Bug 804661
Summary: rubygem-thin server does not respond correctly with 401, missing WWW-Authenticate header

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Retired] CloudForms Cloud Engine | Reporter | Brad P. Crochet <brad> |
| Component | aeolus-conductor | Assignee | Angus Thomas <athomas> |
| Status | CLOSED EOL | QA Contact | Rehana <aeolus-qa-list> |
| Severity | high | Docs Contact | |
| Priority | unspecified | | |
| Version | 1.0.0 | CC | athomas, bkearney, hbrock, lzap, morazi |
| Target Milestone | rc | Keywords | Triaged |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description
Brad P. Crochet
2012-03-19 14:26:49 UTC

Is this really a bug in Thin? If so it's too late to do anything about it for 1.0. If it's actually an app server or app bug, maybe we have scope to fix it.

Could someone on the katello team please have a look? It might be configurable from our end, I'll let dev comment on that.

We have other clients that seem not to mind this problem (RHSM, automation with curl, automation with apache HTTP client). I haven't watched the HTTP traffic enough to know if they just don't care about the missing header, or if they provide credentials on the first request. I am 90% sure it's the latter. So that seems like a simple workaround. If it is a security issue to send auth on the first request, and RHSM is doing that, we may need to fix that also.

Mike, can you comment on this RC blocker please?

Pushing to 1.1.

Created attachment 582134 [details]
Patch for Katello to set WWW-Authentication header in case no credentials are provided

I don't think it's a problem of thin itself. The application itself has to determine whether the credentials were sent or not. In Katello there is a possibility to authenticate using client certificates as well. Warden is used for this purpose in Katello and it's quite easy to set the required header in case no credentials are provided. See the patch.

I believe this was fixed in SE with https://bugzilla.redhat.com/show_bug.cgi?id=817946
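An added illustration of the point made in the comments above (example code, not the Katello patch, Warden, or Thin itself): a Rack-style app that answers a bare 401 when no credentials are sent, wrapped in a small middleware that adds the WWW-Authenticate challenge the report says is missing. The realm name and the admin credentials are constructed for this example.

```ruby
require 'base64'

REALM = 'Katello'                        # assumed realm name, constructed here
VALID = { 'admin' => 'changeme' }.freeze # constructed test credentials
# Parse an HTTP Basic Authorization header from a Rack env; nil if absent.
def credentials_from(env)
  header = env['HTTP_AUTHORIZATION'].to_s
  return nil unless header.start_with?('Basic ')
  user, pass = Base64.decode64(header.sub('Basic ', '')).split(':', 2)
  user.nil? ? nil : [user, pass]
end
def authenticated?(env)
  user, pass = credentials_from(env)
  !user.nil? && VALID[user] == pass
end

# The 'before' behaviour from the report: a bare 401 with no challenge,
# so a Basic-auth client never learns which scheme or realm to use.
BUGGY_APP = lambda do |env|
  if authenticated?(env)
    [200, { 'Content-Type' => 'text/plain' }, ['ok']]
  else
    [401, { 'Content-Type' => 'text/plain' }, ['Unauthorized']]
  end
end

# Middleware in the spirit of the Warden failure-app fix: when the app answers
# 401 without a challenge, add WWW-Authenticate so clients can retry with
# credentials (Rack 2 style case-sensitive header names assumed).
class EnsureChallenge
  def initialize(app, realm)
    @app = app
    @realm = realm
  end

  def call(env)
    status, headers, body = @app.call(env)
    if status == 401 && !headers.key?('WWW-Authenticate')
      headers = headers.merge('WWW-Authenticate' => "Basic realm=\"#{@realm}\"")
    end
    [status, headers, body]
  end
end
FIXED_APP = EnsureChallenge.new(BUGGY_APP, REALM)
# RFC 7235 rule the bug is about: a 401 response must carry WWW-Authenticate.
def valid_401?(response)
  status, headers, _body = response
  status != 401 || headers.key?('WWW-Authenticate')
end
```

Clients that send credentials on the first request (as the comment suspects RHSM and the curl automation do) never see the difference; only a client that waits for the challenge hits the bug.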