[
https://issues.apache.org/jira/browse/BROOKLYN-323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15891936#comment-15891936
]
ASF GitHub Bot commented on BROOKLYN-323:
-----------------------------------------
GitHub user bostko opened a pull request:
https://github.com/apache/brooklyn-server/pull/578
BROOKLYN-323: Logout fixes for karaf distribution
- Added POST logout call returning html.
  Intermediate logout step moved from brooklyn-ui
  to Java code in brooklyn-server.
- disable CSRF protection for logout call
- Give valid WWW-Authorization header to the client.
  Previously it was just WWW-Authorization: Basic
  Where it has to be WWW-Authorization: Basic realm="something"
- removed TEMPORARY_REDIRECT step
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/bostko/brooklyn-server logout-api
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/brooklyn-server/pull/578.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #578
----
commit fc912466c096cdb4059d8e42f3a3105ed623ee68
Author: Valentin Aitken
Date: 2016-08-03T19:56:11Z
BROOKLYN-323: Logout fixes for karaf distribution
- Added POST logout call returning html.
  Intermediate logout step moved from brooklyn-ui
  to Java code in brooklyn-server.
- disable CSRF protection for logout call
- Give valid WWW-Authorization header to the client.
  Previously it was just WWW-Authorization: Basic
  Where it has to be WWW-Authorization: Basic realm="something"
- removed TEMPORARY_REDIRECT step
----
> Inconsistent logout behavior for Basic Authentication
> -----------------------------------------------------
>
> Key: BROOKLYN-323
> URL: https://issues.apache.org/jira/browse/BROOKLYN-323
> Project: Brooklyn
> Issue Type: Bug
> Affects Versions: 0.9.0, 0.10.0, 0.9.1
> Environment: Firefox, Internet Explorer, Google Chrome
> Reporter: Valentin Aitken
> Fix For: 0.10.0
>
>
> Observed behavior:
> When clicking logout, the browser asks for a password.
> When entering a password, the browser asks you sequentially to enter username
> and password.
> How logout should be implemented for Basic Authentication:
> http://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication
> My explanation for behavior with the current code:
> First to clear out how brooklyn-ui is working and what it does.
> It polls infinitely the brooklyn api to retrieve status for the applications
> which are on the dashboard.
> To do that each request has to be authenticated.
> Logout:
> When the user clicks logout, the UI fires an ajax call to get a proper
> Unauthorized response.
> Current response for the logout request contains Unauthorized response which
> should invalidate credentials.
> For Google Chrome it does invalidate the request credentials but it does not
> reload the DOM (or the webpage)
> When the user tries to type username and password to log back in again, it is
> followed by another username and password prompt.
> My explanation for this is that login actually appeared from one of the
> application status calls rather than the index page and credentials are not
> populated through the DOM.
> Because of this, credentials have to be typed for every single request and the
> UI is making status calls infinitely, so in other words the user has to enter
> username and password infinitely.
> However, for Internet Explorer it behaves differently.
> It just unauthenticates the one Ajax request and from there nothing happens.
> Deletion of the session within Internet Explorer doesn't happen and browser
> stays authenticated.
> My idea for solving those problems is to do a full reload of the web page
> after deauthenticating,
> so Brooklyn can have only one javascript authentication cycle.
> I will provide a solution which does that in one simple step.
> Calling the /logout API call which returns Unauthorized response and redirect
> to the home page.
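Added example, not part of the original message or of the Brooklyn code base: a JavaScript check that a logout response carries a well-formed Basic challenge. RFC 7617 requires the realm parameter, and HTTP carries the challenge in the WWW-Authenticate header. The function names and sample responses are constructed for illustration.

```javascript
// Added example; function names are hypothetical, not Brooklyn APIs.
// Token characters follow the HTTP "token" grammar.

// Parse 'Scheme name="value", name2=value2' into { scheme, params }.
// Returns null for anything malformed (token68 credentials are not handled).
function parseChallenge(value) {
  const head = /^\s*([\w!#$%&'*+.^`|~-]+)(?:\s+(.*\S))?\s*$/.exec(value || "");
  if (!head) return null;
  const rest = head[2] || "";
  const param =
    /\s*([\w!#$%&'*+.^`|~-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([\w!#$%&'*+.^`|~-]+))\s*(?:,|$)/y;
  const params = {};
  while (param.lastIndex < rest.length) {
    const m = param.exec(rest);
    if (!m) return null; // junk between parameters
    // Quoted strings may contain backslash escapes; plain tokens may not.
    params[m[1].toLowerCase()] =
      m[2] !== undefined ? m[2].replace(/\\(.)/g, "$1") : m[3];
  }
  return { scheme: head[1], params };
}

// List what is wrong with a logout response; an empty list means the
// response carries a well-formed Basic challenge.
function checkLogoutResponse(status, headers) {
  const problems = [];
  if (status !== 401) problems.push("status " + status + " is not 401");
  const name = Object.keys(headers).find(
    (n) => n.toLowerCase() === "www-authenticate");
  if (!name) return problems.concat("no WWW-Authenticate header");
  const challenge = parseChallenge(headers[name]);
  if (!challenge) problems.push("challenge does not parse");
  else if (challenge.scheme.toLowerCase() !== "basic")
    problems.push("scheme is " + challenge.scheme + ", not Basic");
  else if (!challenge.params.realm)
    problems.push("Basic challenge has no realm");
  return problems;
}

// Constructed sample responses: the bare challenge, then the corrected one.
console.log(checkLogoutResponse(401, { "WWW-Authenticate": "Basic" }));
console.log(checkLogoutResponse(401, { "WWW-Authenticate": 'Basic realm="something"' }));
```

Run against the logout endpoint's actual status and headers, the same check flags a redirect status or a missing challenge header as well as a missing realm.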