Authorization for Downloads of restricted Bitstreams: Short lived token endpoint #2783
Conversation
@KevinVdV I tried reviewing this PR, but the first thing I noticed is that my main authentication header is broken after creating a token. Can you create an IT which:
Hi @KevinVdV, thanks for the PR; it looks good overall.
I have made some small change requests inline. The "bigger" one is related to the use of the word "session" to discriminate between short-lived tokens and "normal" ones. I suggest naming it just loginToken, but it would be useful to get feedback from @tdonohue on that, to avoid an unnecessary change if he disagrees with my suggestion, or multiple changes if he has a better name suggestion.
dspace-server-webapp/src/main/java/org/dspace/app/rest/AuthenticationRestController.java
dspace-server-webapp/src/main/java/org/dspace/app/rest/model/AuthenticationTokenRest.java
...pp/src/main/java/org/dspace/app/rest/security/jwt/JWTTokenRestAuthenticationServiceImpl.java
dspace-server-webapp/src/test/java/org/dspace/app/rest/AuthenticationRestControllerIT.java
- Don't update ePerson session salt when requesting a short lived token
- Add test that the ePerson session salt isn't updated when requesting a short lived token
…ization-for-Downloads-of-restricted-Bitstreams-1
@abollini @benbosman All your feedback has been processed; let me know if anything is still missing (or if you find new things).
I have not reviewed this code yet, but I've extensively tested it, and this branch creates security risks.
Using a token, it's possible to:
- Create another token (infinitely increasing the duration of the token by requesting a new one every second based on the previous token)
- Create another security header (creating a long-lived header based on a short-lived token)
I've tested this using:
```bash
# 1. Mint a short-lived token, then use it (as a query parameter) to mint
#    another short-lived token: the chain can be extended every second.
token=$(curl --silent -X POST 'http://localhost:8080/server/api/authn/shortlivedtokens' -H "Authorization: $authorization2" | jq --raw-output '.token'); echo "$token"; curl -v "http://localhost:8080/server/api/authn/shortlivedtokens?token=$token" -X POST
# 2. Mint a short-lived token, then use it on the login endpoint to obtain
#    a long-lived Authorization header.
token=$(curl --silent -X POST 'http://localhost:8080/server/api/authn/shortlivedtokens' -H "Authorization: $authorization2" | jq --raw-output '.token'); echo "$token"; curl -v "http://localhost:8080/server/api/authn/login?token=$token" -X POST
```
I would recommend explicitly refusing to accept a token on /server/api/authn/login and /server/api/authn/shortlivedtokens, and adding ITs that verify it's not allowed (even with a valid token).
I have flagged my previous feedback as resolved, since it was processed. I agree with @benbosman's finding, but I'm also ok with postponing these security improvements to beta4. Indeed, in the REST Contract discussion we had not identified the need to prevent the use of short-lived tokens for the renew endpoint.
dspace-server-webapp/src/test/java/org/dspace/app/rest/AuthenticationRestControllerIT.java
I've reviewed the code, and it seems all issues have already been solved, including the last 2 @abollini noted and @jonas-atmire responded to. Since I prefer not to create new security risks, I'd prefer to have that issue solved first. But if that's not realistic, we can perhaps postpone it and create a critical ticket.
@KevinVdV : would it be possible to resolve the security issues noted by Ben before merging this? I'd rather not merge something with a known security issue. Just an FYI, we are looking to release beta3 as soon as this Thursday. So if this PR (and others dependent on it) is going to be in beta3, ideally we'd get this PR ready to merge by tomorrow (if that's at all possible).
- Short lived tokens can't be used to login, or generate other tokens
@peter-atmire : It looks like your most recent commit here causes some unexpected behavior in the EPerson endpoints (based on the Travis CI results). These tests are now throwing the wrong exception (a 403 instead of a 401) & therefore failing:
I suspect your change may be too low-level. Maybe we should be rejecting the
@tdonohue Because the Travis impact didn't match that commit, I've checked it out in more detail. The problem seems to be in the REST Contract, and not in the commit.
…streams-1' into w2p-71672_Rename-token-parameter
- Rename url parameter "token" to "authentication-token"
- Fix checkstyle
@benbosman : Thanks for looking into this. I agree with your approach to simply rename one of these params. We don't want two different things named
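The two problems discussed in this thread, the renewal chain Ben demonstrated with curl and the clash between the `token` query parameter used for credentials and the `token` parameter already used elsewhere in the REST contract, can be modelled in a few lines. The following is an added illustration written for this page; it is not DSpace's JWTTokenHandler or JWTTokenRestAuthenticationServiceImpl code. It uses a simplified HMAC-signed token instead of a real JWT, and the secret, the lifetimes, the `sub`/`type`/`exp` claim names and the `renewal_chain` helper are assumptions made for the demo. The endpoint paths and the `authentication-token` parameter name are the ones named in the PR.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment reads it from configuration.
SECRET = b"demo-secret-do-not-use"

LOGIN_LIFETIME = 30 * 60        # seconds; assumed value for the demo
SHORT_LIVED_LIFETIME = 2        # seconds; matches the PR's 2-second default


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(eperson: str, token_type: str, now: float) -> str:
    """Mint an HMAC-SHA256 signed token; token_type is 'login' or 'shortlived'."""
    lifetime = LOGIN_LIFETIME if token_type == "login" else SHORT_LIVED_LIFETIME
    claims = {"sub": eperson, "type": token_type, "exp": int(now + lifetime)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify(token: str, now: float) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:          # malformed base64 or JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


# Endpoints that mint credentials; a short-lived token must never reach these.
TOKEN_MINTING_ENDPOINTS = {"/api/authn/login", "/api/authn/shortlivedtokens"}


def credentials_from_request(headers: dict, query: dict) -> Optional[str]:
    """Only the Authorization header or the 'authentication-token' query
    parameter carry credentials. A plain 'token' parameter is ignored, so
    endpoints that use 'token' for something else are unaffected."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):]
    return query.get("authentication-token")


def authorize(path: str, headers: dict, query: dict, now: float,
              hardened: bool = True) -> Optional[dict]:
    """Return the token claims if the request is authorized for `path`.
    hardened=False reproduces the behaviour Ben reported: any valid token,
    short-lived included, is accepted on the token-minting endpoints."""
    token = credentials_from_request(headers, query)
    if token is None:
        return None
    claims = verify(token, now)
    if claims is None:
        return None
    if hardened and path in TOKEN_MINTING_ENDPOINTS and claims["type"] == "shortlived":
        return None
    return claims


def renewal_chain(eperson: str, start: float, hops: int, hardened: bool) -> int:
    """Count how many times a short-lived token can mint a successor when a
    renewal is attempted once per second, i.e. inside the 2-second lifetime."""
    token = issue(eperson, "shortlived", start)
    now = start
    for hop in range(hops):
        now += 1
        claims = authorize("/api/authn/shortlivedtokens", {},
                           {"authentication-token": token}, now, hardened)
        if claims is None:
            return hop
        token = issue(claims["sub"], "shortlived", now)
    return hops


if __name__ == "__main__":
    t0 = 1_000_000.0
    print("unhardened chain length:", renewal_chain("alice", t0, 10, hardened=False))
    print("hardened chain length:  ", renewal_chain("alice", t0, 10, hardened=True))
```

The type claim is what makes the check enforceable: without a distinguishing claim the authn endpoints cannot tell a short-lived token from a login token once the signature verifies, which is exactly why the renewal chain works in the unhardened branch. Keying credential extraction on a dedicated parameter name rather than `token` is the same separation the PR's rename provides.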
Thanks for the changes.
I can see https://github.com/DSpace/DSpace/pull/2783/files/f9257dad12c97d1aa3daaf9beca35bed76ba98b0..9044daf50eb1b4044b6b4d80ce12b32e0a399712 solves the overlap of the tokens.
I can also see d364ac6 solves the security risk.
I realize Travis is broken for all PRs today, but I've received the build output, and there are no issues.
This has resolved all my feedback.
👍 This looks good to me. I've reviewed the code, and don't have any additional questions/comments. I've also verified that all of @abollini 's prior feedback was addressed (he had asked for more tests which have been added). I've tested this in conjunction with the Angular PR DSpace/dspace-angular#716 and they work together as described
Merging, as this is now at +2 and I've verified that all of @abollini 's prior feedback was addressed. Thanks @KevinVdV and @peter-atmire !
Description
This PR adds support for short lived token generation. The JWTTokenHandler class used to generate our session tokens has been split up into 2 parts:
The difference is that they have different configuration properties. If you have existing configuration that differs from the defaults, you will need to look at the authentication.cfg changes to see the new properties. Furthermore, the "expiration" configuration property has been changed to use milliseconds instead of minutes.
Instructions for Reviewers
If you want to test this PR locally, alter jwt.shortLived.token.expiration in local.cfg and set it to something like 30 seconds (as 2 seconds is very short if you want to test this).
To test this pr: