Request for enforced HTTP authentication (popup) #518

Closed
gitblit opened this issue Aug 12, 2015 · 8 comments
Comments

@gitblit
Collaborator

gitblit commented Aug 12, 2015

Originally reported on Google Code with ID 222

>> What steps will reproduce the problem?
1. In gitblit.properties, set the web.authenticateViewPages to true
2. Point your browser at https://gitblit.<mydomain>
3. Now there is an HTML page requesting me to log in first... but I see that it has
GitBlit version 1.2.1 running; this gives an attacker its first information

>> What is the expected output? What do you see instead?
I want only a popup requesting me for my username/password, before showing anything.
That is, it should respond with a code 401 header and request for (basic) authentication:

HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="My Server"
Content-Length: 0

>> What version of the product are you using? On what operating system?
GitBlit 1.2.1

The absence of this feature is a deal-breaker to have it integrated in our IT environment,
as it does not meet our safety standards.

Reported by laurensvrijnsen on 2013-03-18 09:52:36

@gitblit
Collaborator Author

gitblit commented Aug 12, 2015

I'll give it some thought.

Reported by James.Moger on 2013-03-18 12:09:20

@gitblit
Collaborator Author

gitblit commented Aug 12, 2015

Hi James,

I (and my colleagues) am quite willing to do some coding, so if you could give
me a pointer? I already found the authentication check in GitBlitServer,
and the check of it in UserPage... is that where I should add the following:


if (!authenticated) {
    if (force_auth) {
        send_header_requesting_auth(); // respond 401 + WWW-Authenticate instead of a page; through wicket?
    } else {
        show_page_to_login();
    }
} else {
    // ...
}

I'll create a fork to address this issue then. Best wishes,

- Laurens.

Reported by laurensvrijnsen on 2013-03-18 19:59:10

@gitblit
Collaborator Author

gitblit commented Aug 12, 2015

Are you using GO or WAR?

Reported by James.Moger on 2013-03-19 15:52:55

@gitblit
Collaborator Author

gitblit commented Aug 12, 2015

Hi James,

I am using the GO version. Meanwhile, I found the requested functionality
in the AccessRestrictionFilter::doFilter(...), which is invoked when I go
to https://<myGitblitURL>/git

- Laurens.

Reported by laurensvrijnsen on 2013-03-20 08:34:40

@gitblit
Collaborator Author

gitblit commented Aug 12, 2015

Right.  You want BASIC authentication on the site, while the site currently only does
form-based authentication.

It's not hard to implement basic authentication.  There are two places to do it.  The
traditional place is directly in the web.xml file and you let the servlet container
(Tomcat, Jetty) handle the authentication.  This is not how Gitblit works.  Gitblit
handles its own authentication to eliminate servlet container configuration.

The plan...
You have identified the AccessRestrictionFilter which is used to protect Git access.
You actually want to subclass AuthenticationFilter, its parent.  You will have to
modify the last filter defined in the WEB-INF/web.xml file: wicketFilter.  Your AuthenticationFilter
subclass will be the first filter executed, not wicketFilter, and assuming you authenticate,
it should chain to the wicketFilter.  I don't remember the exact syntax for doing this,
but overall it should not be too difficult.

Reported by James.Moger on 2013-03-20 12:16:18
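A sketch of the filter described above, added here as an example and not Gitblit's own code: it assumes the javax.servlet API, a hypothetical EnforcedBasicAuthFilter class declared ahead of wicketFilter in WEB-INF/web.xml, a stub checkCredentials() standing in for the real user lookup, and the realm name "Gitblit".

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter, declared first in WEB-INF/web.xml so it runs ahead of
// wicketFilter: every request is challenged with 401 until credentials verify,
// so no page (and no version banner) is rendered to an anonymous client.
public class EnforcedBasicAuthFilter implements Filter {

    private static final String REALM = "Gitblit"; // assumed realm name

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String header = request.getHeader("Authorization");
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            String decoded = "";
            try {
                byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
                decoded = new String(raw, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                // not valid base64: fall through and re-challenge
            }
            int colon = decoded.indexOf(':'); // split on the first ':' only; passwords may contain ':'
            if (colon > 0 && checkCredentials(decoded.substring(0, colon), decoded.substring(colon + 1))) {
                chain.doFilter(req, res); // authenticated: continue to wicketFilter
                return;
            }
        }
        // Anonymous or invalid credentials: empty 401 with a Basic challenge,
        // which makes the browser show its username/password popup.
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentLength(0);
    }

    // Placeholder for the real user lookup (e.g. Gitblit's own user service).
    private boolean checkCredentials(String username, String password) {
        return false;
    }
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Basic credentials travel base64-encoded, not encrypted, so this only holds up behind the HTTPS front end the reporter already uses.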

@gitblit
Collaborator Author

gitblit commented Aug 12, 2015

James,

I filed a pull request for the fork created (at https://github.com/Furinzen/gitblit.git).
Thanks for the assistance!

- Laurens.

Reported by laurensenmiriam on 2013-03-22 14:34:38

@gitblit
Collaborator Author

gitblit commented Aug 12, 2015

Reported by James.Moger on 2013-03-26 21:01:57

  • Status changed: Queued
  • Labels added: Milestone-1.3.0

@gitblit
Collaborator Author

gitblit commented Aug 12, 2015

Fix or enhancement released in v1.3.0

Reported by James.Moger on 2013-07-14 16:52:58

  • Status changed: Fixed

@gitblit gitblit closed this as completed Aug 12, 2015
@flaix flaix modified the milestone: 1.3.0 Dec 13, 2016