
Prohibit anonymous test execution using the REST API #66

Closed
rjmartell opened this issue Nov 5, 2014 · 13 comments · Fixed by #433

@rjmartell
Contributor

Authenticate all agents that submit requests to execute a test suite using the REST API. Perhaps this can be done preemptively using the HTTP "basic" authentication scheme (see RFC 7235) over TLS (i.e. https).

@rjmartell
Contributor Author

The teamengine-realm component implements a custom Tomcat Realm for checking credentials from user files in ${TE_BASE}/users; it is configured in the web application Context (META-INF/context.xml).

@rjmartell
Contributor Author

The teamengine web app is configured to use form-based (login) authentication. It is not possible to declare multiple authentication mechanisms for a single web app in the standard deployment descriptor (web.xml).

@rjmartell
Contributor Author

Switching to the "Basic" authentication scheme (RFC 2617) over TLS/SSL would be one solution for protecting both the web resources and the test run controller (*/run) endpoints.

@rjmartell
Contributor Author

However, there is no simple log out mechanism when using the basic authn scheme because the browser will cache credentials and resend them in subsequent requests. There are ways to "trick" some browsers into discarding the credentials, but they are not universal and may not be worth it.

So if a user wanted to log in as another user, the cache must be deliberately cleared or the browser restarted.

@bermud
Contributor

bermud commented Jan 7, 2016

@rjmartell, I'm fine with your solution. I don't see a big issue with the cache problems. We do want to make the REST API secure using the same user password that the user uses for login through the web interface.

@bermud
Contributor

bermud commented Jun 20, 2016

@rjmartell, this issue is very important. Session logs also need to be created to keep consistency with the other running methods and also to be able to generate statistics appropriately. Has this been updated based on the latest authentication related fixes?

@dstenger dstenger self-assigned this Oct 30, 2017
@dstenger
Contributor

dstenger commented Nov 3, 2017

@bermud
Should anonymous test execution via REST API be disabled?

The requirement to execute test runs with a registered user via REST API is also covered by 1. of #238.
This issue also includes authentication via Web Browser Interface.

@dstenger dstenger assigned bermud and unassigned keshavnangare Nov 3, 2017
@dstenger dstenger assigned lgoltz and unassigned rjmartell Jul 11, 2018
@dstenger dstenger added this to To do in CITE via automation Jun 27, 2019
@dstenger dstenger moved this from To do to In progress in CITE Jun 27, 2019
@lgoltz lgoltz moved this from In progress to Needs discussion in CITE Jul 31, 2019
@dstenger dstenger assigned ghobona and unassigned bermud Jan 7, 2020
@ghobona
Contributor

ghobona commented Jun 15, 2020

@dstenger Yes, let's disable anonymous test execution via REST API please. Users should be authenticated first, before running a test, even when using the REST API.

@ghobona ghobona removed their assignment Jun 15, 2020
@dstenger
Contributor

@keshav-nangare
Can you please prototype an implementation (separate branch) containing a proposed solution?
Please use basic auth as authentication mechanism.

@dstenger dstenger assigned keshavnangare and unassigned dstenger, lgoltz and ghobona Jun 23, 2020
@dstenger dstenger moved this from Needs discussion to In progress in CITE Jun 23, 2020
@keshavnangare
Contributor

@dstenger @ghobona

Following are my findings:

  • Current authentication mechanism
    Web app - FORM-based

  • Implementing a BASIC authentication mechanism for Web app + REST API

    1. Our existing Realm-based authentication mechanism is used to validate the user's credentials.
    2. The browser will cache the credentials, and they can be cleared after the browser gets restarted.
    3. The LogOut mechanism will not work due to the browser cache.
  • Proposed Solution

    1. Keep the Web app authentication as it is.
    2. Implement Basic authentication for the REST API.
      1. Add a new filter which will be used for URLs having the pattern /rest/*.
      2. If the user does not send credentials in the header, it will prompt asking for credentials. If credentials are sent via the header, validation will be done with the existing Realm-based authentication mechanism, and if validation fails, the prompt gets opened again.
      3. Valid users can access the REST API until the browser gets restarted without being asked for credentials, as the browser will send the cached valid credentials with every request.
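
The filter-based design described in the comment above, written out as an added example (this is not the project's code and not the contents of PR #433): a `javax.servlet.Filter` mapped to `/rest/*` that parses the `Authorization: Basic` header, delegates credential checking to the container Realm configured for the web app via `HttpServletRequest.login()` (Servlet 3.0+), and answers with `401` plus a `WWW-Authenticate` challenge otherwise. The class name, the realm string and the assumption of a Servlet 3.0+ container with a Realm already configured are mine.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not project code: Basic authentication for REST endpoints
 * only, leaving the FORM-based login of the web app untouched. Validation is
 * delegated to the Realm the container already uses for the FORM login.
 */
public class RestBasicAuthFilter implements Filter {

    // Realm name shown in the challenge; the value is an assumption.
    private static final String REALM_NAME = "TEAM Engine REST API";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // A caller that already holds an authenticated session (e.g. from the
        // FORM login) is let through; request.login() would throw otherwise.
        if (request.getUserPrincipal() != null) {
            chain.doFilter(req, resp);
            return;
        }

        String[] creds = parseBasicCredentials(request.getHeader("Authorization"));
        if (creds == null) {
            challenge(response);   // no or malformed credentials: ask for them
            return;
        }
        try {
            // Checks user name and password against the configured Realm.
            request.login(creds[0], creds[1]);
        } catch (ServletException e) {
            challenge(response);   // unknown user or wrong password: ask again
            return;
        }
        chain.doFilter(req, resp);
    }

    /** Returns {user, password} or null when the header is absent or malformed. */
    static String[] parseBasicCredentials(String authHeader) {
        if (authHeader == null || !authHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authHeader.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;           // not valid base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;           // RFC 7617 requires "user:password"
        }
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /** Sends 401 with the Basic challenge so clients know which scheme to use. */
    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate",
                "Basic realm=\"" + REALM_NAME + "\", charset=\"UTF-8\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Override
    public void destroy() { }
}
```

The filter is registered in `web.xml` with a `<filter-mapping>` whose `<url-pattern>` is `/rest/*`, so the FORM login-config for the rest of the application stays as it is. Because the credentials travel in clear text inside the base64 header, the mapping only makes sense on an `https` connector, as the first comment in this issue already notes; the filter never logs the decoded password, and the 401 response is identical for an unknown user and a wrong password so the API does not reveal which accounts exist.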

@ghobona
Contributor

ghobona commented Jul 8, 2020

Related to #397

@keshavnangare
Contributor

Fixed with #433 PR.

@keshavnangare keshavnangare moved this from In progress to To verify in CITE Jul 8, 2020
@dstenger dstenger assigned dstenger and lgoltz and unassigned keshavnangare Aug 5, 2020
@dstenger dstenger added this to the 5.5 milestone Jan 20, 2022
@dstenger
Contributor

TODO: Update documentation.

CITE automation moved this from To verify to Done Mar 24, 2022