[Geoserver-devel] [jira] (GEOS-6076) j_spring_security_check does not Set-Cookie on first response anymore

Bart van den Eijnden created Bug GEOS-6076
j_spring_security_check does not Set-Cookie on first response anymore

Issue Type:

Bug

Affects Versions:

2.4.0

Assignee:

Andrea Aime

Components:

Security

Created:

07/Oct/13 10:22 AM

Description:

snippet for GeoServer 2.0 (btw 2.2 is the same):

bart-van-den-eijndens-macbook-pro:gxp bartvde$ curl --data 'username=admin&password=xxxx' "http://suite.opengeo.org/geoserver/j_spring_security_check" --verbose

    * About to connect() to suite.opengeo.org port 80 (#0)
    * Trying 184.154.70.215...
    * connected
    * Connected to suite.opengeo.org (184.154.70.215) port 80 (#0)
    > POST /geoserver/j_spring_security_check HTTP/1.1
    > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5
    > Host: suite.opengeo.org
    > Accept: */*
    > Content-Length: 29
    > Content-Type: application/x-www-form-urlencoded
    >
    * upload completely sent off: 29 out of 29 bytes
    * HTTP 1.0, assume close after body
    < HTTP/1.0 302 Moved Temporarily
    < Date: Thu, 03 Oct 2013 21:06:50 GMT
    < Server: Apache-Coyote/1.1
    < Location: http://suite.opengeo.org/geoserver/web
    < Content-Length: 0
    < Set-Cookie: JSESSIONID=161D8384AAB1D71F27DD49716A86419E; Path=/geoserver
    < Content-Type: text/plain
    < X-Cache: MISS from localhost
    < X-Cache-Lookup: MISS from localhost:3128
    < Via: 1.0 suite.opengeo.org, 1.1 localhost:3128 (squid/2.7.STABLE9)
    < Connection: close
    <
    * Closing connection #0

So basically the 302 response used to have the Set-Cookie header, but not anymore.

GeoServer 2.4, without -L:

bart-van-den-eijndens-macbook-pro:gxp bartvde$ curl --data "username=admin&password=geoserver" "http://localhost:8080/geoserver/j_spring_security_check" --verbose

    * About to connect() to localhost port 8080 (#0)
    * Trying ::1...
    * connected
    * Connected to localhost (::1) port 8080 (#0)
    > POST /geoserver/j_spring_security_check HTTP/1.1
    > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5
    > Host: localhost:8080
    > Accept: */*
    > Content-Length: 33
    > Content-Type: application/x-www-form-urlencoded
    >
    * upload completely sent off: 33 out of 33 bytes
    < HTTP/1.1 302 Found
    < Location: http://localhost:8080/geoserver/web
    < Content-Length: 0
    < Server: Jetty(6.1.8)
    <
    * Connection #0 to host localhost left intact
    * Closing connection #0

GeoServer 2.4 with -L:

bart-van-den-eijndens-macbook-pro:gxp bartvde$ curl --data "username=admin&password=geoserver" "http://localhost:8080/geoserver/j_spring_security_check" --verbose -L

    * About to connect() to localhost port 8080 (#0)
    * Trying ::1...
    * connected
    * Connected to localhost (::1) port 8080 (#0)
    > POST /geoserver/j_spring_security_check HTTP/1.1
    > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5
    > Host: localhost:8080
    > Accept: */*
    > Content-Length: 33
    > Content-Type: application/x-www-form-urlencoded
    >
    * upload completely sent off: 33 out of 33 bytes
    < HTTP/1.1 302 Found
    < Location: http://localhost:8080/geoserver/web
    < Content-Length: 0
    < Server: Jetty(6.1.8)
    <
    * Connection #0 to host localhost left intact
    * Issue another request to this URL: 'http://localhost:8080/geoserver/web'
    * Violate RFC 2616/10.3.3 and switch from POST to GET
    * Re-using existing connection! (#0) with host (nil)
    * Connected to (nil) (::1) port 8080 (#0)
    > GET /geoserver/web HTTP/1.1
    > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5
    > Host: localhost:8080
    > Accept: */*
    >
    < HTTP/1.1 302 Found
    < Location: http://localhost:8080/geoserver/web/;jsessionid=1wqm9pg9ek33w
    < Expires: Thu, 01 Jan 1970 00:00:00 GMT
    < Set-Cookie: JSESSIONID=1wqm9pg9ek33w;Path=/geoserver
    < Content-Length: 0
    < Server: Jetty(6.1.8)
    <
    * Connection #0 to host (nil) left intact
    * Issue another request to this URL: 'http://localhost:8080/geoserver/web/;jsessionid=1wqm9pg9ek33w'
    * Re-using existing connection! (#0) with host (nil)
    * Connected to (nil) (::1) port 8080 (#0)
    > GET /geoserver/web/;jsessionid=1wqm9pg9ek33w HTTP/1.1
    > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5
    > Host: localhost:8080
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Content-Type: text/html; charset=utf-8
    < Content-Language: en-US
    < Pragma: no-cache
    < Cache-Control: no-cache, max-age=0, must-revalidate, no-store
    < Content-Length: 7899
    < Server: Jetty(6.1.8)
    <
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

Project:

GeoServer

Priority:

Major

Reporter:

Bart van den Eijnden
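
The comparison made by hand in the traces above can be turned into a repeatable check. The following is an added example, not part of the report or of GeoServer: it reads `curl --verbose` output on stdin and reports, for each response hop, whether it set `JSESSIONID` and whether the session id was also written into the redirect URL, as in the 2.4 trace. The function names `cookie_hops` and `login_sets_cookie` are hypothetical, and the sample traces are abridged from the ones in the description.

```sh
#!/bin/sh
# Added example. Reads `curl --verbose` output on stdin (curl writes it to
# stderr, so pipe with 2>&1) and prints one line per HTTP response:
#   <status> set-cookie=<yes|no> url-session=<yes|no>
cookie_hops() {
  awk '
    function emit() {
      if (status != "") {
        printf "%s set-cookie=%s url-session=%s\n", status, cookie, urlsid
      }
      status = ""
    }
    # Drop a trailing CR and any leading indentation before matching.
    { sub(/\r$/, ""); sub(/^[ \t]+/, "") }
    /^< HTTP\// { emit(); status = $3; cookie = "no"; urlsid = "no"; next }
    status != "" && tolower($0) ~ /^< set-cookie: *jsessionid=/ { cookie = "yes" }
    status != "" && tolower($0) ~ /^< location:.*;jsessionid=/ { urlsid = "yes" }
    END { emit() }
  '
}

# Succeeds only if the first response (the login POST itself) sets the cookie.
login_sets_cookie() {
  cookie_hops | sed -n '1p' | grep -q 'set-cookie=yes'
}

# Constructed sample input, abridged from the traces in the report.
TRACE_20='< HTTP/1.0 302 Moved Temporarily
< Location: http://suite.opengeo.org/geoserver/web
< Set-Cookie: JSESSIONID=161D8384AAB1D71F27DD49716A86419E; Path=/geoserver
<'
TRACE_24='< HTTP/1.1 302 Found
< Location: http://localhost:8080/geoserver/web
<
> GET /geoserver/web HTTP/1.1
< HTTP/1.1 302 Found
< Location: http://localhost:8080/geoserver/web/;jsessionid=1wqm9pg9ek33w
< Set-Cookie: JSESSIONID=1wqm9pg9ek33w;Path=/geoserver
<
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
<'

printf 'older trace:\n'; printf '%s\n' "$TRACE_20" | cookie_hops
printf '2.4 trace with -L:\n'; printf '%s\n' "$TRACE_24" | cookie_hops
```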
