Sakai: SAK-23678

Do not send 200 OK with auth page in response to unauthenticated byte-range requests

Details

2.9 Status: Resolved

Description

In some cases, a browser can send a partial-content request (a byte-range request with the Range: header) for a resource for which the user is not authenticated. This has been seen especially with recent versions of Chrome.

For example:

• User logs in, opens a PDF or PPT in another tab, logs out in the original tab, then continues to scroll through the PDF/PPT in the second tab.
• The browser sends Range: requests for partial content, but the user is no longer authenticated.

Sakai currently sends back an HTTP 200 OK response with an authentication page. This makes no sense for a byte-range request: the requested bytes are not being sent back, and these requests typically come from embedded viewers, so the browser is not prepared to actually show this auth page to the user. Chrome seems to repeat the request indefinitely.

In addition, the Apache 2.2 / mod_jk combination appears to change the Tomcat 200 response into a 416 response (Range Not Satisfiable). That is a reasonable reaction, because the request asked for a particular byte range but a short auth page was returned instead, which does not satisfy the request.

A correct response is to issue either a 401 Unauthorized (if basic auth could possibly succeed) or a 403 Forbidden response.

The attached patch implements this.

Here are sample test cases which show the appropriate response (with this patch) for a variety of different request types.

1. byte-range with no auth and curl user-agent

curl --noproxy sakai.some.domain --verbose --insecure --output /dev/null --continue-at 3000 https://sakai.some.domain/access/content/group/996b25c5-9d5f-4dba-9c7a-507e4862c578/VULA-1928.pdf

Expected: 401 Unauthorized

2. byte-range with a browser UA

curl --noproxy sakai.some.domain --verbose --insecure --output /dev/null --user-agent "Mozilla" --continue-at 3000 https://sakai.some.domain/access/content/group/996b25c5-9d5f-4dba-9c7a-507e4862c578/VULA-1928.pdf

Expected: 403 Forbidden

3. byte-range with a browser UA and basic auth requested

curl --noproxy sakai.some.domain --verbose --insecure --output /dev/null --user-agent "Mozilla" --continue-at 3000 https://sakai.some.domain/access/content/group/996b25c5-9d5f-4dba-9c7a-507e4862c578/VULA-1928.pdf?__auth=basic

Expected: 401 Unauthorized

4. full request with a browser UA

curl --noproxy sakai.some.domain --verbose --insecure --output /dev/null --user-agent "Mozilla" https://sakai.some.domain/access/content/group/996b25c5-9d5f-4dba-9c7a-507e4862c578/VULA-1928.pdf

Expected: 200 OK with an auth page

5. full request with basic auth details in header

curl --noproxy sakai.some.domain --verbose --insecure --output /dev/null --user-agent "Mozilla" --user username:password https://sakai.some.domain/access/content/group/996b25c5-9d5f-4dba-9c7a-507e4862c578/VULA-1928.pdf

Expected: 200 OK with an auth page

6. full request with basic auth details in header and requested in URL

curl --noproxy sakai.some.domain --verbose --insecure --output /dev/null --user-agent "Mozilla" --user username:password https://sakai.some.domain/access/content/group/996b25c5-9d5f-4dba-9c7a-507e4862c578/VULA-1928.pdf?__auth=basic

Expected: 200 OK with full file

7. full request with basic auth details in header and non-browser UA

curl --noproxy sakai.some.domain --verbose --insecure --output /dev/null --user-agent "curl" --user username:password https://sakai.some.domain/access/content/group/996b25c5-9d5f-4dba-9c7a-507e4862c578/VULA-1928.pdf

Expected: 200 OK with full file

8. byte-range with a script UA and basic auth headers supplied

curl --noproxy sakai.some.domain --verbose --insecure --output /dev/null --user-agent "curl" --continue-at 3000 --user username:password https://sakai.some.domain/access/content/group/996b25c5-9d5f-4dba-9c7a-507e4862c578/VULA-1928.pdf

Expected: 206 Partial Content
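The decision table that these eight cases pin down, written out as an added Python model of the access servlet's response choice (this is not Sakai's code or the attached patch). It assumes that a user agent containing "Mozilla" counts as a browser, that basic auth is only attempted for non-browser clients or when the URL carries ?__auth=basic, and it uses a constructed credential store; the behaviour for a non-browser full request without credentials is not covered by the issue and is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed credential store for the example; not Sakai's user directory.
VALID_USERS = {"username": "password"}


@dataclass
class Request:
    user_agent: str
    has_range: bool                      # Range: header present (curl --continue-at)
    auth_requested: bool = False         # ?__auth=basic in the URL
    basic_creds: Optional[tuple] = None  # (user, password) from the Authorization header


@dataclass
class Response:
    status: int
    body: str
    www_authenticate: Optional[str] = None


def is_browser(user_agent: str) -> bool:
    # Assumption: any "Mozilla" UA is treated as a browser, as in the test cases.
    return "Mozilla" in user_agent


def basic_auth_possible(req: Request) -> bool:
    # Basic auth is attempted for non-browser clients, or when the URL asks for it.
    return req.auth_requested or not is_browser(req.user_agent)


def authenticate(req: Request) -> bool:
    if not basic_auth_possible(req) or req.basic_creds is None:
        return False
    user, password = req.basic_creds
    return VALID_USERS.get(user) == password


def handle(req: Request) -> Response:
    challenge = 'Basic realm="Sakai"'
    if authenticate(req):
        return Response(206, "partial content") if req.has_range else Response(200, "full file")
    if req.has_range:
        # Never answer a byte-range request with 200 + auth page: the requested bytes
        # are missing and an embedded viewer will not show the page to the user.
        if basic_auth_possible(req):
            return Response(401, "unauthorized", www_authenticate=challenge)
        return Response(403, "forbidden")
    if basic_auth_possible(req):
        # Assumption: a non-browser full request without credentials is challenged too.
        return Response(401, "unauthorized", www_authenticate=challenge)
    return Response(200, "auth page")  # browser full request: login page is sensible
```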

People

Assignee: Sam Ottenhoff (ottenhoff)
Reporter: Stephen Marquard (smarquard)