dhis2-devs team mailing list archive

Re: API not showing 401 Unauthorized error

 

Just to try and make it a bit more clear Morten, I think the issue
Rangarirai is asking about is below:

In 2.29 and 2.28, an unauthorized username/password returns a 302.

curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me
HTTP/1.1 302
Server: nginx/1.4.6 (Ubuntu)
Date: Sat, 21 Apr 2018 06:44:10 GMT
Content-Length: 0
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action


In 2.27, this same request returns a 401.

curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.27/api/me
HTTP/1.1 401
Server: nginx/1.4.6 (Ubuntu)
Date: Sat, 21 Apr 2018 06:44:27 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 1071
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27; HttpOnly
WWW-Authenticate: Basic realm="DHIS2"
Content-Language: en


On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire <matavirer@xxxxxxxxx>
wrote:

> Hi Morten,
>
> The password is set wrong deliberately so as to get a 401 or other
> response. The problem is when you set the wrong password or username you
> get endless redirects from the API.
>
> Regards,
>
>
> On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen <morten@xxxxxxxxx>
> wrote:
>
>> It should be district, not distric... but also people keep changing our
>> internal passwords (our database resets every 24 hours)
>>
>> --
>> Morten Olav Hansen
>> Senior Engineer, DHIS 2
>> University of Oslo
>> http://www.dhis2.org
>>
>> On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire <
>> matavirer@xxxxxxxxx> wrote:
>>
>>> By the way, it's not just the error response code that is worrying, but
>>> also the loop of redirects that starts; this makes it difficult to handle
>>> the response for an HTTP client. To see this loop of redirects, you can add
>>> -L to curl as below.
>>>
>>> curl -I -L -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.28/api/me
>>>
>>> I think this behaviour should be corrected as it may lead to unexpected
>>> behaviour of apps.
>>>
>>> Regards
>>>
>>> On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire <
>>> matavirer@xxxxxxxxx> wrote:
>>>
>>>> Hi Devs,
>>>>
>>>> I am wondering whether the behaviour I am seeing is a bug or something
>>>> to be expected due to some change.
>>>>
>>>> When I run the following curl command:
>>>>
>>>> curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me
>>>>
>>>> I get an HTTP 302 response. Note that I have deliberately set the
>>>> password wrong so I can mock a 401 unauthorized response. I get the same
>>>> response when I run the command on version 2.28. However, as expected, when
>>>> I run it on 2.27, 2.26 etc., I get a 401 HTTP response.
>>>>
>>>> I hope someone can assist.
>>>>
>>>> Regards,
>>>>
>>>> Ranga
>>>>
>>>
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~dhis2-devs
>>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>>
>>
>


-- 
Jason P. Pickering
email: jason.p.pickering@xxxxxxxxx
tel:+46764147049
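
Added example, not part of the original thread and not DHIS2 code: one way an API client can treat both behaviours shown above (the 401 from 2.27 and the 302 to login.action from 2.28/2.29) as a rejected login without following the redirect. The function names and the RESP_OTHER sample are assumptions made for this sketch; the other two header dumps are trimmed from the curl output quoted in this message.

```python
from email.parser import Parser
from urllib.parse import urlsplit

# Header dumps trimmed from the two `curl -I` runs quoted in this thread.
RESP_229 = """HTTP/1.1 302
Server: nginx/1.4.6 (Ubuntu)
Content-Length: 0
Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
"""
RESP_227 = """HTTP/1.1 401
Content-Type: text/html;charset=utf-8
WWW-Authenticate: Basic realm="DHIS2"
"""
# Constructed sample: a redirect that is not a bounce to the login form.
RESP_OTHER = """HTTP/1.1 302
Location: https://play.dhis2.org/2.29/api/me.json
"""

# Login path as it appears in the Location header of the 302 above.
LOGIN_SUFFIX = "/dhis-web-commons/security/login.action"


def parse_head(raw):
    """Split a `curl -I` style dump into (status_code, headers)."""
    status_line, _, rest = raw.strip().partition("\n")
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % status_line)
    # email.parser gives case-insensitive header lookup.
    return int(parts[1]), Parser().parsestr(rest, headersonly=True)


def classify(raw):
    """Return 'auth_failed', 'redirect', 'ok' or 'error' for one response."""
    status, headers = parse_head(raw)
    if status == 401:
        return "auth_failed"
    if 300 <= status < 400:
        path = urlsplit(headers.get("Location", "")).path
        # A bounce to the login form means the credentials were rejected.
        # Stop here: following it (curl -L) is what starts the redirect
        # loop, and it would resend the Basic credentials on every hop.
        return "auth_failed" if path.endswith(LOGIN_SUFFIX) else "redirect"
    return "ok" if 200 <= status < 300 else "error"
```

A client using this check needs automatic redirect following switched off in its HTTP library, so that the first 302 is seen rather than the end of the loop.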
