Guard, authenticate failure, HTTP 401

Guard, authenticate failure, HTTP 401

Diego Ballve
Hello,

By default Guard returns 403 (forbidden) if authentication fails?
Shouldn't it be 401?

401: The request requires user authentication
403: request, but is refusing to fulfill it as it could be explained in
the entity.

br,
Diego

--
Diego Ballve
Digital Artefacts Europe
http://www.digital-artefacts.fi/

Re: Guard, authenticate failure, HTTP 401

StephanKoo
Hi Diego,

This was a bug in Restlet 1.0. It is resolved in Restlet 1.1.
See also the Migration Guide from 1.0 to 1.1: http://wiki.restlet.org/docs_1.1/13-restlet/171-restlet/155-restlet.html

best regards
    Stephan

> Hello,
>
> By default Guard returns 403 (forbidden) if authentication fails?
> Shouldn't it be 401?
>
> 401: The request requires user authentication
> 403: request, but is refusing to fulfill it as it could be explained in
> the entity.
>
> br,
> DIego


Re: Guard, authenticate failure, HTTP 401

Thierry Boileau
In reply to this post by Diego Ballve
Hello Diego,

I suppose you are running with Restlet 1.0, since Restlet 1.1 behaves differently (returns 401 status).
We think that this behaviour won't be changed in the future.
Thus, we kindly encourage you to use Restlet 1.1 or create a subclass and override the "forbid" method (which sets the 403 status).

Best regards,
Thierry Boileau
--
Restlet ~ Core developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com

 


Re: Guard, authenticate failure, HTTP 401

Diego Ballve
Hi Stephan, Thierry,

Thanks for the answers, but.. er.. I'm using 1.1.1 fresh from maven
repo. Sources pulled from there too. And I am overriding the forbid
method, which in 1.1.1 returns CLIENT_ERROR_FORBIDDEN. Check here:

http://restlet.tigris.org/source/browse/restlet/tags/1.1/1.1.1/modules/org.restlet/src/org/restlet/Guard.java?rev=3933&view=markup

br,
Diego

Thierry Boileau wrote:

> Hello Diego,
>
> I suppose you are running with Restlet 1.0, since Restlet 1.1 behaves
> differently (returns 401 status).
> We think that this behaviour won't be changed in the future.
> Thus, we kindly encourage you to use Restlet 1.1 or create a subclass
> and override the "forbid" method (which sets the 403 status).
>
> Best regards,
> Thierry Boileau
> --
> Restlet ~ Core developer ~ http://www.restlet.org <http://www.restlet.org/>
> Noelios Technologies ~ Co-founder ~ http://www.noelios.com
> <http://www.noelios.com/>
>
>  
>
>> Hello,
>>
>> By default Guard returns 403 (forbidden) if authentication fails?
>> Shouldn't it be 401?
>>
>> 401: The request requires user authentication
>> 403: request, but is refusing to fulfill it as it could be explained in
>> the entity.
>>
>> br,
>> DIego
>>  

Re: Guard, authenticate failure, HTTP 401

Thierry Boileau
Hello Diego,

I am sending you my sample code. I receive a 401 status code when the authentication fails.
 
Best regards,
Thierry Boileau
--
Restlet ~ Core developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com

package testGuard;

import org.restlet.Application;
import org.restlet.Client;
import org.restlet.Component;
import org.restlet.Guard;
import org.restlet.Restlet;
import org.restlet.data.ChallengeResponse;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.MediaType;
import org.restlet.data.Method;
import org.restlet.data.Protocol;
import org.restlet.data.Request;
import org.restlet.data.Response;

public class TestApplication {

    public static void main(String[] args) throws Exception {
        Component component = new Component();
        component.getServers().add(Protocol.HTTP, 8182);

        Application application = new Application(component.getContext()) {
            @Override
            public Restlet createRoot() {
                Restlet restlet = new Restlet(getContext()) {
                    @Override
                    public void handle(Request request, Response response) {
                        response
                                .setEntity("hello, world", MediaType.TEXT_PLAIN);
                    }
                };

                Guard guard = new Guard(getContext(),
                        ChallengeScheme.HTTP_BASIC, "test");
                guard.getSecrets().put("login", "password".toCharArray());
                guard.setNext(restlet);
                return guard;
            }
        };

        component.getDefaultHost().attach(application);
        component.start();

        // Request 1: no credentials at all.
        Request request = new Request(Method.GET, "http://localhost:8182/");
        Client client = new Client(Protocol.HTTP);
        Response response = client.handle(request);
        System.err.println("*******" + response.getStatus());

        // Request 2: wrong login ("logine" instead of "login").
        ChallengeResponse cr = new ChallengeResponse(
                ChallengeScheme.HTTP_BASIC, "logine", "password");
        request.setChallengeResponse(cr);
        response = client.handle(request);
        System.err.println("*******" + response.getStatus());

        // Request 3: valid credentials.
        cr = new ChallengeResponse(ChallengeScheme.HTTP_BASIC, "login",
                "password");
        request.setChallengeResponse(cr);
        response = client.handle(request);
        System.err.println("*******" + response.getStatus());
        component.stop();
    }

}

Re: Guard, authenticate failure, HTTP 401

Diego Ballve
Hi Thierry,

Thanks for the test code. Try setting:
guard.setRechallengeEnabled(false);

br,
Diego

Thierry Boileau wrote:

> Hello Diego,
>
> I send you my sample code. I receive 401 status code when the
> authentication fails.
>  
> Best regards,
> Thierry Boileau
> --
> Restlet ~ Core developer ~ http://www.restlet.org <http://www.restlet.org/>
> Noelios Technologies ~ Co-founder ~ http://www.noelios.com
> <http://www.noelios.com/>
>> Hi Stephan, Thierry,
>>
>> Thanks for the answers, but.. er.. I'm using 1.1.1 fresh from maven
>> repo. Sources pulled from there too. And I am overriding the forbid
>> method, which in 1.1.1 returns CLIENT_ERROR_FORBIDDEN. Check here:
>>
>> http://restlet.tigris.org/source/browse/restlet/tags/1.1/1.1.1/modules/org.restlet/src/org/restlet/Guard.java?rev=3933&view=markup
>>
>> br,
>> Diego
>>
>> Thierry Boileau wrote:
>>  
>>> Hello Diego,
>>>
>>> I suppose you are running with Restlet 1.0, since Restlet 1.1 behaves
>>> differently (returns 401 status).
>>> We think that this behaviour won't be changed in the future.
>>> Thus, we kindly encourage you to use Restlet 1.1 or create a subclass
>>> and override the "forbid" method (which sets the 403 status).
>>>
>>> Best regards,
>>> Thierry Boileau
>>> --
>>> Restlet ~ Core developer ~ http://www.restlet.org <http://www.restlet.org/>
>>> Noelios Technologies ~ Co-founder ~ http://www.noelios.com
>>> <http://www.noelios.com/>
>>>
>>>  
>>>
>>>    
>>>> Hello,
>>>>
>>>> By default Guard returns 403 (forbidden) if authentication fails?
>>>> Shouldn't it be 401?
>>>>
>>>> 401: The request requires user authentication
>>>> 403: request, but is refusing to fulfill it as it could be explained in
>>>> the entity.
>>>>
>>>> br,
>>>> DIego
>>>>  
>>>>      

Re: Guard, authenticate failure, HTTP 401

Thierry Boileau
Hi Diego,

If you set this boolean to false, then the behaviour is changed. You obtain a 403 status code when requesting with wrong credentials.
You can have a look in the javadocs: http://www.restlet.org/documentation/1.1/api/org/restlet/Guard.html#isRechallengeEnabled()

best regards,
Thierry Boileau


Re: Guard, authenticate failure, HTTP 401

Diego Ballve
Hi Thierry,

Aha, I missed that detail of the design. Case closed.

Thanks,
Diego

Thierry Boileau wrote:

> Hi Diego,
>
> if you set this boolean to false, then the behaviour is changed. You
> obtain a 403 status code when requesting with wrong credentials.
> You can have a look in the javadocs:
> http://www.restlet.org/documentation/1.1/api/org/restlet/Guard.html#isRechallengeEnabled()
>
> best regards,
> Thierry Boileau
>
>> Hi Thierry,
>>
>> Thanks for the test code. Try setting:
>> guard.setRechallengeEnabled(false);
>>
>> br,
>> Diego
>>
>> Thierry Boileau wrote:
>>  
>>> Hello Diego,
>>>
>>> I send you my sample code. I receive 401 status code when the
>>> authentication fails.
>>>  
>>> Best regards,
>>> Thierry Boileau
>>> --
>>> Restlet ~ Core developer ~ http://www.restlet.org <http://www.restlet.org/>
>>> Noelios Technologies ~ Co-founder ~ http://www.noelios.com
>>> <http://www.noelios.com/>
>>>    
>>>> Hi Stephan, Thierry,
>>>>
>>>> Thanks for the answers, but.. er.. I'm using 1.1.1 fresh from maven
>>>> repo. Sources pulled from there too. And I am overriding the forbid
>>>> method, which in 1.1.1 returns CLIENT_ERROR_FORBIDDEN. Check here:
>>>>
>>>> http://restlet.tigris.org/source/browse/restlet/tags/1.1/1.1.1/modules/org.restlet/src/org/restlet/Guard.java?rev=3933&view=markup
>>>>
>>>> br,
>>>> Diego
>>>>
>>>> Thierry Boileau wrote:
>>>>  
>>>>      
>>>>> Hello Diego,
>>>>>
>>>>> I suppose you are running with Restlet 1.0, since Restlet 1.1 behaves
>>>>> differently (returns 401 status).
>>>>> We think that this behaviour won't be changed in the future.
>>>>> Thus, we kindly encourage you to use Restlet 1.1 or create a subclass
>>>>> and override the "forbid" method (which sets the 403 status).
>>>>>
>>>>> Best regards,
>>>>> Thierry Boileau
>>>>> --
>>>>> Restlet ~ Core developer ~ http://www.restlet.org <http://www.restlet.org/>
>>>>> Noelios Technologies ~ Co-founder ~ http://www.noelios.com
>>>>> <http://www.noelios.com/>
>>>>>
>>>>>  
>>>>>
>>>>>    
>>>>>        
>>>>>> Hello,
>>>>>>
>>>>>> By default Guard returns 403 (forbidden) if authentication fails?
>>>>>> Shouldn't it be 401?
>>>>>>
>>>>>> 401: The request requires user authentication
>>>>>> 403: request, but is refusing to fulfill it as it could be explained in
>>>>>> the entity.
>>>>>>
>>>>>> br,
>>>>>> DIego
>>>>>>  
>>>>>>      
>>>>>>          
>>
>>
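
The behaviour settled in this thread, as an added example that is not part of any post and not Restlet project code: it starts one Guard per rechallenge setting and sends the same three probes (no credentials, wrong login, valid login) to each, so the 401/403 difference for wrong credentials shows up side by side. The class name RechallengeProbe, the helper names and the second port are assumptions; every Restlet call is one already used in the thread.

```java
import org.restlet.*;
import org.restlet.data.*;

// Added example (hypothetical class name): compares Guard replies per rechallenge setting.
public class RechallengeProbe {
    // Starts a guarded "hello, world" application on the given port.
    static Component start(int port, final boolean rechallenge) throws Exception {
        Component component = new Component();
        component.getServers().add(Protocol.HTTP, port);
        component.getDefaultHost().attach(new Application(component.getContext()) {
            @Override
            public Restlet createRoot() {
                Guard guard = new Guard(getContext(), ChallengeScheme.HTTP_BASIC, "test");
                guard.getSecrets().put("login", "password".toCharArray());
                guard.setRechallengeEnabled(rechallenge); // the setting under discussion
                guard.setNext(new Restlet(getContext()) {
                    @Override
                    public void handle(Request request, Response response) {
                        response.setEntity("hello, world", MediaType.TEXT_PLAIN);
                    }
                });
                return guard;
            }
        });
        component.start();
        return component;
    }

    // Sends one GET, with Basic credentials when login is non-null, and returns the status.
    static String probe(Client client, int port, String login) {
        Request request = new Request(Method.GET, "http://localhost:" + port + "/");
        if (login != null) {
            request.setChallengeResponse(new ChallengeResponse(ChallengeScheme.HTTP_BASIC, login, "password"));
        }
        return client.handle(request).getStatus().toString();
    }

    public static void main(String[] args) throws Exception {
        Client client = new Client(Protocol.HTTP);
        boolean[] settings = { true, false };
        for (int i = 0; i < settings.length; i++) {
            int port = 8182 + i; // second port is an assumption of this example
            Component component = start(port, settings[i]);
            // Per the thread: wrong credentials give 401 when enabled, 403 when disabled.
            System.out.println("rechallengeEnabled=" + settings[i] + " none=" + probe(client, port, null)
                    + " wrong=" + probe(client, port, "logine") + " right=" + probe(client, port, "login"));
            component.stop();
        }
    }
}
```

Clients and log monitoring that treat only 401 as a failed login will not see wrong-credential attempts against a Guard with rechallenge disabled, since those arrive as 403.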