /root-of-tg-app/tgapp/tgapp/static/*.html
   /root-of-tg-app/tgapp/tgapp/static/css/*.css
etc., with (static-dir settings in prod.cfg):
   [global]
   static_filter.root = "/root-of-tg-app/tgapp/tgapp"
   [/static]
   static_filter.on = True
   static_filter.root = "static"
   ......

Under the typical usage of:
   . valid login
   . valid homepage accessed, etc
everything works as expected. However, if I do the following:
   . Launch say, Firefox 2 and clear the cache
   . Access http://localhost:8080/ (home)
   . And click on the Cancel button twice (max tries),
     access is denied.
   . Now if I enter the url to a valid resource under /static
     like say,
         "http://localhost:8080/static/css/style.css"
     it does cause the browser to throw up the login popup
     twice (after Cancels).
   . But now, if I refresh the page with that url still in the
     address bar, it throws the login box twice, but after
     the last Cancel-click, it actually displays the resource
     (style.css in this case)

So, it appears Digest/Basic Auth is failing on static
content after repeated login cancellations. There is
no problem with dynamic content off the Root controller.

This can be reproduced with the "examplehttpauth.py"
also by doing the following:
   . Place the needed httpauth*.py files in your
       ...lib/python2.4/site-packages
   . place:
       <curr-dir>/examplehttpauth.py
   . create a folder structure with a file like:
       <curr-dir>/static/style.css
   . Run:
       <curr-dir>/python examplehttpauth.py
   . Launch the browser and follow the steps listed above.
     style.css will be served even after login failure.

Thanks for looking into it.
Happy hols, all.

/venkat


--~--~---------~--~----~------------~-------~--~----~
 You received this message because you are subscribed to the Google Groups "cherrypy-users" group.
To post to this group, send email to [hidden email]
To unsubscribe from this group, send email to [hidden email]
For more options, visit this group at http://groups-beta.google.com/group/cherrypy-users?hl=en
-~----------~----~----~----~------~----~------~--~---
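The report above describes a static resource that ends up being served after the user has cancelled the login prompt, while dynamic pages stay protected. The defensive property to check for is that the credential check runs before any handler, static or dynamic, and that a static file is never written to the response on an unauthenticated request. The script below is an added regression check written for this post; it is not code from httpauthfilter, CherryPy or TurboGears. It models the setup as a plain WSGI application instead of CherryPy 2.2 filters, implements Basic auth only (Digest works the same way at this layer), and drives the app by direct call so it runs offline. The realm, the user `venkat`/`s3cret`, the temporary `static/css/style.css` and its contents are all constructed for the demo.

```python
"""Regression check for "auth before static": every request, static or
dynamic, must pass the credential check before any handler runs.

Added example, not the httpauthfilter or CherryPy code from the thread.
Stand-alone WSGI app plus a direct-call harness (no sockets).
"""
import base64
import hmac
import os
import posixpath
import tempfile

REALM = "demo"                    # constructed for the demo
USERS = {"venkat": "s3cret"}      # constructed demo credentials


def _check_basic(environ):
    """Return the user name if the Basic Authorization header is valid, else None."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    # compare_digest keeps the comparison time independent of the password contents
    if expected is None or not hmac.compare_digest(expected.encode(), pw.encode()):
        return None
    return user


def make_app(static_root):
    """WSGI app: credential check first, then static or dynamic dispatch."""
    static_root = os.path.realpath(static_root)

    def app(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        user = _check_basic(environ)
        if user is None:
            # Deny before dispatch, so /static/... is protected exactly like /
            start_response("401 Unauthorized",
                           [("WWW-Authenticate", 'Basic realm="%s"' % REALM),
                            ("Content-Type", "text/plain")])
            return [b"authentication required"]
        if path.startswith("/static/"):
            # Normalise the relative part and confine it to static_root
            rel = posixpath.normpath(path[len("/static/"):]).lstrip("/")
            full = os.path.realpath(os.path.join(static_root, rel))
            if not full.startswith(static_root + os.sep) or not os.path.isfile(full):
                start_response("404 Not Found", [("Content-Type", "text/plain")])
                return [b"not found"]
            with open(full, "rb") as fh:
                data = fh.read()
            start_response("200 OK", [("Content-Type", "text/css")])
            return [data]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [("hello %s" % user).encode()]

    return app


def call(app, path, credentials=None):
    """Invoke the WSGI app directly; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if credentials is not None:
        token = base64.b64encode(("%s:%s" % credentials).encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def build_fixture():
    """Create <tmp>/static/css/style.css with constructed content; return <tmp>."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "static", "css"))
    with open(os.path.join(root, "static", "css", "style.css"), "w") as fh:
        fh.write("body { color: black; }\n")
    return root


def run_checks():
    """Replay the thread's scenario: unauthenticated static, valid static,
    valid dynamic, and an escape attempt outside the static root."""
    root = build_fixture()
    app = make_app(os.path.join(root, "static"))
    no_auth = call(app, "/static/css/style.css")
    good = call(app, "/static/css/style.css", ("venkat", "s3cret"))
    home = call(app, "/", ("venkat", "s3cret"))[0]
    outside = call(app, "/static/../prod.cfg", ("venkat", "s3cret"))[0]
    return no_auth[0], no_auth[1].get("WWW-Authenticate"), good[0], good[2], home, outside


if __name__ == "__main__":
    print(run_checks())
```

Run it against any changed auth/static ordering: the first status must stay `401 Unauthorized` with a `WWW-Authenticate` header, which is exactly the case the report says goes wrong after the second cancelled prompt. The `..` case is an extra check that the static handler stays inside its root even for an authenticated user.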

Re: Possible bug in the latest httpauthfilter for CP2.2.x

Sylvain Hellegouarch

I will look at it next week. Thanks for the report.

- Sylvain
