Thread: Possible bug in the latest httpauthfilter for CP2.2.x




Possible bug in the latest httpauthfilter for CP2.2.x
user name
2006-12-22 22:53:48
Hi Sylvain, et al...

I've been using the latest version in:
   http://trac.defuze.org/browser/oss/httpauthfilter
under TurboGears 1.0b1 (TG) to provide Digest/Basic
Auth services.

I first noticed this under TG. I had set up TG/CP (prod.cfg)
to serve static content from:
   /root-of-tg-app/tgapp/prod.cfg
   /root-of-tg-app/tgapp/start-tgapp.py
   /root-of-tg-app/tgapp/tgapp/static/*.html
   /root-of-tg-app/tgapp/tgapp/static/css/*.css
etc., with (static-dir settings in prod.cfg):
   [global]
   static_filter.root = "/root-of-tg-app/tgapp/tgapp"
   [/static]
   static_filter.on = True
   static_filter.root = "static"
   ......

Under the typical usage of:
   . valid login
   . valid homepage accessed, etc
everything works as expected. However, if I do the following:
   . Launch say, Firefox 2 and clear the cache
   . Access http://localhost:8080/ (home)
   . And click on the Cancel button twice (max tries),
     access is denied.
   . Now if I enter the url to a valid resource under /static
     like say,
         "http://localhost:8080/static/css/style.css"
     it does cause the browser to throw up the login popup
     twice (after Cancels).
   . But now, if I refresh the page with that url still in the
     address bar, it throws the login box twice, but after
     the last Cancel-click, it actually displays the resource
     (style.css in this case)

So, it appears Digest/Basic Auth is failing on static
content after repeated login cancellations. There is
no problem with dynamic content off Root controller.

This can be reproduced with the "examplehttpauth.py"
also by doing the following:
   . Place the needed httpauth*.py files in your
       ...lib/python2.4/site-packages
   . place:
       <curr-dir>/examplehttpauth.py
   . create a folder structure with file like:
       <curr-dir>/static/style.css
   . Run:
       <curr-dir>/python examplehttpauth.py
   . Launch the browser and follow the steps listed above.
     style.css will be served even after login failure.

Thanks for looking into it.
Happy hols, all.

/venkat


--~--~---------~--~----~------------~-------~--~----~
 You received this message because you are subscribed to the
Google Groups "cherrypy-users" group.
To post to this group, send email to cherrypy-usersgooglegroups.com
To unsubscribe from this group, send email to
cherrypy-users-unsubscribegooglegroups.com
For more options, visit this group at http://groups-beta.google.com/group/cherrypy-users?hl=en

-~----------~----~----~----~------~----~------~--~---
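
Added example, not part of the original thread or of httpauthfilter: a regression check for the behaviour reported above, requesting each URL several times without credentials and recording every attempt that is served anyway. The `StandIn` server and its `leak_after` flaw are constructed so the check runs offline; they do not model the filter's actual cause.

```python
# Added example: not httpauthfilter/CherryPy code; StandIn is a constructed server.
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
# Go direct (no proxy) and send no credentials, like a cancelled login prompt.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def served_without_auth(base_url, paths, attempts=3):
    """Map each path to the 1-based attempts that were answered without an error."""
    leaks = {}
    for path in paths:
        for n in range(1, attempts + 1):
            try:
                with OPENER.open(base_url + path, timeout=5) as resp:
                    status = resp.status
            except urllib.error.HTTPError as err:
                status = err.code
            if status < 400:  # content came back although nobody logged in
                leaks.setdefault(path, []).append(n)
    return leaks

class StandIn(BaseHTTPRequestHandler):
    """Answers 401 to everything, except for the constructed flaw below."""
    leak_after, denied = None, 0  # flaw: serve /static after this many denials
    log_message = lambda *args: None  # silence per-request logging

    def do_GET(self):
        static = self.path.startswith("/static/")
        leak = static and StandIn.leak_after is not None and StandIn.denied >= StandIn.leak_after
        if static and not leak:
            StandIn.denied += 1
        body = b"body {}\n" if leak else b""
        self.send_response(200 if leak else 401)
        if not leak:
            self.send_header("WWW-Authenticate", 'Basic realm="constructed"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def check_stand_in(leak_after):
    StandIn.leak_after, StandIn.denied = leak_after, 0
    with HTTPServer(("127.0.0.1", 0), StandIn) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = "http://127.0.0.1:%d" % server.server_port
        try:
            return served_without_auth(base, ["/", "/static/css/style.css"])
        finally:
            server.shutdown()
```

Against a real deployment, `served_without_auth("http://localhost:8080", ["/", "/static/css/style.css"])` should return an empty dict; a single attempt per path would miss a resource that is only served on a later request.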

Possible bug in the latest httpauthfilter for CP2.2.x
user name
2006-12-23 09:24:21
I will look at it next week. Thanks for the report.

- Sylvain

venkatbo wrote:
> 
> Hi Sylvain, et al...
>
> I've been using the latest version in:
>   http://trac.defuze.org/browser/oss/httpauthfilter
> under TurboGears 1.0b1 (TG) to provide Digest/Basic
> Auth services.
>
> I first noticed this under TG. I had set up TG/CP (prod.cfg)
> to serve static content from:
>   /root-of-tg-app/tgapp/prod.cfg
>   /root-of-tg-app/tgapp/start-tgapp.py
>   /root-of-tg-app/tgapp/tgapp/static/*.html
>   /root-of-tg-app/tgapp/tgapp/static/css/*.css
> etc., with (static-dir settings in prod.cfg):
>   [global]
>   static_filter.root = "/root-of-tg-app/tgapp/tgapp"
>   [/static]
>   static_filter.on = True
>   static_filter.root = "static"
>   ......
>
> Under the typical usage of:
>   . valid login
>   . valid homepage accessed, etc
> everything works as expected. However, if I do the following:
>   . Launch say, Firefox 2 and clear the cache
>   . Access http://localhost:8080/ (home)
>   . And click on the Cancel button twice (max tries),
>     access is denied.
>   . Now if I enter the url to a valid resource under /static
>     like say,
>         "http://localhost:8080/static/css/style.css"
>     it does cause the browser to throw up the login popup
>     twice (after Cancels).
>   . But now, if I refresh the page with that url still in the
>     address bar, it throws the login box twice, but after
>     the last Cancel-click, it actually displays the resource
>     (style.css in this case)
>
> So, it appears Digest/Basic Auth is failing on static
> content after repeated login cancellations. There is
> no problem with dynamic content off Root controller.
>
> This can be reproduced with the "examplehttpauth.py"
> also by doing the following:
>   . Place the needed httpauth*.py files in your
>       ...lib/python2.4/site-packages
>   . place:
>       <curr-dir>/examplehttpauth.py
>   . create a folder structure with file like:
>       <curr-dir>/static/style.css
>   . Run:
>       <curr-dir>/python examplehttpauth.py
>   . Launch the browser and follow the steps listed above.
>     style.css will be served even after login failure.
>
> Thanks for looking into it.
> Happy hols, all.
>
> /venkat

