[jira] [Commented] (SLING-2443) Missing WWW-Authenticate header on OPTIONS request with trunk servlets.resolver bundle
[ https://issues.apache.org/jira/browse/SLING-2443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13237784#comment-13237784 ] Felix Meschberger commented on SLING-2443: -- > That response.reset() call was not present in 2.1.0 For completeness: This came in with SLING-1842 > Missing WWW-Authenticate header on OPTIONS request with trunk > servlets.resolver bundle > -- > > Key: SLING-2443 > URL: https://issues.apache.org/jira/browse/SLING-2443 > Project: Sling > Issue Type: Bug > Components: Servlets >Reporter: Bertrand Delacretaz > > Running the launchpad/builder standalone jar from the trunk correctly returns > an WWW-Authenticate header on an OPTIONS request with no credentials: > $ curl -D - -X OPTIONS http://localhost:8080/ > HTTP/1.1 401 Unauthorized > WWW-Authenticate: Basic realm="Jackrabbit Webdav Server" > Content-Type: ... > But if I replace the org.apache.sling.servlets.resolver 2.1.0 bundle that's > in there with the latest snapshot (revision 1302994) that header is missing: > it gets removed by the response.reset() call in > DefaultErrorHandlerServlet.sendIntro(...), which makes it impossible to > connect with WebDAV. > That response.reset() call was not present in 2.1.0. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (SLING-2443) Missing WWW-Authenticate header on OPTIONS request with trunk servlets.resolver bundle
[ https://issues.apache.org/jira/browse/SLING-2443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13237627#comment-13237627 ] Felix Meschberger commented on SLING-2443: -- Yes, if the sendError is used, 401 is just like any other error and is handled by the error handling script. The problem is, that 401 should not be sent to the client using sendError but using setStatus and committing the response to make sure the client gets the authentication requets. > Missing WWW-Authenticate header on OPTIONS request with trunk > servlets.resolver bundle > -- > > Key: SLING-2443 > URL: https://issues.apache.org/jira/browse/SLING-2443 > Project: Sling > Issue Type: Bug > Components: Servlets >Reporter: Bertrand Delacretaz > > Running the launchpad/builder standalone jar from the trunk correctly returns > an WWW-Authenticate header on an OPTIONS request with no credentials: > $ curl -D - -X OPTIONS http://localhost:8080/ > HTTP/1.1 401 Unauthorized > WWW-Authenticate: Basic realm="Jackrabbit Webdav Server" > Content-Type: ... > But if I replace the org.apache.sling.servlets.resolver 2.1.0 bundle that's > in there with the latest snapshot (revision 1302994) that header is missing: > it gets removed by the response.reset() call in > DefaultErrorHandlerServlet.sendIntro(...), which makes it impossible to > connect with WebDAV. > That response.reset() call was not present in 2.1.0. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (SLING-2443) Missing WWW-Authenticate header on OPTIONS request with trunk servlets.resolver bundle
[ https://issues.apache.org/jira/browse/SLING-2443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13237559#comment-13237559 ] Reto Bachmann-Gmür commented on SLING-2443: --- 401 is an error code by http so it handling by error scripts seems reasonable by me. I think resetting the response is reasonable for server errors (5XX) as in this case something went wrong in producing the response but not for client errors (4XX) where there is something wrong with the request while the response can be assumed to be reasonable for that bogus request. Furthermore resetting headers but not the status line seems inconsistent to me. > Missing WWW-Authenticate header on OPTIONS request with trunk > servlets.resolver bundle > -- > > Key: SLING-2443 > URL: https://issues.apache.org/jira/browse/SLING-2443 > Project: Sling > Issue Type: Bug > Components: Servlets >Reporter: Bertrand Delacretaz > > Running the launchpad/builder standalone jar from the trunk correctly returns > an WWW-Authenticate header on an OPTIONS request with no credentials: > $ curl -D - -X OPTIONS http://localhost:8080/ > HTTP/1.1 401 Unauthorized > WWW-Authenticate: Basic realm="Jackrabbit Webdav Server" > Content-Type: ... > But if I replace the org.apache.sling.servlets.resolver 2.1.0 bundle that's > in there with the latest snapshot (revision 1302994) that header is missing: > it gets removed by the response.reset() call in > DefaultErrorHandlerServlet.sendIntro(...), which makes it impossible to > connect with WebDAV. > That response.reset() call was not present in 2.1.0. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (SLING-2443) Missing WWW-Authenticate header on OPTIONS request with trunk servlets.resolver bundle
[
https://issues.apache.org/jira/browse/SLING-2443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13234392#comment-13234392
]
Bertrand Delacretaz commented on SLING-2443:
I agree about the reset in general, but the following pattern seems reasonable
to me:
// Sling servlet is in trouble
response.setHeader("X-something-specific", "some useful value")
response.sendError(...)
And if you do this in a Sling servlet now that won't work...maybe we should
preserve the headers instead of resetting everything?
> Missing WWW-Authenticate header on OPTIONS request with trunk
> servlets.resolver bundle
> --
>
> Key: SLING-2443
> URL: https://issues.apache.org/jira/browse/SLING-2443
> Project: Sling
> Issue Type: Bug
> Components: Servlets
>Reporter: Bertrand Delacretaz
>
> Running the launchpad/builder standalone jar from the trunk correctly returns
> an WWW-Authenticate header on an OPTIONS request with no credentials:
> $ curl -D - -X OPTIONS http://localhost:8080/
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: Basic realm="Jackrabbit Webdav Server"
> Content-Type: ...
> But if I replace the org.apache.sling.servlets.resolver 2.1.0 bundle that's
> in there with the latest snapshot (revision 1302994) that header is missing:
> it gets removed by the response.reset() call in
> DefaultErrorHandlerServlet.sendIntro(...), which makes it impossible to
> connect with WebDAV.
> That response.reset() call was not present in 2.1.0.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (SLING-2443) Missing WWW-Authenticate header on OPTIONS request with trunk servlets.resolver bundle
[ https://issues.apache.org/jira/browse/SLING-2443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13234381#comment-13234381 ] Felix Meschberger commented on SLING-2443: -- In this case, this would rather be a bug for Jackrabbit. I am against removing the response.reset call from the DefaultErrorHandlerServlet because this sounds absolutely reasonable to do when handling errors in a generic (default) way. > Missing WWW-Authenticate header on OPTIONS request with trunk > servlets.resolver bundle > -- > > Key: SLING-2443 > URL: https://issues.apache.org/jira/browse/SLING-2443 > Project: Sling > Issue Type: Bug > Components: Servlets >Reporter: Bertrand Delacretaz > > Running the launchpad/builder standalone jar from the trunk correctly returns > an WWW-Authenticate header on an OPTIONS request with no credentials: > $ curl -D - -X OPTIONS http://localhost:8080/ > HTTP/1.1 401 Unauthorized > WWW-Authenticate: Basic realm="Jackrabbit Webdav Server" > Content-Type: ... > But if I replace the org.apache.sling.servlets.resolver 2.1.0 bundle that's > in there with the latest snapshot (revision 1302994) that header is missing: > it gets removed by the response.reset() call in > DefaultErrorHandlerServlet.sendIntro(...), which makes it impossible to > connect with WebDAV. > That response.reset() call was not present in 2.1.0. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (SLING-2443) Missing WWW-Authenticate header on OPTIONS request with trunk servlets.resolver bundle
[
https://issues.apache.org/jira/browse/SLING-2443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13233562#comment-13233562
]
Bertrand Delacretaz commented on SLING-2443:
IIUC it's jackrabbit's AbstractWebdavServlet. sendUnauthorized(...) method that
sends this:
response.setHeader("WWW-Authenticate", getAuthenticateHeaderValue());
if (error == null || error.getErrorCode() !=
HttpServletResponse.SC_UNAUTHORIZED) {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
} else {
response.sendError(error.getErrorCode(), error.getStatusPhrase());
}
and that looks a bit tricky to override (just had a quick look)
[1]
http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
> Missing WWW-Authenticate header on OPTIONS request with trunk
> servlets.resolver bundle
> --
>
> Key: SLING-2443
> URL: https://issues.apache.org/jira/browse/SLING-2443
> Project: Sling
> Issue Type: Bug
> Components: Servlets
>Reporter: Bertrand Delacretaz
>
> Running the launchpad/builder standalone jar from the trunk correctly returns
> an WWW-Authenticate header on an OPTIONS request with no credentials:
> $ curl -D - -X OPTIONS http://localhost:8080/
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: Basic realm="Jackrabbit Webdav Server"
> Content-Type: ...
> But if I replace the org.apache.sling.servlets.resolver 2.1.0 bundle that's
> in there with the latest snapshot (revision 1302994) that header is missing:
> it gets removed by the response.reset() call in
> DefaultErrorHandlerServlet.sendIntro(...), which makes it impossible to
> connect with WebDAV.
> That response.reset() call was not present in 2.1.0.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (SLING-2443) Missing WWW-Authenticate header on OPTIONS request with trunk servlets.resolver bundle
[ https://issues.apache.org/jira/browse/SLING-2443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13233558#comment-13233558 ] Felix Meschberger commented on SLING-2443: -- Hmm, somehow it sounds wrong that 401 response to ask for authentication go through error handling scripts ... > Missing WWW-Authenticate header on OPTIONS request with trunk > servlets.resolver bundle > -- > > Key: SLING-2443 > URL: https://issues.apache.org/jira/browse/SLING-2443 > Project: Sling > Issue Type: Bug > Components: Servlets >Reporter: Bertrand Delacretaz > > Running the launchpad/builder standalone jar from the trunk correctly returns > an WWW-Authenticate header on an OPTIONS request with no credentials: > $ curl -D - -X OPTIONS http://localhost:8080/ > HTTP/1.1 401 Unauthorized > WWW-Authenticate: Basic realm="Jackrabbit Webdav Server" > Content-Type: ... > But if I replace the org.apache.sling.servlets.resolver 2.1.0 bundle that's > in there with the latest snapshot (revision 1302994) that header is missing: > it gets removed by the response.reset() call in > DefaultErrorHandlerServlet.sendIntro(...), which makes it impossible to > connect with WebDAV. > That response.reset() call was not present in 2.1.0. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
