Michael Pasternak has uploaded a new change for review. Change subject: restapi: potential abuse of api session authentication mechanism #1007444 ......................................................................
restapi: potential abuse of api session authentication mechanism #1007444
Change-Id: Ib85c38dea961b252853bcae48912aa40a4ff7e77
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1007444
Signed-off-by: Michael pasternak <mpast...@redhat.com>
---
M backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
1 file changed, 6 insertions(+), 4 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/45/19245/1
diff --git a/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java b/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
index e00909b..f8345ff 100644
--- a/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
+++ b/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
@@ -89,7 +89,6 @@
 boolean successful = false;
 HttpHeaders headers = request.getHttpHeaders();
 boolean preferPersistentAuth = checkPersistentAuthentication(headers);
- boolean hasAuthorizationHeader = checkAuthorizationHeader(headers);
 Integer customHttpSessionTtl = getCustomHttpSessionTtl(headers);
 // Get the current session
@@ -97,14 +96,17 @@
 // is successful
 httpSession = getCurrentSession(false);
- // If the session isn't new and doesn't carry authorization header, we validate it
- if (validator != null && httpSession != null && !hasAuthorizationHeader) {
+ // If preferPersistentAuth and the session is alive we validate it
+ // (regardless of authorization-header existence)
+ if (validator != null && preferPersistentAuth && httpSession != null) {
 successful = executeSessionValidation(httpSession, preferPersistentAuth);
 } else {
 // If the session isn't new but carries authorization header, we invalidate it first
 if (validator != null && httpSession != null) {
 httpSession.invalidate();
- httpSession = getCurrentSession(true);
+ if (preferPersistentAuth) {
+ httpSession = getCurrentSession(true);
+ }
 }
 // Authenticate the session
-- 
To view, visit http://gerrit.ovirt.org/19245
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib85c38dea961b252853bcae48912aa40a4ff7e77
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: ovirt-engine-3.3.0
Gerrit-Owner: Michael Pasternak <mpast...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
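Review bot: In the non-persistent path the new `if (preferPersistentAuth)` guard leaves `httpSession` pointing at the session that was just invalidated, so any use of it after `// Authenticate the session` (the rest of the method is outside this hunk, e.g. applying `customHttpSessionTtl` or storing the authenticated principal) would presumably hit `IllegalStateException` from the servlet container; replacing the three added lines with `httpSession = preferPersistentAuth ? getCurrentSession(true) : null;` makes the session-less case explicit and lets the later code null-check it. The unchanged comment `// If the session isn't new but carries authorization header, we invalidate it first` no longer describes its branch, which is now reached whenever persistent auth is not requested (or no validator is configured) regardless of the Authorization header; suggest `// No persistent auth requested (or no validator): drop any existing session so it cannot be reused without credentials`. The validate branch now calls `executeSessionValidation` even when the request also carries an Authorization header, so a request presenting both a live session cookie and credentials for a different principal is apparently resolved in favour of the session; if that precedence is intended it deserves a comment here, and if not the header should still force re-authentication. The enclosing method begins before this hunk and continues after it.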