I have a Grails app that is using the JSecurity plugin for authentication.

How do I use curl to send my credentials? If I just do curl -u username mysite

I get a prompt for a password, then nothing.

I tried to do an anyauth command and this is what I got for the site. Any idea why it is returning a 302?

dcole@DCOLE-L /cygdrive/c/dev
$ curl --anyauth --verbose http://localhost:8080/SkillsDB
* About to connect() to localhost port 8080 (#0)
*   Trying ::1... connected   
* Connected to localhost (::1) port 8080 (#0)
> GET /SkillsDB HTTP/1.1
> User-Agent: curl/7.20.1 (i686-pc-cygwin) libcurl/7.20.1 OpenSSL/0.9.8o zlib/1.2.5 libidn/1.18 libssh2/1.2.5
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< Server: Apache-Coyote/1.1
< Location: http://localhost:8080/SkillsDB/
< Transfer-Encoding: chunked
< Date: Thu, 07 Oct 2010 14:32:32 GMT
<
* Connection #0 to host localhost left intact
* Closing connection #0

Here is additional information:

Rob is correct that it is form based. When I go to the address

 http://localhost:8080/SkillsDB/auth/initialLogin

This is the form code that is displayed:

<form action="/SkillsDB/auth/initialSignIn" method="post" name="logform" id="logform">
<input name="targetUri" value="" type="hidden">
<input value="" widgetid="username" tabindex="0" id="username" class="dijit dijitReset dijitLeft dijitTextBox" dojoattachpoint="textbox,focusNode" name="username" dojoattachevent="onmouseenter:_onMouse,onmouseleave:_onMouse,onfocus:_onMouse,onblur:_onMouse,onkeypress:_onKeyPress" autocomplete="off" type="text"></td>
<input value="" widgetid="password" tabindex="0" id="password" class="dijit dijitReset dijitLeft dijitTextBox" dojoattachpoint="textbox,focusNode" name="password" dojoattachevent="onmouseenter:_onMouse,onmouseleave:_onMouse,onfocus:_onMouse,onblur:_onMouse,onkeypress:_onKeyPress" autocomplete="off" type="password"></td>
<td style=""><span widgetid="dijit_form_Button_0" class="dijit dijitReset dijitLeft dijitInline dijitButton" dojoattachevent="ondijitclick:_onButtonClick,onmouseenter:_onMouse,onmouseleave:_onMouse,onmousedown:_onMouse"><span class="dijitReset dijitRight dijitInline"><span class="dijitReset dijitInline dijitButtonNode"><button style="-moz-user-select: none;" tabindex="0" value="Log In" id="dijit_form_Button_0" aria-labelledby="dijit_form_Button_0_label" role="button" class="dijitReset dijitStretch dijitButtonContents" dojoattachpoint="titleNode,focusNode" name="" type="submit" wairole="button" waistate="labelledby-dijit_form_Button_0_label"><span class="dijitReset dijitInline" dojoattachpoint="iconNode"><span class="dijitReset dijitToggleButtonIconChar">✓</span></span><span class="dijitReset dijitInline dijitButtonText" id="dijit_form_Button_0_label" dojoattachpoint="containerNode">Log In</span></button></span></span></span></td>
  </form>
+1  A: 

If you're using a form-based authentication method, it's likely you're going to have to make an HTTP POST request to your login form, something along the lines of:

curl --data "username=foo&password=bar" http://localhost:8080/SkillsDB/login/auth
# note that '--data' causes the request to be a POST

I can't remember what JSecurity's login action is, but you'll have to replace login/auth (in the curl command above) with it. Have a look at the action of the <form> that the login page submits to.

Note that you'll be passing the password as plain text here. You'll probably want to use HTTPS for this transaction, but that's a whole different question.

Unless JSecurity is extending its authentication to use HTTP Basic Authentication, using the --anyauth is not likely to work, as I would imagine curl uses that to determine the proper HTTP authentication method.

Regarding your question about the 302, what happens when you add --location to your curl arguments? That should make curl follow the Location header that comes back in the response.

Rob Hruska
I posted the additional information with my form. I tried something similar to the curl command you posted, but all I get returned from that is the login page again. Any idea from looking at it? Also, when I used the --location, I got back the HTML of the login page again.
Derek
It's tough to tell what might be wrong, I guess. It's possible that you may need to save/load cookies (see the curl man page). It could be a number of other things. Do you have any logs from the server indicating that the request came through, and what happened with it?
Rob Hruska
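
The steps suggested in the answer and the last comment (POST to the form's action, save and load cookies, follow the redirect), put together as an added example that is not part of the original thread. The paths and field names are taken from the form in the question; the `login_outcome` and `form_login` helper names, and the rule that ending up back under `/auth/` means the login failed, are assumptions.

```shell
#!/bin/sh
# Added example: form-based login with curl, keeping the session cookie.
# Paths and field names come from the <form> in the question; the success
# rule in login_outcome is an assumption about this application.

# Decide from curl's "%{http_code} %{url_effective}" output whether the
# login worked. Returns 0 only for a 2xx page that is not under /auth/.
login_outcome() {
    code=${1%% *}
    url=${1#* }
    case $code in
        2??) ;;
        *) return 1 ;;
    esac
    case $url in
        */auth/*) return 1 ;;   # landed on the login form again
    esac
    return 0
}

# form_login BASE USER PASSWORD_FILE COOKIE_JAR
# PASSWORD_FILE holds the password with no trailing newline, e.g.
#   umask 077; printf '%s' "$PASSWORD" > pwfile
# so the password does not appear in curl's argument list (visible in ps).
form_login() {
    base=$1 user=$2 pwfile=$3 jar=$4
    # 1. Fetch the login page so the server can set its session cookie.
    curl --silent --output /dev/null --cookie-jar "$jar" \
        "$base/auth/initialLogin" || return 2
    # 2. POST the form's fields to its action, sending the cookie back,
    #    and follow the redirect that a form login normally answers with.
    result=$(curl --silent --output /dev/null --location \
        --cookie "$jar" --cookie-jar "$jar" \
        --data-urlencode "username=$user" \
        --data-urlencode "password@$pwfile" \
        --data "targetUri=" \
        --write-out '%{http_code} %{url_effective}' \
        "$base/auth/initialSignIn") || return 2
    login_outcome "$result"
}

# Usage: form_login http://localhost:8080/SkillsDB foo pwfile cookies.txt
# Later requests reuse the session with: curl --cookie cookies.txt URL
```

Use an `https://` base URL outside local testing, and delete the cookie jar and password file when done, since both grant access to the account.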