[Security] anonymous access to configs possible through Direct object reference #150
Comments
|
I confirm the issue, doing a |
|
I am going to try vanilla spring boot, see if this issue exists. I do find
it hard to believe they would overlook such a thing.
…On Mon, Jun 19, 2017 at 8:49 PM, Pierre Besson ***@***.***> wrote:
I confirm the issue, doing a curl http://localhost:8761/config/
master/application-prod.yml let's you get the configuration even though
we are not authenticated.
This is strange, even though we do everything explained here about basic
auth: https://cloud.spring.io/spring-cloud-config/spring-
cloud-config.html#_security and /config/** is covered by our spring
security config.
ping @jdubois <https://github.com/jdubois>
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#150 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAvFHOp_SVXmTqOv6OL9CyNuRoa-ECl5ks5sFm5qgaJpZM4N-FZJ>
.
|
|
I confirm the issue, and I see why and it's really awful |
|
So this is because of line https://github.com/jhipster/jhipster-registry/blob/v3.0.1/src/main/java/io/github/jhipster/registry/config/SecurityConfiguration.java#L61 I think this was done because of refresh issues with the new UI, ping @JulienMrgrd
|
|
And thanks a lot @abshkd !!!! |
|
@jdubois Yes, I saw that line too but my confidence is limited to point to
any code, sorry for that. I really appreciate the prompt response on this.
thank you!
…On Mon, Jun 19, 2017 at 9:59 PM, Julien Dubois ***@***.***> wrote:
And thanks a lot @abshkd <https://github.com/abshkd> !!!!
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#150 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAvFHAWlwtQJLJ9YAQnBqM4w-aalok5Sks5sFn65gaJpZM4N-FZJ>
.
|
|
I'm doing some tests before doing a release, should be out soon. |
|
Is this resolved with tests? thanks |
|
@abshkd : it should be resolved in this last release. Can you try and confirm ? |
|
Yes. i can confirm. I am given a 404 error even if pre-authenticated. Which is as expected. Only way to access is to authenticate at request time. perfect! thanks. |
After adding the
passwordfield to bootstrap.yml we are still able to access the configuration directly via the config path.for e.g.
/config/APPNAME/PROFILE/LABELallows access to the configuration even though on the portal we are not logged in.The text was updated successfully, but these errors were encountered: