These are chat archives for spring-guides/tut-spring-security-and-angular-js

26th Jun 2015
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:29
@dsyer just moved to this room...
Just to share the question: I was asking what happens if the ui-server goes down, as we're keeping the token inside the HTTP session on that service.
Just asking because I cannot see any additional cookie/header that will be used when the user is redirected to the authorization server again.
Dave Syer
@dsyer
Jun 26 2015 17:33
The user will have a session with the Auth server
That cookie you mean?
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:33
@dsyer let me confirm
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:40
The thing that I'm not getting is how the JSESSIONID that is being passed to the ui-server and to the auth server is the same.
Dave Syer
@dsyer
Jun 26 2015 17:40
It's not
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:41
Well, maybe it's Chrome that is confusing me.
Dave Syer
@dsyer
Jun 26 2015 17:41
But if you're signed into the Auth server and you already have an access token you can get a new UI session with just 2 redirects
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:41
Because I see that the request for :8080/login
Dave Syer
@dsyer
Jun 26 2015 17:42
The user probably won't even notice if it's XHR
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:42
that returns a redirect to the auth server
is showing the same cookies
Dave Syer
@dsyer
Jun 26 2015 17:42
Same as what?
Dave Syer
@dsyer
Jun 26 2015 17:44
So what? You have a cookie for the UI
Is that the old one that isn't valid any more?
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:45
yes
Dave Syer
@dsyer
Jun 26 2015 17:45
Right, so when the browser presents that, it's unauthenticated, so you get a 302.
The 302 goes to the Auth server with a different cookie
And you get sent right back with an Auth code
At which point you are authenticated
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:47
"The 302 goes to the Auth server with a different cookie"
that is the thing that I’m not seeing
Dave Syer
@dsyer
Jun 26 2015 17:48
Maybe your cookies are fubar
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:48
So, that is my doubt.
Dave Syer
@dsyer
Jun 26 2015 17:48
Does the Auth server cookie look different if you look in the browser dev tools?
Where is the Auth server running?
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:49
Let me check... all the services are running on my local machine.
Dave Syer
@dsyer
Jun 26 2015 17:50
The Auth server needs to send cookies with a different path
Usually I do that by running it with custom context path
You should be able to see that in the browser tools
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:51
I'm using the demo app,
so the auth server is under a different path:
/uaa
Dave Syer
@dsyer
Jun 26 2015 17:52
Then the cookie should show up as different.
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:52
The first 2 failures happened after a logout,
and the 2nd login was triggered by me.
Dave Syer
@dsyer
Jun 26 2015 17:53
There's no cookie there with a path of /uaa right?
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:53
And then the 3rd request to the auth server succeeded.
Right.
Dave Syer
@dsyer
Jun 26 2015 17:53
So you're not authenticated with /uaa
Maybe you logged out?
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:54
The flow was...
Dave Syer
@dsyer
Jun 26 2015 17:54
Cookies are fubar
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:54
I logged out
using the logout button,
and then clicked on the login button,
refreshed the page,
Dave Syer
@dsyer
Jun 26 2015 17:55
Does logout log you out of the UAA?
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:55
and I got authenticated again without filling in the username/password.
Dave Syer
@dsyer
Jun 26 2015 17:55
Ok then it doesn't
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:55
So, I need to be authenticated in the UAA.
Dave Syer
@dsyer
Jun 26 2015 17:56
Actually if the UAA is using HTTP basic your browser probably remembers the creds
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:56
The thing that I'm trying to understand is how it is possible for it to work if I don't have a specific cookie for /uaa.
Ah...
Dave Syer
@dsyer
Jun 26 2015 17:57
In the general case though there will be a cookie
Pedro Vilaça
@pmvilaca
Jun 26 2015 17:57
That should be created after the request to the auth server?
When it's redirecting to /login with the code param?
Dave Syer
@dsyer
Jun 26 2015 18:00
After you authenticate with the Auth server you get a cookie
So, the response to this request should set a cookie, right?
Pedro Vilaça
@pmvilaca
Jun 26 2015 18:10
@dsyer I think that I found the problem.
I changed the AuthServer config to enable autoApprove,
and somehow that is causing the behaviour that I've described.
Dave Syer
@dsyer
Jun 26 2015 18:39
OK. What change did you make? Push the code to github and I'll have a look on monday