[Security] anonymous access to configs possible through Direct object reference #150
Comments
Pierre Besson:
I confirm the issue, doing a curl http://localhost:8761/config/master/application-prod.yml lets you get the configuration even though we are not authenticated.
This is strange, even though we do everything explained here about basic auth: https://cloud.spring.io/spring-cloud-config/spring-cloud-config.html#_security and /config/** is covered by our spring security config.
ping @jdubois
abshkd (thread author):
I am going to try vanilla spring boot, see if this issue exists. I do find it hard to believe they would overlook such a thing.

On Mon, Jun 19, 2017 at 8:49 PM, Pierre Besson wrote:
> I confirm the issue, doing a curl http://localhost:8761/config/master/application-prod.yml lets you get the configuration even though we are not authenticated.
> This is strange, even though we do everything explained here about basic auth: https://cloud.spring.io/spring-cloud-config/spring-cloud-config.html#_security and /config/** is covered by our spring security config.
> ping @jdubois
I confirm the issue, and I see why, and it's really awful.

So this is because of line https://github.com/jhipster/jhipster-registry/blob/v3.0.1/src/main/java/io/github/jhipster/registry/config/SecurityConfiguration.java#L61. I think this was done because of refresh issues with the new UI, ping @JulienMrgrd
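The comments above point at a single matcher in the registry's Spring Security configuration as the reason /config/** answers anonymous requests. The following is an added illustration, not the jhipster-registry code and not the content of the linked line 61 (which is not visible on this page): it assumes the defect had the shape of a permitAll rule reaching the config server paths, and shows the rule ordering that defends against it, in the WebSecurityConfigurerAdapter style current in 2017. The class name ConfigServerSecurityExample and the realm name are invented for the example.

```java
// Added example (not jhipster-registry code). Assumption: the problematic line
// was a permitAll matcher that also covered the Spring Cloud Config endpoints.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ConfigServerSecurityExample extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .httpBasic().realmName("config-server") // credentials on every request
        .and()
            .authorizeRequests()
            // Vulnerable shape (assumed, kept only as a comment): a broad permitAll
            // listed first wins, because Spring Security applies antMatchers in
            // declaration order and stops at the first match. With it in place,
            // GET /config/master/application-prod.yml needs no credentials at all:
            //   .antMatchers("/**").permitAll()
            //   .antMatchers("/config/**").authenticated()   // never reached
            //
            // Hardened ordering: the specific, sensitive paths come first and
            // require authentication on the request itself, so a logged-in UI
            // session alone is not enough. This matches the behaviour reported
            // later in this thread (an unauthenticated request is refused).
            .antMatchers("/config/**").authenticated()
            .antMatchers("/api/**").authenticated()
            .antMatchers("/management/health").permitAll()
            .anyRequest().authenticated();
    }
}
```

A quick check after deploying such a change is to request /config/{app}/{profile}/{label} with no Authorization header and confirm the server refuses it, then repeat with valid HTTP Basic credentials and confirm the YAML is returned.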
Julien Dubois:
And thanks a lot @abshkd !!!!
abshkd:
@jdubois Yes, I saw that line too but my confidence is limited to point to any code, sorry for that. I really appreciate the prompt response on this. Thank you!

On Mon, Jun 19, 2017 at 9:59 PM, Julien Dubois wrote:
> And thanks a lot @abshkd !!!!
I'm doing some tests before doing a release, should be out soon.

Is this resolved with tests? Thanks.

@abshkd: it should be resolved in this last release. Can you try and confirm?

Yes, I can confirm. I am given a 404 error even if pre-authenticated, which is as expected. The only way to access is to authenticate at request time. Perfect! Thanks.
Issue description (opening post):
After adding the password field to bootstrap.yml we are still able to access the configuration directly via the config path. For example,
/config/APPNAME/PROFILE/LABEL
allows access to the configuration even though on the portal we are not logged in.