XQueryURLRewrite-Servlet initiates AuthorizationChallange when using external HTTP Basic-Authorization

@floerke commented on May 8, 2018, 8:36 AM UTC:

Hi eXist-Team,

What is the problem

If you have an external HTTP Basic-Authorization for your xquery-Application, eXist will send another HTTP-Basic Authorization to the user. The XQueryURLRewrite Servlet uses the BasicAuthenticator to check the "external HTTP Basic-Authorization" and will fail, because the external user is not known within eXist.

My wishes

A servlet parameter that makes the hard coded true within the XQueryURLRewrite Servlet would be fine.

requestUser = authenticator.authenticate(request, response, true);

=>

requestUser = authenticator.authenticate(request, response, sendChallenge);

Best regards,

Holger

This issue was moved by duncdrum from eXist-db/exist/issues/1861.

@dizzzz commented on May 8, 2018, 3:10 PM UTC:

For me it is not clear what the question is about, far too high level. Preferably please fill in the provided template. WHat do you technically see? what do you expect? do you have code available? curl output? etc etc?

@floerke commented on May 9, 2018, 7:13 AM UTC:

Hi,

thanks for your quick response. Sorry for providing not enough context information.

Reproduce

one simple xquery file e.g.:

test.xqy

xquery version "1.0";
declare option exist:serialize "method=text media-type=text/plain";
let $message := 'Hello World!'
return
   $message

lying in a tomcat hosted servlet with exist and xqueryurlrewrite properly configured. The servlet is mounted into an apache as a subdirectory below the server-root (e.g.: http://foo.bar/test/test.xqy).

The server root as a password protected html file with a link on the xquery. e.g.:
index.html:

<html>
<body>
<a href="test/test.xqy">test</a>
</body>
</html>

.htaccess:

AuthType Basic
AuthName "external"
AuthUserFile /etc/apache2/.htpasswd
require valid-user

If the user navigates to index.html, the browser asks for a username/password initiated by apache. The user provides the correct username and password, sees the index.html and clicks on "test" to execute the xquery script.

Then the user will be prompted for a password again. Although there is no explicit configured security for the simple xquery script. The last (http basic-) authorization is initiated by exist and - in my opinion - at least questionable. The user is able to cancel the authorization and the result is the "hello world".

I had a short glimpse into the source code. I think, the xqueryurlrewrite servlet from exist will initiate a basic authorization and prompt the user for a password, if any request contains a header field "Authorization" as long as the user is not known by exist. I suggest to make this behavior of the xqueryurlrewrite servlet configurable for deactivating the second authorization in the case of an "external" authorization instance.

Context information

• Implementation-Version: 4.0.0, Build-Timestamp: 201802140047, Git-Commit-Abbrev: cc66ebc
• Java version 8u171
• Linux
• 64 bit

Hopefully thinks are clearer now. Don't hesitate to ask for more information.

Holger

@adamretter commented on Jun 3, 2018, 11:10 AM UTC:

floerke If I understand, you are requesting a parameter to control the sendChallenge of XQueryURLRewrite here:

requestUser = authenticator.authenticate(request, response, sendChallenge);

If so, where should this parameter be set? i.e. should it be static in web.xml or somewhere else? Also how do you think such a parameter should be named?

@floerke commented on Jun 5, 2018, 7:19 AM UTC:

adamretter: A static parameter within the web.xml would be fine. Naming is difficult. "sendChallengeForHttpBasicAuth" is not true, because there could be other authentication mechanisms. A simple "sendChallenge" is a little bit meaningless. "ignoreExternalHttpAuth" describes it for me, but it is technical incorrect.

@duncdrum commented on Jun 5, 2018, 2:34 PM UTC:

floerke could you please take a look the documentation regarding authenticated xquery submissions here and submit a PR / raise an issue explaining the new abilities

@duncdrum commented on Jun 5, 2018, 4:18 PM UTC:

I ll close once we have the documentation, easier to keep track of that way

@floerke commented on Jun 6, 2018, 5:32 AM UTC:

👍

@adamretter commented on Jun 6, 2018, 7:27 AM UTC:

duncdrum I would like to close this here as I am moving milestones now. Can you open an issue on the documentation project and maybe paste a link to this issue in it?