XrdHttpExtReq should expose protocol used

[bbockelm]

In my external handler, I want to refuse certain actions unless they were done via HTTPS.

However, there's no way to determine whether the current request came in via HTTP or HTTPS. Can we add this as a field to the request?

[xrootd-dev]

Hi Brian, uhm, can't you check the DN ? f

…

On 12.11.17 10:38, Brian Bockelman wrote: In my external handler, I want to refuse certain actions unless they were done via HTTPS. However, there's no way to determine whether the current request came in via HTTP or HTTPS. Can we add this as a field to the request? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#619>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AD7Yjm5I6nwPsFo_u-CrAActXyRWu4Urks5s1rypgaJpZM4Qa0X3>. ------------------------------------------------------------------------ Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1

[bbockelm]

It's not a safe assumption that any DN is present, especially as we start to transition away from client certificates...

[ffurano]

Ok. Would it be fine for you to use SecEntity.prot and check for "http" or "https" into it ?

Please be aware that one can always use the self-redirection https->http

[bbockelm]

Yes, filling in SecEntity sounds like a very good idea.

I'm doing this to avoid:

• Using bearer tokens when working over HTTP (inherently insecure due to trivial MITM issues, particularly if we want to do this with write-based workflows).
• Avoid inadvertent "downgrades" from HTTPS to HTTP.