Michael Pasternak has uploaded a new change for review. Change subject: restapi: potential abuse of api session authentication mechanism #1007444 ......................................................................
restapi: potential abuse of api session authentication mechanism #1007444 Change-Id: Ib85c38dea961b252853bcae48912aa40a4ff7e77 Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1007444 Signed-off-by: Michael pasternak <mpast...@redhat.com> --- M backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java 1 file changed, 6 insertions(+), 4 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/44/19244/1
diff --git a/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java b/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
index 011c315..119ef03 100644
--- a/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
+++ b/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
@@ -92,7 +92,6 @@
 boolean successful = false;
 HttpHeaders headers = request.getHttpHeaders();
 boolean preferPersistentAuth = checkPersistentAuthentication(headers);
- boolean hasAuthorizationHeader = checkAuthorizationHeader(headers);
 Integer customHttpSessionTtl = getCustomHttpSessionTtl(headers);
 // Get the current session
@@ -100,14 +99,17 @@
 // is successful
 httpSession = getCurrentSession(false);
- // If the session isn't new and doesn't carry authorization header, we validate it
- if (validator != null && httpSession != null && !hasAuthorizationHeader) {
+ // If preferPersistentAuth and the session is alive we validate it
+ // (regardless of authorization-header existence)
+ if (validator != null && preferPersistentAuth && httpSession != null) {
 successful = executeSessionValidation(httpSession, preferPersistentAuth);
 } else {
 // If the session isn't new but carries authorization header, we invalidate it first
 if (validator != null && httpSession != null) {
 httpSession.invalidate();
- httpSession = getCurrentSession(true);
+ if (preferPersistentAuth) {
+ httpSession = getCurrentSession(true);
+ }
 }
 // Authenticate the session
-- To view, visit http://gerrit.ovirt.org/19244 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ib85c38dea961b252853bcae48912aa40a4ff7e77 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Michael Pasternak <mpast...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
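Review bot: The new nested `if (preferPersistentAuth)` around `httpSession = getCurrentSession(true);` is unreachable: the else branch is entered only when `validator != null && preferPersistentAuth && httpSession != null` is false, and the inner `if (validator != null && httpSession != null)` then leaves preferPersistentAuth == false as the only possibility, so after `httpSession.invalidate()` a fresh session is never obtained. Before this change the invalidated session was always replaced; now `httpSession` keeps pointing at the invalidated object, and what the code after `// Authenticate the session` (outside the hunk, as is the rest of the enclosing method) does with it should be checked — either restore an unconditional `httpSession = getCurrentSession(true);` if a live session is still needed there, or drop the dead block and set `httpSession = null;` so nothing can touch the invalidated one. The comment `// If the session isn't new but carries authorization header, we invalidate it first` no longer describes the condition; `// Not using persistent auth: discard any existing session so this request must carry its own credentials` matches the new logic. It would also help to state in the comment above the first branch that when persistent auth is requested and a live session exists, credentials in an Authorization header on the same request are not examined at all, so a reader can confirm that letting the session cookie take precedence over presented credentials is intended.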