auth/status may not work as expected going forward #247

Open
lukas-vlcek opened this issue Jul 1, 2015 · 1 comment

Comments

@lukas-vlcek
Member

The idea behind the auth/status endpoint was to enable integration with the SSO server. However, it seems that the CORS implementation in browsers has changed a bit since then. The problem seems to be that CORS requires clients to set the Origin value to null when doing redirects (302).

Similar situation is described here: https://code.google.com/p/chromium/issues/detail?id=154967

There might be relevant test case here: https://w3c-test.org/cors/redirect-origin.htm

Demo

Let's use the following test web page (sso-test.html):

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title>SSO test</title>
    <script type="text/javascript" src="http://code.jquery.com/jquery-2.1.1.min.js"></script>
  </head>
  <body>
      <script type="text/javascript">
        $( document ).ready(function() {
          // Credentialed cross-origin GET against auth/status; the browser
          // follows the SSO redirects and applies the CORS check on each hop.
          $.ajax({
            type: "GET",
            url: 'http://<host-A>/v2/rest/auth/status?roles=a',
            crossDomain: true,
            xhrFields:  { withCredentials: true },
            success: function(results) {
              console.log(results);
            }
          });
        });
      </script>
  </body>
</html>

Test 1

The use case where the user is not authorized via SSO is as follows:

  1. User accesses auth/status

Request:

GET /v2/rest/auth/status?roles=a HTTP/1.1
Host: <host-A>:8080
Connection: keep-alive
Cache-Control: max-age=0
Accept: */*
Origin: http://<host-A>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Referer: http://<host-A>/~rysiek/stats.jboss.org/sso-test.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,cs;q=0.6
Cookie: JSESSIONID=l13TvFVX1QVhuNxZeZxHYaq6

Response:

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Access-Control-Allow-Origin: http://<host-A>
Access-Control-Allow-Credentials: true
Set-Cookie: JSESSIONID=embUaBfbQVwq9Mpito06iS4N; Path=/
Location: https://sso-dev.jboss.org/login?service=http%3A%2F%2F<host-A>%3A8080%2Fv2%2Frest%2Fauth%2Fstatus%3Froles%3Da&gateway=true
Content-Length: 0
Date: Wed, 01 Jul 2015 15:15:37 GMT

  2. Browser is redirected to: https://sso-dev.jboss.org/login?service=http%3A%2F%2F<host-A>%3A8080%2Fv2%2Frest%2Fauth%2Fstatus%3Froles%3Da&gateway=true

Request (note Origin is set to null):

GET /login?service=http%3A%2F%2F<host-A>%3A8080%2Fv2%2Frest%2Fauth%2Fstatus%3Froles%3Da&gateway=true HTTP/1.1
Host: sso-dev.jboss.org
Connection: keep-alive
Accept: */*
Origin: null
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Referer: http://<host-A>/~rysiek/stats.jboss.org/sso-test.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,cs;q=0.6
Cookie: [... bunch of cookies here ...]

Response:

HTTP/1.1 302 Moved Temporarily
Date: Wed, 01 Jul 2015 15:15:37 GMT
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Location: http://<host-A>:8080/v2/rest/auth/status?roles=a
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

  3. Browser is redirected to: http://<host-A>:8080/v2/rest/auth/status?roles=a

Request:

GET /v2/rest/auth/status?roles=a HTTP/1.1
Host: <host-A>:8080
Connection: keep-alive
Accept: */*
Origin: null
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Referer: http://<host-A>/~rysiek/stats.jboss.org/sso-test.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,cs;q=0.6
Cookie: JSESSIONID=embUaBfbQVwq9Mpito06iS4N

Response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Access-Control-Allow-Origin: null
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 01 Jul 2015 15:15:37 GMT

Getting error here:

XMLHttpRequest cannot load http://<host-A>:8080/v2/rest/auth/status?roles=a. Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is ''. It must be 'true' to allow credentials.

Test 2

Interestingly, the use case where the user logs in to SSO works to some extent. Specifically, the security token is probably created correctly on the Searchisko side, but handling of the auth/status request flow ends with a CORS error on the browser side anyway.

  1. User logs into SSO
  2. User accesses auth/status

Request:

GET /v2/rest/auth/status?roles=a HTTP/1.1
Host: <host-A>:8080
Connection: keep-alive
Cache-Control: max-age=0
Accept: */*
Origin: http://78.11.174.64
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Referer: http://<host-A>/sso-test.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,cs;q=0.6
Cookie: JSESSIONID=l13TvFVX1QVhuNxZeZxHYaq6

Response:

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Access-Control-Allow-Origin: http://<host-A>
Access-Control-Allow-Credentials: true
Location: https://sso-dev.jboss.org/login?service=http%3A%2F%2F<host-A>%3A8080%2Fv2%2Frest%2Fauth%2Fstatus%3Froles%3Da&gateway=true
Content-Length: 0
Date: Wed, 01 Jul 2015 14:46:07 GMT

  3. Browser is redirected to: https://sso-dev.jboss.org/login?service=http%3A%2F%2F<host-A>%3A8080%2Fv2%2Frest%2Fauth%2Fstatus%3Froles%3Da&gateway=true

Request (note Origin is set to null):

GET /login?service=http%3A%2F%2F<host-A>%3A8080%2Fv2%2Frest%2Fauth%2Fstatus%3Froles%3Da&gateway=true HTTP/1.1
Host: sso-dev.jboss.org
Connection: keep-alive
Accept: */*
Origin: null
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Referer: http://78.11.174.64/~rysiek/stats.jboss.org/sso-test.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,cs;q=0.6
Cookie: [... bunch of cookies here ...]

Response:

HTTP/1.1 302 Moved Temporarily
Date: Wed, 01 Jul 2015 14:46:07 GMT
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Location: http://<host-A>:8080/v2/rest/auth/status?roles=a&ticket=ST-634-HKcLnzZM0ltBVHJVbG2S-jboss-org-sso
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

  4. Browser is redirected to: http://<host-A>:8080/v2/rest/auth/status?roles=a&ticket=ST-634-HKcLnzZM0ltBVHJVbG2S-jboss-org-sso

Request:

GET /v2/rest/auth/status?roles=a&ticket=ST-634-HKcLnzZM0ltBVHJVbG2S-jboss-org-sso HTTP/1.1
Host: <host-A>:8080
Connection: keep-alive
Accept: */*
Origin: null
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Referer: http://<host-A>/~rysiek/stats.jboss.org/sso-test.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,cs;q=0.6
Cookie: JSESSIONID=l13TvFVX1QVhuNxZeZxHYaq6

Response:

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Access-Control-Allow-Origin: null
Location: http://<host-A>:8080/v2/rest/auth/status?roles=a
Content-Length: 0
Date: Wed, 01 Jul 2015 14:46:07 GMT

Getting error here:

XMLHttpRequest cannot load http://<host-A>:8080/v2/rest/auth/status?roles=a&ticket=ST-634-HKcLnzZM0ltBVHJVbG2S-jboss-org-sso. Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is ''. It must be 'true' to allow credentials.

Conclusion

We probably need to rethink/redesign SSO integration.
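The following is an added example, not code from this issue or from the Searchisko project. It models the CORS response check a browser applies on every hop of a credentialed cross-origin XHR (the check that produces the error quoted above) and replays the three Test 1 responses through it, so the hop that fails and the reason become visible without a browser. It also shows the server-side counterpart: building the CORS headers for a credentialed endpoint from an explicit allow-list that refuses the `null` origin, which the second hop above echoes back. Assumptions: `host-a.example` stands in for `<host-A>`; the redirect rule is simplified to "Origin becomes null once a redirect leaves the current origin", as the captured requests show; all function names are made up.

```javascript
// Added example, not code from the Searchisko issue or project.
// Assumptions: 'host-a.example' stands in for <host-A>; the redirect rule
// is simplified to "Origin becomes null once a redirect leaves the current
// origin", as the captured requests show; all function names are made up.

// Decide whether one response passes the CORS check for the given
// request origin ('null' for a tainted origin) and credentials flag.
function corsCheck(requestOrigin, withCredentials, headers) {
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];
  if (acao === undefined) {
    return { ok: false, reason: "No 'Access-Control-Allow-Origin' header is present." };
  }
  if (acao === '*') {
    // A wildcard is never acceptable together with credentials.
    return withCredentials
      ? { ok: false, reason: "'Access-Control-Allow-Origin' must not be '*' when credentials are sent." }
      : { ok: true, reason: '' };
  }
  if (acao !== requestOrigin) {
    return { ok: false, reason: `Origin '${requestOrigin}' is not allowed by 'Access-Control-Allow-Origin: ${acao}'.` };
  }
  if (withCredentials && acac !== 'true') {
    // This is the branch Chrome reported in the issue.
    const shown = acac === undefined ? '' : acac;
    return { ok: false, reason: `Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is '${shown}'. It must be 'true' to allow credentials.` };
  }
  return { ok: true, reason: '' };
}

// Replay a redirect chain. Each hop is the URL the browser fetched plus the
// response status and (lower-cased) CORS headers it got back.
function simulateCredentialedXhr(pageOrigin, hops) {
  let origin = pageOrigin;
  for (let i = 0; i < hops.length; i++) {
    const hop = hops[i];
    const check = corsCheck(origin, true, hop.headers);
    if (!check.ok) return { blockedAt: i, origin, reason: check.reason };
    const next = hops[i + 1];
    if (hop.status >= 300 && hop.status < 400 && next &&
        new URL(next.url).origin !== new URL(hop.url).origin) {
      origin = 'null'; // a cross-origin redirect taints the request origin
    }
  }
  return { blockedAt: -1, origin, reason: '' };
}

// Test 1 from the issue, with host-a.example in place of <host-A> (constructed data).
const TEST1_HOPS = [
  { url: 'http://host-a.example:8080/v2/rest/auth/status?roles=a', status: 302,
    headers: { 'access-control-allow-origin': 'http://host-a.example',
               'access-control-allow-credentials': 'true' } },
  { url: 'https://sso-dev.jboss.org/login?service=http%3A%2F%2Fhost-a.example%3A8080%2Fv2%2Frest%2Fauth%2Fstatus%3Froles%3Da&gateway=true',
    status: 302,
    headers: { 'access-control-allow-origin': 'null',
               'access-control-allow-credentials': 'true' } },
  { url: 'http://host-a.example:8080/v2/rest/auth/status?roles=a', status: 200,
    headers: { 'access-control-allow-origin': 'null' } },
];

// Server-side counterpart: build the CORS headers for a credentialed
// endpoint from an explicit allow-list. 'null' is refused on purpose:
// echoing it back (as the second hop above does) lets any sandboxed frame,
// local file or redirected request present that origin.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (requestOrigin === 'null' || !allowedOrigins.has(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

const result = simulateCredentialedXhr('http://host-a.example', TEST1_HOPS);
console.log(`blocked at hop ${result.blockedAt} (origin ${result.origin}): ${result.reason}`);
console.log(corsHeadersFor('null', new Set(['http://host-a.example'])));
```

Run with `node`, the replay passes the first two hops and stops at the third, where `Access-Control-Allow-Origin: null` matches the tainted origin but `Access-Control-Allow-Credentials` is missing, which is exactly the message Chrome printed. Note that the second hop only passes because the SSO server reflects `null` with credentials enabled; `corsHeadersFor` shows the stricter policy of treating `null` as not allow-listed.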

@lkrzyzanek
Member

Here is a discussion about this design: https://code.google.com/p/chromium/issues/detail?id=154967
