Description

None

Conclusion

None

Attachments

1

Activity

Kanghua Wang February 15, 2018 at 7:03 PM

Please correct me if I do not understand correctly: we should send 401 (not redirect to the login page) for any REST type call if authentication fails. The following rules are used to detect a REST type call.

  1. Any HTTP POST request;

  2. Any request which has a BasicAuthentication header;

  3. Any CORS calls (any request which has an Origin header).

Anthony Fishbeck February 15, 2018 at 2:56 PM

Let's discuss this afternoon and see if we can improve on

  1. what causes redirect.

  2. what is treated as REST client calls.

Kanghua Wang February 15, 2018 at 2:17 PM

That is because ESP allows a client to get the 'resource' files from predefined locations. The default settings of the locations include: esp/files/. So, the 200 OK is sent for http://192.168.3.22:8010/esp/files/stub.htm.

Gordon Smith February 15, 2018 at 8:27 AM
Edited

Quick follow up - what I am seeing is the opposite of what I would expect:

When the request is the main landing page, there is no redirect:

  Request URL: http://192.168.3.22:8010/esp/files/stub.htm
  Request Method: GET
  Status Code: 200 OK
  Remote Address: 192.168.3.22:8010
  Referrer Policy: no-referrer-when-downgrade

But as soon as the first REST style request is made:

  Request URL: http://192.168.3.22:8010/ws_machine/GetComponentStatus.json
  Request Method: POST
  Status Code: 302 Found
  Remote Address: 192.168.3.22:8010
  Referrer Policy: no-referrer-when-downgrade

Again, IMO the redirect only makes sense when the requested resource is an HTML page.

Gordon Smith February 15, 2018 at 5:54 AM

How about only redirecting if it's a "same-origin" request?

or alternatively only redirecting if:

  1. The request type is a GET

  2. The requested URL's pathname ends in ".html" or ".htm" etc. (we wouldn't want redirects for ".xsd" requests)

  3. The requested URL's pathname is blank.

FWIW I would probably be ok if there was no redirect on a POST / OPTIONS request, but that feels a bit specific.
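The two proposals in this thread (Kanghua Wang's rules for spotting a REST client call, and Gordon Smith's rules for when a login redirect makes sense) can be expressed as a small decision function. The following is an added example written for this page, not ESP's own code: the Request struct is a stand-in for whatever the real request object exposes, treating "/" as a blank pathname and ignoring the query string are assumptions made here, and combining the two rule sets into one decision is this example's suggestion rather than something the thread settled on.

```cpp
// Added example (not ESP's own code): decide what to send when authentication
// fails, using the two rule sets proposed in the thread.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>

// Minimal model of an incoming request; the real ESP request object is assumed
// to expose at least this much. Header names are stored as the client sent them.
struct Request {
    std::string method;                          // "GET", "POST", "OPTIONS", ...
    std::string path;                            // URL path, query string optional
    std::map<std::string, std::string> headers;  // name -> value
};

enum class AuthFailureResponse { RedirectToLogin, Unauthorized401 };

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// HTTP header names are case-insensitive, so never compare them verbatim.
static const std::string* findHeader(const Request& req, const std::string& name) {
    const std::string want = lower(name);
    for (const auto& kv : req.headers)
        if (lower(kv.first) == want) return &kv.second;
    return nullptr;
}

static bool endsWith(const std::string& s, const std::string& suffix) {
    return s.size() >= suffix.size() &&
           s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Rule set from Kanghua Wang's comment: a REST-style call is any POST, any
// request carrying a Basic Authorization header, or any request carrying an
// Origin header (i.e. a CORS request).
bool isRestStyleCall(const Request& req) {
    if (lower(req.method) == "post") return true;
    if (const std::string* auth = findHeader(req, "Authorization"))
        if (lower(*auth).compare(0, 6, "basic ") == 0) return true;
    return findHeader(req, "Origin") != nullptr;
}

// Rule set from Gordon Smith's comment: a login redirect only makes sense for a
// GET whose pathname is blank or ends in .html/.htm. Treating "/" as blank and
// stripping the query string are assumptions of this example, not of the thread.
bool isHtmlPageRequest(const Request& req) {
    if (lower(req.method) != "get") return false;
    const std::string p = lower(req.path.substr(0, req.path.find('?')));
    if (p.empty() || p == "/") return true;
    return endsWith(p, ".html") || endsWith(p, ".htm");
}

// Combined decision (this example's suggestion): anything that looks like a REST
// client gets 401 so the caller can see the failure; a browser navigation to an
// HTML page is redirected to the login page; everything else (a GET for an .xsd
// or .json, for instance) also gets 401, since a login page is useless there.
AuthFailureResponse onAuthFailure(const Request& req) {
    if (isRestStyleCall(req)) return AuthFailureResponse::Unauthorized401;
    if (isHtmlPageRequest(req)) return AuthFailureResponse::RedirectToLogin;
    return AuthFailureResponse::Unauthorized401;
}

int main() {
    // Constructed requests mirroring the two URLs quoted in the thread, plus a
    // CORS variant of the page request.
    const Request page{"GET", "/esp/files/stub.htm", {}};
    const Request rest{"POST", "/ws_machine/GetComponentStatus.json", {}};
    const Request cors{"GET", "/esp/files/stub.htm", {{"origin", "http://localhost:3000"}}};
    const Request* all[] = {&page, &rest, &cors};
    for (const Request* r : all)
        std::cout << r->method << ' ' << r->path << " -> "
                  << (onAuthFailure(*r) == AuthFailureResponse::RedirectToLogin
                          ? "302 to login page" : "401 Unauthorized") << '\n';
    return 0;
}
```

With these rules the POST to /ws_machine/GetComponentStatus.json from the thread gets a 401 instead of the 302 Gordon observed, while a plain GET of /esp/files/stub.htm with no credentials would still be redirected. Note that the Origin rule also turns a cross-origin GET for an HTML page into a 401, which is what a CORS client would want but is a change a browser user navigating across origins would notice.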

Details

Components

Assignee

Kanghua Wang(Deactivated)

Reporter

Gordon Smith

Priority

Critical

Compatibility

Major

Fix versions

Affects versions