Alon Bar-Lev has posted comments on this change. Change subject: aaa : Add engine sso ......................................................................
Patch Set 59: (2 comments) https://gerrit.ovirt.org/#/c/36119/59/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/servlets/SSOServiceInteractiveServlet.java File backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/servlets/SSOServiceInteractiveServlet.java: Line 49: setRequestId(request, response); Line 50: } Line 51: public String getName() { Line 52: return "request-id"; Line 53: } > We also need it for Welcome page to extract the current user who is logged better you comment the document so we can plan first... this won't be secure... as every site can obtain sso token this way. maybe the login is insecure as well... damn... if you already login then you obtain the sso token based on your request id. local solution for welcome is to obtain the user entity / name. but we have more severe issue. back to drawing board. we may need the batch channel to be authenticated to avoid leak of sso tokens to untrusted parties. Line 54: }, Line 55: Switch() { Line 56: public void execute(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { Line 57: switchUser(request, response); Line 116: } Line 117: Line 118: private static void login(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { Line 119: log.debug("Entered login queryString: {}", request.getQueryString()); Line 120: if (StringUtils.isEmpty(request.getParameter(SSOUtils.POST_COMMAND_URL))) { > I thought error url was optional, are we enforcing error url to be mandator optional - yes, but we should get it and default to config, no? Line 121: throw new RuntimeException("No post command url found in request."); Line 122: } Line 123: Line 124: if (!request.getParameterMap().isEmpty()) { -- To view, visit https://gerrit.ovirt.org/36119 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I4894fc12653027271b6abd4dd5313b10593703fa Gerrit-PatchSet: 59 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Ravi Nori <rn...@redhat.com> Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com> Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Oved Ourfali <oourf...@redhat.com> Gerrit-Reviewer: Ravi Nori <rn...@redhat.com> Gerrit-Reviewer: automat...@ovirt.org Gerrit-HasComments: Yes _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
