Hello,
Thanks a lot for your answer. (It is not very important) but I do not have the same opinion:
http://www.w3schools.com/tags/ref_httpmessages.asp indicates:
2xx: Successful
200: "The request is OK (this is the standard response for successful
HTTP requests)"
4xx: Client Error
401 Unauthorized: The request was a legal request, but the server is refusing to
respond to it. For use when authentication is possible but has failed or not yet been
provided
403 Forbidden: The request was a legal request, but the server is refusing to respond
to it
Of course, there are some web sites that don't respect W3C, but if I
look for this term on Google:
http status "failed login"
I obtain 4xx codes.
But I repeat, I think it is not important ... except for my web center admin ;-)
It doesn't matter because every admin can modify this parameter :-)
Pascal B.
________________________________
From: Sergiu Dumitriu <sergiu(a)xwiki.org>
To: Pascal BASTIEN <pbasnews-xwiki(a)yahoo.fr>; XWiki Developers
<devs(a)xwiki.org>
Sent: Tuesday, 16 September 2014, 21:12
Subject: Re: [xwiki-devs] A quick tiny "issue" to fix in 6.2RC1
This is sent for "failed login" errors [1]. IIRC, I might have changed
this value sometime in... 2006? The reason was that links (the browser)
was displaying a BASIC login prompt which prevented the HTML login form
from working, and the BASIC auth doesn't work unless the URL also
contains basicauth=1.
The status codes affect the current HTTP request, and the action is to
submit (bad) authentication credentials. I don't think using 401 or 403
is correct:
- 401: am I required to log in before submitting my credentials?
- 403: am I forbidden from submitting my credentials?
I checked a few other sites, and they all use 200 when providing wrong
passwords.
[1]
https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwi…
On 09/16/2014 03:42 AM, Pascal BASTIEN wrote:
Hello,
There is a tiny "issue" to fix in the default xwiki.cfg:
#-# HTTP status code to sent when the authentication failed.
xwiki.authentication.unauthorized_code=200
I think 401 (OR 403) is more appropriate, isn't it?
wdyt?
Thanks
--
Sergiu Dumitriu
http://purl.org/net/sergiu