AeroGear / AEROGEAR-1109

TODO: can use wrong Auth-Token


Details

    • Feature Request
    • Resolution: Won't Do
    • Critical
    • 1.1.0
    • 1.0.0
    • examples
    • None

    Description

      When using curl, I am able to bypass the Auth-Token (with cookies):

      Doing a login:

      curl -3 -v --cookie-jar newcookies.txt -H "Accept: application/json" -H "Content-type: application/json" -X POST https://todo-aerogear.rhcloud.com/todo-server/auth/login -d '{"username":"john","password":"123"}'

      Getting a response, with the new Auth-Token:

      < HTTP/1.1 200 OK
      < Date: Fri, 12 Apr 2013 15:09:53 GMT
      < Server: Apache-Coyote/1.1
      < Auth-Token: 6f5b8b84-f872-428d-8ee0-a516610d30e4
      < Content-Type: application/json;charset=UTF-8
      < Content-Length: 46
      * Added cookie JSESSIONID="AWxvYeSr0nin0AE+XdotWsQd" for domain todo-aerogear.rhcloud.com, path /todo-server, expire 0
      < Set-Cookie: JSESSIONID=AWxvYeSr0nin0AE+XdotWsQd; Path=/todo-server
      < Vary: Accept-Encoding
      < 
      * Connection #0 to host todo-aerogear.rhcloud.com left intact
      {"username":"john","roles":["admin","simple"]}* Closing connection #0

      Now, accessing a protected resource, using the cookies but an invalid Auth-Token:

      curl -3 -v --cookie newcookies.txt -H "Accept: application/json" -H "Content-type: application/json" --header "Auth-Token: I_AM_WRONG" -X GET https://todo-aerogear.rhcloud.com/todo-server/tags

      I am getting a 200 response from the endpoint:

      > GET /todo-server/tags HTTP/1.1
      > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
      > Host: todo-aerogear.rhcloud.com
      > Cookie: JSESSIONID=AWxvYeSr0nin0AE+XdotWsQd
      > Accept: application/json
      > Content-type: application/json
      > Auth-Token: I_AM_WRONG
      > 
      < HTTP/1.1 200 OK
      < Date: Fri, 12 Apr 2013 15:10:03 GMT
      < Server: Apache-Coyote/1.1
      < Content-Type: application/json;charset=UTF-8
      < Vary: Accept-Encoding
      < Transfer-Encoding: chunked
      < 
      * Connection #0 to host todo-aerogear.rhcloud.com left intact
      [{"id":1,"title":"asdf","style":"tag-79-33-196","tasks":[1]},{"id":2,"title":"dadasdasdas","style":"tag-255-255-255","tasks":[]}]* Closing connection #0
      * SSLv3, TLS alert, Client hello (1):
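      The report shows the server honouring the JSESSIONID cookie and ignoring the Auth-Token header. The following is an added example (not the todo-server's own code) that models that flawed check beside a hardened one, where the token is bound to the session at login and must match on every request; the in-memory store, credentials and function names are constructed for illustration.

```python
import hmac
import secrets
import uuid


class SessionStore:
    """Constructed in-memory session store; stands in for the container's session map."""

    def __init__(self, users):
        self._users = users          # username -> password (constructed, plaintext for brevity)
        self._sessions = {}          # session id -> {"user": ..., "token": ...}

    def login(self, username, password):
        """Create a session and issue an Auth-Token bound to that session."""
        if self._users.get(username) != password:
            return None
        session_id = secrets.token_urlsafe(18)   # plays the role of the JSESSIONID cookie
        auth_token = str(uuid.uuid4())           # same shape as the Auth-Token in the report
        self._sessions[session_id] = {"user": username, "token": auth_token}
        return session_id, auth_token

    def authorize_cookie_only(self, cookie_session_id, auth_token_header):
        """Flawed check matching the observed behaviour: a known session cookie is enough,
        and the Auth-Token header is never consulted."""
        return cookie_session_id in self._sessions

    def authorize(self, cookie_session_id, auth_token_header):
        """Hardened check: the session must exist AND the presented Auth-Token must equal
        the token issued for that session (constant-time compare, bytes to avoid the
        ASCII-only restriction of compare_digest on str)."""
        record = self._sessions.get(cookie_session_id)
        if record is None or not auth_token_header:
            return False
        return hmac.compare_digest(record["token"].encode("utf-8"),
                                   auth_token_header.encode("utf-8"))


def demo():
    """Replay the report's scenario against both checks; every value should be True."""
    store = SessionStore({"john": "123"})        # constructed credentials from the report
    sid, token = store.login("john", "123")
    return {
        "flawed_accepts_wrong_token": store.authorize_cookie_only(sid, "I_AM_WRONG"),
        "hardened_rejects_wrong_token": not store.authorize(sid, "I_AM_WRONG"),
        "hardened_rejects_missing_token": not store.authorize(sid, None),
        "hardened_rejects_unknown_session": not store.authorize("no-such-session", token),
        "hardened_accepts_right_token": store.authorize(sid, token),
    }
```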
      People

        Bruno Oliveira Silva (Inactive)
        Matthias Wessendorf