Fixed: Security issue in Token Based Authentication
(OFBIZ-10206)
The version I committed so far in OFBIZ-9833 has a small security issue.
See the Jira description for all details
To test, I have attached an OFBIZ-10206-external-server-test-example.patch to
the Jira.
This removes the external-server-query property, which is now useless.
In ContextFilter the getHeader (wrapper) now uses an autoLoginCookie to get
the userLoginId passed in the JWT instead of externalServerUserLogin parameter.
A sourceServerWebappName parameter must be passed from the client request to
allow reading the autoLoginCookie.
This userLoginId is then retrieved on the target server from the JWT in the
externalServerLoginCheck, which is simplified.
In LoginWorker:
getAutoLoginCookieName() now has 2 versions, to allow passing a webappname.
A new autoLogoutFromAllBackendSessions() method has been added but is for now
commented out. Uncommenting it will be submitted as a patch in OFBIZ-4959.
Thanks: Leila Mekika for reporting the security issue directly to me.