Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-18754

The authentication chain could return HTTP 401 Unauthorized



    • Sprint:


      The authentication chain currently return a HTTP Redirect 302 to login.jsp when the user is not logged in.

      Story: The Maven Repository Servlet Tests

      I wrote some tests to validate the behaviour of a servlet deployed on Nuxeo which implement a Maven repository (used for Nuxeo Studio).

      I tried to access my repository with Maven (Basic authentication based on username/password in settings.xml): it didn't work.
      I tried to access access it through curl: "curl -X GET -u admin:admin ..." - it worked.

      What happened with curl:

      1. curl encodes the username and password in a "authorization" header
      2. The Nuxeo authentication filter loop over auth services to authenticate the user.
      3. The Basic Auth service found the header and managed the authentication
      4. The response is sent

      What happened with maven:

      Since Maven 3.0.4, wagon, the maven HTTP client is based on Apache HttpClient and the Basic Authentication is not preemptive on GET Request.

      With 3.0.4, the default wagon http(s) is now the HttpClient based on Apache Http Client 4.1.2. There is now a http connection pooling to prevent reopening http(s) to remote server for each requests. This pool feature is configurable with some parameters [4].
      This new defaut wagon comes with some default configuration:
      http(s) connection pool: default to 20.
      readTimeout: default to 1800000ms (~30 minutes) (see section Read time out below)
      default Preemptive Authentication only with PUT (GET doesn't use anymore default Preemptive Authentication)

      1. Maven send the request without any authorization header (non preemptive). It expects the server to accept the request or return a Login Required response.
      2. The Nuxeo authentication filter loop over auth services to authenticate the user.
      3. No Auth service managed the login
      4. The "first" auth service managed the response: it returns a Http Redirect 302 to login.jsp
      5. Maven failed because it expects a gzip content type (a jar)

      Side Note: If another client doesn't expect any content type (accepts: */*) and follow the redirections. The login.jsp is interpreted as the response.

      I fix the problem by overriding the authentication chain for my servlet.

        <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
          <authenticationPlugin name="BASIC_AUTH">
              <parameter name="ForcePromptURL_Maven">site/studio/maven</parameter>

      It would be nice to get a valid code (Http Unauthorized 401) when the login is required in Nuxeo.
      If it's necessary to keep the current redirect for JSF, may be we should setup JSF as an exception with a custom login page.
      The other page could provide the same login page with a forward 401 rather than a redirect 302.


          Issue Links



              • Votes:
                0 Vote for this issue
                1 Start watching this issue


                • Created: