Developer
knight9
Posts: 84
Registered: ‎09-21-2008
My Device: Not Specified
Accepted Solution

MDS Cache HTTP Basic Authentication

The MDS Simulator and BES implementation out there are caching basic authentication credentials and using them for future requests to our server, even when the client specifically changes the credentials in the request.

 

As seen on:

http://na.blackberry.com/eng/devjournals/resources/journals/oct_2004/understanding_mds.jsp#what_cach... .

 

User Information
As discussed in the previous section, MDS supports a variety of authentication schemes. In the situation where authentication is required, MDS will cache user credentials after a user is prompted for a username and password. The next time that user logs into the server and is challenged for a username and password, MDS will automatically authenticate the user with the cached credentials, removing the need for them to re-enter their credentials each time.

 

This is causing us a lot of issues because we require different credentials for different operations. We have tried setting the Cache-Control directive on the requests to no-store, no-cache, must-revalidate; however, the MDS seems to ignore these directives.

Is there a directive we can use on the connection string or in the HTTP header that will prevent the MDS from using the cached credentials?

Message Edited by knight9 on 02-07-2009 01:48 AM
Developer
RexDoug
Posts: 4,764
Registered: ‎07-21-2008
My Device: Not Specified

Re: MDS Cache HTTP Basic Authentication

Try setting your "modified since" to some date in the past, like this:

 

httpConnection.setRequestProperty("If-Modified-Since", "29 Oct 1999 19:43:31 GMT");

Developer
knight9
Posts: 84
Registered: ‎09-21-2008
My Device: Not Specified

Re: MDS Cache HTTP Basic Authentication

Thanks for the suggestion. I should have mentioned that we had tried this already as well.

Here are the headers we set on the authenticated request. The base64_credentials can change from call to call, but the MDS server is always passing the first set of credentials passed to the server, which is not quite the correct behavior.

 

c.setRequestProperty("If-Modified-Since", "29 Oct 1999 19:43:31 GMT");
c.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
c.setRequestProperty("Accept-Encoding", "gzip");
c.setRequestProperty("User-Agent", "MyUserAgentHere");
c.setRequestProperty("Content-Language", "en-US");
c.setRequestProperty("Cache-Control", "no-store, no-cache, must-revalidate");
c.setRequestProperty("Authorization", base64_credentials);

This actually has other security concerns as well, as if a user attempts to log out of our applications, next time someone logs in from that device, it could be using the original user's credentials and allow access to data they should not be able to see.

There must be a way to invalidate the cached credentials on the MDS server... If there is not, we may have to re-architect a special authorization method just for BES users, which is an awful lot of overhead to work around NON-Standard behavior in a proxy.

 

I would have assumed that when the MDS server saw a NEW set of credentials for a domain it should update its cached version to the new credentials.  

Message Edited by knight9 on 02-07-2009 03:05 PM
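
Added example, not part of the original thread and not BlackBerry code: one way an origin server could refuse a request whose Authorization header was replaced by a caching intermediary, which covers the logout concern raised in the post above. The X-Auth-Fingerprint header, the host name and the caching_proxy stand-in are assumptions made for the illustration, and it assumes the intermediary forwards unknown headers unchanged.

```python
import base64
import hashlib
import hmac

CHECK_HEADER = "X-Auth-Fingerprint"  # hypothetical header name, not a standard

def basic_auth(user, password):
    """Build the value the client puts in the Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def fingerprint(authorization):
    return hashlib.sha256(authorization.encode()).hexdigest()

def client_headers(user, password):
    auth = basic_auth(user, password)
    return {"Authorization": auth, CHECK_HEADER: fingerprint(auth)}

def caching_proxy(cache, host, headers):
    """Constructed stand-in for the reported behaviour: the first
    Authorization value seen for a host replaces every later one."""
    forwarded = dict(headers)
    forwarded["Authorization"] = cache.setdefault(host, headers["Authorization"])
    return forwarded

def origin_check(headers):
    """Origin-side check, run before the password itself is validated
    (password validation is omitted here)."""
    auth = headers.get("Authorization", "")
    claimed = headers.get(CHECK_HEADER, "")
    if not auth.startswith("Basic ") or not claimed:
        return 401, "missing-headers"
    if not hmac.compare_digest(fingerprint(auth).encode(), claimed.encode()):
        return 401, "authorization-mismatch"  # header was swapped in transit
    user = base64.b64decode(auth[6:]).decode().split(":", 1)[0]
    return 200, user

def demo():
    cache = {}  # one proxy, one device, two successive users (constructed)
    results = []
    for user, password in [("alice", "pw-a"), ("bob", "pw-b")]:
        sent = client_headers(user, password)
        results.append(origin_check(caching_proxy(cache, "app.example.test", sent)))
    return results

if __name__ == "__main__":
    print(demo())
```

A mismatch is worth logging on the server, since it means the request arrived with credentials the client did not send.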
Administrator
MSohm
Posts: 14,268
Registered: ‎07-09-2008
My Device: BlackBerry Z30, BlackBerry PlayBook
My Carrier: Bell

Re: MDS Cache HTTP Basic Authentication

You can control this setting on the BlackBerry Enterprise Server.  It can be disabled or you can adjust the timeout values for this cache.
Mark Sohm
BlackBerry Development Advisor

Developer
knight9
Posts: 84
Registered: ‎09-21-2008
My Device: Not Specified

Re: MDS Cache HTTP Basic Authentication

Thanks, but we do not have control over our users' BES servers, so that is not a viable option.

We have found that using an HTTPS connection seems to resolve this issue, but it is rather annoying that we have to have the overhead on both client and server to use HTTPS connections.

The BES/MDS servers should obey caching headers in the HTTP requests. At a minimum it should realize that the credentials need to be updated when a new set is sent to it from the client and not blindly use old credentials.

Caching credentials like this also makes it difficult on some sites (not many these days use Basic Auth, but some do) to have multiple accounts since you can't change your credentials.

Message Edited by knight9 on 02-13-2009 02:49 AM
Developer
zidane_143
Posts: 43
Registered: ‎08-26-2010
My Device: Not Specified

Re: MDS Cache HTTP Basic Authentication

Hi MSohm,

 

I am having the same problem with the Cache Credentials on MDS. You mentioned the HTTP cache can be controlled via the BES. Whereabouts are those settings? And is it in a particular version of BES?
