Bill Shannon wrote:
> Kedar Mhaswade wrote on 09/16/09 16:09:
>> Shing Wai Chan wrote:
>>> Kedar Mhaswade wrote:
>>>> Shing Wai Chan wrote:
>>>>> Bill Shannon wrote:
>>>>>> Shing Wai Chan wrote on 09/16/09 14:20:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I find that Admin GUI and (Admin CLI, REST) behave differently
>>>>>>> for admin user without password.
>>>>>>>
>>>>>>> Scenario 1:
>>>>>>> There is only one admin user with name "admin" without password.
>>>>>>> Admin GUI, CLI and REST do not prompt for the password.
>>>>>>>
>>>>>>> Scenario 2:
>>>>>>> There is only one admin user with name "anonymous" without
>>>>>>> password.
>>>>>>> Admin GUI does not prompt for the password.
>>>>>>> CLI and REST "do prompt" for the (empty) password.
>>>>>>>
>>>>>>> So, Admin GUI and (Admin CLI, REST) do behave differently.
>>>>>>> I think they should be consistent.
>>>>>>
>>>>>> How are you running the admin CLI? Are you specifying "--user
>>>>>> anonymous"?
>>>>>> Do you have AS_ADMIN_USER set in your environment? Do you have
>>>>>> an entry
>>>>>> in ~/.asadminpass for the server you're connecting to?
>>>>> I run the CLI as follows (no --user):
>>>>> asadmin list-components
>>>>>
>>>>> I do not set AS_ADMIN_USER
>>>>> In my ~/.asadminpass, it has the following:
>>>>> asadmin://admin_at_localhost:4848
>>>>
>>>> Right, this means that asadmin program is sending
>>>> "admin"/no-password to a server located at localhost:4848,
>>>> which like you said is configured for "anonymous"/no-password.
>>>>
>>>> If you remove that entry or remove/backup .asadminpass, you'll
>>>> see what you expect (assuming you don't do other things).
>>> In this case, how should we look at REST and admin GUI?
>>> Both are going through browser. One prompts for password, but not
>>> for the other.
>>
>> Well, Admin GUI and CLI are our clients, meaning we can write them so
>> they have in a certain manner. With a browser and HTTP/REST commands,
>> you don't have that luxury and standard 401/403 HTTP status codes
>> are sent by the backend that browser interprets in a standard way, in
>> this case by popping up a login dialog. I don't know how we can
>> make it better other than providing some JavaScript stuff.
>
> I'm not sure how authentication is done for the REST interface.
> If it goes through the GenericAdminAuthenticator it should work
> like the CLI.
>
> Possibly your browser has authentication information cached that
> it's sending on every request even though the server isn't asking
> for it? In that case, if it sends the wrong information then just
> like the CLI it's going to fail. If it sends *no* authentication
> information that we should be able to make it succeed just like
> the CLI.
No, I have restarted the browser. Anissa also confirmed that the admin
gui does not prompt for password for anonymous user.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe_at_glassfish.dev.java.net
> For additional commands, e-mail: dev-help_at_glassfish.dev.java.net
>