It's also documented here so if this behavior really has changed and this is not a bug, we need to change the docs as well:
https://docs.dhis2.org/master/en/developer/html/webapi_ system_resource.html#d0e12069 JIRA issue here: https://jira.dhis2.org/browse/DHIS2-3519 On Tue, Apr 24, 2018 at 10:05 AM, Morten Olav Hansen <mor...@dhis2.org> wrote: > I think maybe its related to openldap, there was some issues with our ldap > configuration a while back > > Please file a jira issue for it, and I will have Viet have a look at it > (at least we can confirm the reason) > > -- > Morten Olav Hansen > Senior Engineer, DHIS 2 > University of Oslo > http://www.dhis2.org > > On Tue, Apr 24, 2018 at 12:21 PM, Jason Pickering < > jason.p.picker...@gmail.com> wrote: > >> Hi Morten, >> All of the information is provided in this thread. What both Ranga and I >> are saying is that when authenticating with basic authentication, and the >> authentication is not successful the following behavior is seen >> >> 1) In versions below 2.27 and below, a 401 response is sent from the >> server. >> 2) In versions 2.28 and above, a 302 response is sent from the server. >> >> The API tests were developed against 2.27, and it was a 401 response sent >> by the server with basic authentication was not successful. >> >> https://github.com/dhis2/api-tests/blob/master/features/step >> _definitions/authentication.js#L38 >> >> Regards, >> Jason >> >> >> On Tue, Apr 24, 2018 at 4:39 AM, Morten Olav Hansen <mor...@dhis2.org> >> wrote: >> >>> In what version did this return a 401? because that sounds like a bug to >>> me.. if you give me the version number, I can have a look >>> >>> -- >>> Morten Olav Hansen >>> Senior Engineer, DHIS 2 >>> University of Oslo >>> http://www.dhis2.org >>> >>> On Tue, Apr 24, 2018 at 9:38 AM, Morten Olav Hansen <mor...@dhis2.org> >>> wrote: >>> >>>> I'm not sure exactly what you mean Jason, this has been like this >>>> always? Are you saying this behavior has changed? because it should not >>>> have. To make the browser properly redirect to the login page, it needs to >>>> send a 302 to forward it. >>>> >>>> In 2.28 we introduced the X-Requested-With header which tells DHIS2 >>>> that this request is done by XHR (and not a browser), we can't change the >>>> default to 401 as it would break things badly. >>>> >>>> >>>> -- >>>> Morten Olav Hansen >>>> Senior Engineer, DHIS 2 >>>> University of Oslo >>>> http://www.dhis2.org >>>> >>>> On Mon, Apr 23, 2018 at 7:17 PM, Jason Pickering < >>>> jason.p.picker...@gmail.com> wrote: >>>> >>>>> Hi Bob, >>>>> >>>>> Yeah,I am not sure its fine either but what I am trying to get >>>>> information on is what the expected behavior actually should be. Seems it >>>>> should not be this though from what you and Ranga are saying. Just to >>>>> exclude any possible effect from the reverse proxy, its the same against a >>>>> localhost: >>>>> >>>>> * Trying 127.0.0.1... >>>>> * TCP_NODELAY set >>>>> * Connected to localhost (127.0.0.1) port 8080 (#0) >>>>> * Server auth using Basic with user 'admin' >>>>> > GET /api/me HTTP/1.1 >>>>> > Host: localhost:8080 >>>>> > Authorization: Basic YWRtaW46ZGlzdHJpY3Q= >>>>> > User-Agent: curl/7.53.1 >>>>> > Accept: */* >>>>> > >>>>> < HTTP/1.1 302 Found >>>>> < Server: Apache-Coyote/1.1 >>>>> < X-XSS-Protection: 1; mode=block >>>>> < X-Frame-Options: SAMEORIGIN >>>>> < X-Content-Type-Options: nosniff >>>>> < Location: http://localhost/dhis-web-commons/security/login.action >>>>> < Content-Length: 0 >>>>> < Date: Mon, 23 Apr 2018 12:15:22 GMT >>>>> >>>>> >>>>> On Mon, Apr 23, 2018 at 11:36 AM, Bob Jolliffe <bobjolli...@gmail.com> >>>>> wrote: >>>>> >>>>>> Hi Jason >>>>>> >>>>>> I am not sure that this is all fine. It looks to me like this is a >>>>>> bug which has slipped in and that the original 401 response is the >>>>>> correct expected behaviour. API users using pre-emptive basic >>>>>> authentication have no good reason to be redirected to the login page >>>>>> with invalid credentials. >>>>>> >>>>>> Regards >>>>>> Bob >>>>>> >>>>>> On 23 April 2018 at 09:46, Jason Pickering < >>>>>> jason.p.picker...@gmail.com> wrote: >>>>>> > Hi Morten, >>>>>> > >>>>>> > I am going to persist here, as its still not clear to me what has >>>>>> changed in >>>>>> > the API. >>>>>> > >>>>>> > Ranga documents that the API behavior has changed when trying to >>>>>> access >>>>>> > /api/me with basic authentication. It has changed from a 401 to a >>>>>> 302. This >>>>>> > also breaks the API tests >>>>>> > (https://github.com/dhis2/api-tests/blob/master/features/ste >>>>>> p_definitions/authentication.js#L38) >>>>>> > which also expects a 401. This is all fine, but could you provide a >>>>>> bit more >>>>>> > context on the change in behavior and whether this is expected? >>>>>> > >>>>>> > Regards, >>>>>> > Jason >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > On Mon, Apr 23, 2018 at 2:53 AM, Morten Olav Hansen < >>>>>> mor...@dhis2.org> >>>>>> > wrote: >>>>>> >> >>>>>> >> Try and set the header "X-Requested-With" to "XMLHttpRequest" >>>>>> >> >>>>>> >> -- >>>>>> >> Morten Olav Hansen >>>>>> >> Senior Engineer, DHIS 2 >>>>>> >> University of Oslo >>>>>> >> http://www.dhis2.org >>>>>> >> >>>>>> >> On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire < >>>>>> matavi...@gmail.com> >>>>>> >> wrote: >>>>>> >>> >>>>>> >>> Thanks Jason, >>>>>> >>> >>>>>> >>> In addition, if you add the '-L' option to the 2.28 and 2.29 >>>>>> queries as >>>>>> >>> follows: >>>>>> >>> >>>>>> >>> curl -I -L -u admin:distric -H 'Accept: application/json' >>>>>> >>> https://play.dhis2.org/2.29/api/me >>>>>> >>> >>>>>> >>> >>>>>> >>> You get a redirect loop which seems infinite until it terminates >>>>>> in error >>>>>> >>> as follows: >>>>>> >>> >>>>>> >>> HTTP/1.1 302 >>>>>> >>> >>>>>> >>> Server: nginx/1.4.6 (Ubuntu) >>>>>> >>> >>>>>> >>> Date: Sat, 21 Apr 2018 13:13:18 GMT >>>>>> >>> >>>>>> >>> Content-Length: 0 >>>>>> >>> >>>>>> >>> Connection: keep-alive >>>>>> >>> >>>>>> >>> X-XSS-Protection: 1; mode=block >>>>>> >>> >>>>>> >>> X-Frame-Options: SAMEORIGIN >>>>>> >>> >>>>>> >>> X-Content-Type-Options: nosniff >>>>>> >>> >>>>>> >>> Location: >>>>>> >>> https://play.dhis2.org/2.29/dhis-web-commons/security/login. >>>>>> action >>>>>> >>> >>>>>> >>> >>>>>> >>> HTTP/1.1 302 >>>>>> >>> >>>>>> >>> Server: nginx/1.4.6 (Ubuntu) >>>>>> >>> >>>>>> >>> Date: Sat, 21 Apr 2018 13:13:18 GMT >>>>>> >>> >>>>>> >>> Content-Length: 0 >>>>>> >>> >>>>>> >>> Connection: keep-alive >>>>>> >>> >>>>>> >>> X-XSS-Protection: 1; mode=block >>>>>> >>> >>>>>> >>> X-Frame-Options: SAMEORIGIN >>>>>> >>> >>>>>> >>> X-Content-Type-Options: nosniff >>>>>> >>> >>>>>> >>> Location: >>>>>> >>> https://play.dhis2.org/2.29/dhis-web-commons/security/login. >>>>>> action >>>>>> >>> >>>>>> >>> >>>>>> >>> HTTP/1.1 302 >>>>>> >>> >>>>>> >>> Server: nginx/1.4.6 (Ubuntu) >>>>>> >>> >>>>>> >>> Date: Sat, 21 Apr 2018 13:13:18 GMT >>>>>> >>> >>>>>> >>> Content-Length: 0 >>>>>> >>> >>>>>> >>> Connection: keep-alive >>>>>> >>> >>>>>> >>> X-XSS-Protection: 1; mode=block >>>>>> >>> >>>>>> >>> X-Frame-Options: SAMEORIGIN >>>>>> >>> >>>>>> >>> X-Content-Type-Options: nosniff >>>>>> >>> >>>>>> >>> Location: >>>>>> >>> https://play.dhis2.org/2.29/dhis-web-commons/security/login. >>>>>> action >>>>>> >>> >>>>>> >>> >>>>>> >>> HTTP/1.1 302 >>>>>> >>> >>>>>> >>> Server: nginx/1.4.6 (Ubuntu) >>>>>> >>> >>>>>> >>> Date: Sat, 21 Apr 2018 13:13:19 GMT >>>>>> >>> >>>>>> >>> Content-Length: 0 >>>>>> >>> >>>>>> >>> Connection: keep-alive >>>>>> >>> >>>>>> >>> X-XSS-Protection: 1; mode=block >>>>>> >>> >>>>>> >>> X-Frame-Options: SAMEORIGIN >>>>>> >>> >>>>>> >>> X-Content-Type-Options: nosniff >>>>>> >>> >>>>>> >>> Location: >>>>>> >>> https://play.dhis2.org/2.29/dhis-web-commons/security/login. >>>>>> action >>>>>> >>> >>>>>> >>> >>>>>> >>> HTTP/1.1 302 >>>>>> >>> >>>>>> >>> Server: nginx/1.4.6 (Ubuntu) >>>>>> >>> >>>>>> >>> Date: Sat, 21 Apr 2018 13:13:19 GMT >>>>>> >>> >>>>>> >>> Content-Length: 0 >>>>>> >>> >>>>>> >>> Connection: keep-alive >>>>>> >>> >>>>>> >>> X-XSS-Protection: 1; mode=block >>>>>> >>> >>>>>> >>> X-Frame-Options: SAMEORIGIN >>>>>> >>> >>>>>> >>> X-Content-Type-Options: nosniff >>>>>> >>> >>>>>> >>> Location: >>>>>> >>> https://play.dhis2.org/2.29/dhis-web-commons/security/login. >>>>>> action >>>>>> >>> >>>>>> >>> >>>>>> >>> curl: (47) SSLRead() return error -9806 >>>>>> >>> >>>>>> >>> >>>>>> >>> This causes bug in applications that access the api for >>>>>> authentication >>>>>> >>> and I can also see how this can be used to diminish system >>>>>> performance in >>>>>> >>> general. >>>>>> >>> >>>>>> >>> Regards, >>>>>> >>> >>>>>> >>> Ranga >>>>>> >>> >>>>>> >>> On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering >>>>>> >>> <jason.p.picker...@gmail.com> wrote: >>>>>> >>>> >>>>>> >>>> Just to try and make it a bit more clear Morten, I think this is >>>>>> the >>>>>> >>>> issue Rangarai is asking about is below: >>>>>> >>>> >>>>>> >>>> In 2.29 and 2.28, an unauthorized username/password returns a >>>>>> 302. >>>>>> >>>> >>>>>> >>>> curl -I -u admin:distric -H 'Accept: application/json' >>>>>> >>>> https://play.dhis2.org/2.29/api/me >>>>>> >>>> HTTP/1.1 302 >>>>>> >>>> Server: nginx/1.4.6 (Ubuntu) >>>>>> >>>> Date: Sat, 21 Apr 2018 06:44:10 GMT >>>>>> >>>> Content-Length: 0 >>>>>> >>>> Connection: keep-alive >>>>>> >>>> X-XSS-Protection: 1; mode=block >>>>>> >>>> X-Frame-Options: SAMEORIGIN >>>>>> >>>> X-Content-Type-Options: nosniff >>>>>> >>>> Location: >>>>>> >>>> https://play.dhis2.org/2.29/dhis-web-commons/security/login. >>>>>> action >>>>>> >>>> >>>>>> >>>> >>>>>> >>>> In 2.27, this same request returns a 401. >>>>>> >>>> >>>>>> >>>> curl -I -u admin:distric -H 'Accept: application/json' >>>>>> >>>> https://play.dhis2.org/2.27/api/me >>>>>> >>>> HTTP/1.1 401 >>>>>> >>>> Server: nginx/1.4.6 (Ubuntu) >>>>>> >>>> Date: Sat, 21 Apr 2018 06:44:27 GMT >>>>>> >>>> Content-Type: text/html;charset=utf-8 >>>>>> >>>> Content-Length: 1071 >>>>>> >>>> Connection: keep-alive >>>>>> >>>> X-XSS-Protection: 1; mode=block >>>>>> >>>> X-Frame-Options: SAMEORIGIN >>>>>> >>>> X-Content-Type-Options: nosniff >>>>>> >>>> Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; >>>>>> Path=/2.27; >>>>>> >>>> HttpOnly >>>>>> >>>> WWW-Authenticate: Basic realm="DHIS2" >>>>>> >>>> Content-Language: en >>>>>> >>>> >>>>>> >>>> >>>>>> >>>> On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire >>>>>> >>>> <matavi...@gmail.com> wrote: >>>>>> >>>>> >>>>>> >>>>> Hi Morten, >>>>>> >>>>> >>>>>> >>>>> The password is set wrong deliberately so as to get a 401 or >>>>>> other >>>>>> >>>>> response. The problem is when you set the wrong password or >>>>>> username you get >>>>>> >>>>> endless redirects from the API. >>>>>> >>>>> >>>>>> >>>>> Regards, >>>>>> >>>>> >>>>>> >>>>> >>>>>> >>>>> On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen < >>>>>> mor...@dhis2.org> >>>>>> >>>>> wrote: >>>>>> >>>>>> >>>>>> >>>>>> It should be district, not distric... but also people keep >>>>>> changing >>>>>> >>>>>> our internal passwords (our database resets every 24 hour) >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> >>>>>> Morten Olav Hansen >>>>>> >>>>>> Senior Engineer, DHIS 2 >>>>>> >>>>>> University of Oslo >>>>>> >>>>>> http://www.dhis2.org >>>>>> >>>>>> >>>>>> >>>>>> On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire >>>>>> >>>>>> <matavi...@gmail.com> wrote: >>>>>> >>>>>>> >>>>>> >>>>>>> By the way, its not just the error response code that is >>>>>> worrying, >>>>>> >>>>>>> but also the loop of redirects that starts, this makes it >>>>>> difficult to >>>>>> >>>>>>> handle the response for an http client. To see this loop of >>>>>> redirects, you >>>>>> >>>>>>> can add -L to curl as below. >>>>>> >>>>>>> >>>>>> >>>>>>> curl -I -L -u admin:distric -H 'Accept: application/json' >>>>>> >>>>>>> https://play.dhis2.org/2.28/api/me >>>>>> >>>>>>> >>>>>> >>>>>>> >>>>>> >>>>>>> I think this behaviour should be corrected as it may lead to >>>>>> >>>>>>> unexpected behaviour of apps. >>>>>> >>>>>>> >>>>>> >>>>>>> Regards >>>>>> >>>>>>> >>>>>> >>>>>>> On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire >>>>>> >>>>>>> <matavi...@gmail.com> wrote: >>>>>> >>>>>>>> >>>>>> >>>>>>>> Hi Devs, >>>>>> >>>>>>>> >>>>>> >>>>>>>> I am wondering whether the behaviour I am seeing is a bug or >>>>>> >>>>>>>> something to be expected due to some change. >>>>>> >>>>>>>> >>>>>> >>>>>>>> When I run the following curl command: >>>>>> >>>>>>>> >>>>>> >>>>>>>> curl -I -u admin:distric -H 'Accept: application/json' >>>>>> >>>>>>>> https://play.dhis2.org/2.29/api/me >>>>>> >>>>>>>> >>>>>> >>>>>>>> >>>>>> >>>>>>>> I get an HTTP 302 response. Note that I have deliberately >>>>>> set the >>>>>> >>>>>>>> password wrong so I can mock a 401 unauthorized response. I >>>>>> get the same >>>>>> >>>>>>>> response when I run the command on version 2.28. However, as >>>>>> expected, when >>>>>> >>>>>>>> I run it on 2.27, 2.26 etc I get a 401 HTTP response. >>>>>> >>>>>>>> >>>>>> >>>>>>>> I hope someone can assist. >>>>>> >>>>>>>> >>>>>> >>>>>>>> Regards, >>>>>> >>>>>>>> >>>>>> >>>>>>>> Ranga >>>>>> >>>>>>> >>>>>> >>>>>>> >>>>>> >>>>>>> >>>>>> >>>>>>> _______________________________________________ >>>>>> >>>>>>> Mailing list: https://launchpad.net/~dhis2-devs >>>>>> >>>>>>> Post to : dhis2-devs@lists.launchpad.net >>>>>> >>>>>>> Unsubscribe : https://launchpad.net/~dhis2-devs >>>>>> >>>>>>> More help : https://help.launchpad.net/ListHelp >>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>>>> >>>>> >>>>>> >>>>> _______________________________________________ >>>>>> >>>>> Mailing list: https://launchpad.net/~dhis2-devs >>>>>> >>>>> Post to : dhis2-devs@lists.launchpad.net >>>>>> >>>>> Unsubscribe : https://launchpad.net/~dhis2-devs >>>>>> >>>>> More help : https://help.launchpad.net/ListHelp >>>>>> >>>>> >>>>>> >>>> >>>>>> >>>> >>>>>> >>>> >>>>>> >>>> -- >>>>>> >>>> Jason P. Pickering >>>>>> >>>> email: jason.p.picker...@gmail.com >>>>>> >>>> tel:+46764147049 >>>>>> >>> >>>>>> >>> >>>>>> >> >>>>>> > >>>>>> > >>>>>> > >>>>>> > -- >>>>>> > Jason P. Pickering >>>>>> > email: jason.p.picker...@gmail.com >>>>>> > tel:+46764147049 >>>>>> > >>>>>> > _______________________________________________ >>>>>> > Mailing list: https://launchpad.net/~dhis2-devs >>>>>> > Post to : dhis2-devs@lists.launchpad.net >>>>>> > Unsubscribe : https://launchpad.net/~dhis2-devs >>>>>> > More help : https://help.launchpad.net/ListHelp >>>>>> > >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Jason P. Pickering >>>>> email: jason.p.picker...@gmail.com >>>>> tel:+46764147049 >>>>> >>>> >>>> >>> >> >> >> -- >> Jason P. Pickering >> email: jason.p.picker...@gmail.com >> tel:+46764147049 >> > > -- Jason P. Pickering email: jason.p.picker...@gmail.com tel:+46764147049
_______________________________________________ Mailing list: https://launchpad.net/~dhis2-devs Post to : dhis2-devs@lists.launchpad.net Unsubscribe : https://launchpad.net/~dhis2-devs More help : https://help.launchpad.net/ListHelp
