Authentication Bypass For Endpoints With Anonymous Access
Using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect, given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. The reason for this problem is that using a remember-me cookie will always cause the user in the request context to be populated, even if the cookie is invalid by now. This is usually no problem, except in combination with anonymous access, where anonymous authentication is granted and the request may continue. In such a case, Opencast's security service would just check that a user existed in the request context and assume proper authentication of this user, never checking if it's actually anonymous authentication. This patch adds this additional check, falling back to the anonymous user in case of anonymous authentication.
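The flaw and its fix, as an added Python model rather than Opencast's code: a remember-me filter that populates the context user from the cookie before the cookie is validated, an anonymous filter that grants anonymous authentication where the endpoint permits it, and the pre-patch versus patched user lookup. The filter order, the `username:token` cookie format, the string tags and the sample token are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Callable, Optional

ANONYMOUS_USER = "anonymous"
# Constructed sample data: the only valid remember-me token and its owner.
VALID_TOKENS = {"tok-alice-7f3a": "alice"}


@dataclass
class RequestContext:
    user: Optional[str] = None            # set by the remember-me filter
    authentication: Optional[str] = None  # "REMEMBER_ME" or "ANONYMOUS"


def remember_me_filter(ctx: RequestContext, cookie: Optional[str]) -> None:
    """Assumed cookie format '<username>:<token>' (not Opencast's real format)."""
    if not cookie:
        return
    username, _, token = cookie.partition(":")
    # As the commit describes: the context user is set from the cookie regardless
    # of whether the cookie turns out to be valid.
    ctx.user = username
    if VALID_TOKENS.get(token) == username:
        ctx.authentication = "REMEMBER_ME"


def anonymous_filter(ctx: RequestContext, endpoint_allows_anonymous: bool) -> bool:
    if ctx.authentication is not None:
        return True
    if not endpoint_allows_anonymous:
        return False  # nothing authenticated the request: reject it
    ctx.authentication = "ANONYMOUS"  # anonymous access granted
    return True


def current_user_vulnerable(ctx: RequestContext) -> str:
    # Pre-patch logic: any user present in the context is taken as authenticated.
    return ctx.user or ANONYMOUS_USER


def current_user_fixed(ctx: RequestContext) -> str:
    # Patched logic: anonymous authentication always yields the anonymous
    # user, whatever the remember-me filter left in the context.
    if ctx.authentication == "ANONYMOUS":
        return ANONYMOUS_USER
    return ctx.user or ANONYMOUS_USER


def resolve_user(cookie: Optional[str], endpoint_allows_anonymous: bool,
                 get_user: Callable[[RequestContext], str]) -> Optional[str]:
    """Runs the modelled filter chain; None means the request was rejected."""
    ctx = RequestContext()
    remember_me_filter(ctx, cookie)
    if not anonymous_filter(ctx, endpoint_allows_anonymous):
        return None
    return get_user(ctx)
```

With a forged cookie naming `admin` on an endpoint that allows anonymous access, the pre-patch lookup yields `admin` while the patched lookup yields the anonymous user; a genuine cookie still resolves to its owner under both.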