Service Packs and Hot Fixes / MNT-13150

Web Scripts ignore the correct credentials provided by the user, continue to use an expired or invalid ALF_TICKET, and at the same time repeatedly prompt for another credential input

      Description

      [Steps to reproduce]

      1. In a browser, go to any GET web script with an expired or invalid ALF_TICKET in the URL parameter. For example:

      http://localhost:8080/alfresco/service/enterprise/admin/admin-repositoryinfo?alf_ticket=TICKET_bdbe7fe6774d475e757ba118757c2e990adb3b9d

      2. The browser prompts you to enter an admin username and password for Basic HTTP Authentication in a pop-up screen. Enter an admin username and password and click OK.

      [Actual result]
      The browser repeatedly prompts for a username and password even after the user has correctly entered valid admin credentials. The system ignores the user's credential input and continues to use the expired or invalid ALF_TICKET.

      [Expected result]
      Alfresco does not ignore the credentials entered by the user and does not prompt for credentials over and over again.

      The ALF_TICKET provided by Alfresco is a convenient way for users not to have to re-authenticate via Basic HTTP Authentication every time a web script page is requested. However, users may also bookmark a Web Script URL with an ALF_TICKET parameter. When the user clicks the URL after the session has expired, the browser just repeatedly prompts for his credentials without actually taking him to the page.

      [Proposed Workaround]
      The issue can be easily rectified by modifying BasicHttpAuthenticatorFactory.java as shown in the attachment BasicHttpAuthenticatorFactory_proposal.java. When the code checks the ALF_TICKET and finds it has expired, it should also check whether the user has provided authentication credentials via the browser pop-up screen. If so, it should try to do a secondary authentication against the credentials provided.

      The problem here is that a pop-up screen is thrown at the user for his credentials, but Alfresco ignores them, which defeats the point of asking for them in the first place.
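
The fallback described in the proposed workaround, sketched as an added example (it is not the reporter's attachment and not Alfresco's code). `TicketThenBasicAuth`, `AuthBackend`, `authenticate` and the sample ticket and password values are hypothetical stand-ins constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added sketch with hypothetical names; not Alfresco's BasicHttpAuthenticatorFactory.
public class TicketThenBasicAuth {
    // Hypothetical stand-in for the repository's authentication service.
    interface AuthBackend {
        Optional<String> userForTicket(String ticket); // empty if expired or invalid
        boolean checkPassword(String user, String password);
    }

    // Returns the authenticated user, or empty when the caller must answer 401.
    static Optional<String> authenticate(String alfTicket, String authHeader, AuthBackend backend) {
        // 1. Try the ticket from the URL parameter first.
        if (alfTicket != null && !alfTicket.isEmpty()) {
            Optional<String> user = backend.userForTicket(alfTicket);
            if (user.isPresent()) return user;
            // Expired or invalid ticket: fall through instead of challenging again.
        }
        // 2. Secondary authentication against the Basic credentials, if supplied.
        if (authHeader != null && authHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            try {
                byte[] raw = Base64.getDecoder().decode(authHeader.substring(6).trim());
                String decoded = new String(raw, StandardCharsets.UTF_8);
                int colon = decoded.indexOf(':');
                if (colon > 0) {
                    String user = decoded.substring(0, colon);
                    if (backend.checkPassword(user, decoded.substring(colon + 1))) return Optional.of(user);
                }
            } catch (IllegalArgumentException malformedBase64) { /* treat as no credentials sent */ }
        }
        return Optional.empty(); // caller sends 401 with WWW-Authenticate: Basic
    }

    public static void main(String[] args) {
        AuthBackend backend = new AuthBackend() { // constructed test double
            public Optional<String> userForTicket(String t) {
                return "TICKET_valid".equals(t) ? Optional.of("admin") : Optional.empty();
            }
            public boolean checkPassword(String u, String p) {
                return "admin".equals(u) && "constructed-pw".equals(p);
            }
        };
        String basic = "Basic " + Base64.getEncoder()
                .encodeToString("admin:constructed-pw".getBytes(StandardCharsets.UTF_8));
        System.out.println(authenticate("TICKET_expired", basic, backend)); // bad ticket, Basic supplied
        System.out.println(authenticate("TICKET_expired", null, backend));  // bad ticket, no credentials
    }
}
```

The 401 challenge is issued only when both the ticket and the Basic credentials fail, so a stale bookmarked ticket no longer masks a valid login.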

                People

                • Assignee: Closed Bugs (closedbugs)
                • Reporter: Craig Tan (ctan)