Prohibit anonymous test execution using the REST API #66
Comments
The teamengine-realm component implements a custom Tomcat Realm for checking credentials from user files in ${TE_BASE}/users; it is configured in the web application Context (META-INF/context.xml).
The teamengine web app is configured to use form-based (login) authentication. It is not possible to declare multiple authentication mechanisms for a single web app in the standard deployment descriptor (web.xml).
Switching to the "Basic" authentication scheme (RFC 2617) over TLS/SSL would be one solution for protecting both the web resources and the test run controller (*/run) endpoints.
However, there is no simple log out mechanism when using the basic authn scheme because the browser will cache credentials and resend them in subsequent requests. There are ways to "trick" some browsers into discarding the credentials, but they are not universal and may not be worth it. So if a user wanted to log in as another user, the cache must be deliberately cleared or the browser restarted.
@rjmartell, I'm fine with your solution. I don't see a big issue with the cache problems. We do want to make the REST API secure using the same user password that the user uses for login through the web interface.
@rjmartell, this issue is very important. Session logs also need to be created to keep consistency with the other running methods and also to be able to generate statistics appropriately. Has this been updated based on the latest authentication related fixes?
@dstenger Yes, let's disable anonymous test execution via REST API please. Users should be authenticated first, before running a test, even when using the REST API.
@keshav-nangare
Following are my findings:

Related to #397
Fixed with #433 PR.
TODO: Update documentation.
Authenticate all agents that submit requests to execute a test suite using the REST API. Perhaps this can be done preemptively using the HTTP "basic" authentication scheme (see RFC 7235) over TLS (i.e. https).