Authorization Header is ignored when cookie is present

Description

  1. Used netconf-5.0.3, which ships the aaa 0.17.6 release.

  2. Issued a GET to netconf-topology as follows:

curl -v --location 'http://172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf' --user 'admin:admin'
*   Trying 172.17.0.2...
* TCP_NODELAY set
* Connected to 172.17.0.2 (172.17.0.2) port 8181 (#0)
* Server auth using Basic with user 'admin'
> GET /rests/data/network-topology:network-topology/topology=topology-netconf HTTP/1.1
> Host: 172.17.0.2:8181
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Set-Cookie: JSESSIONID=node018vko67sr5ocytgqohuqzb11z0.node0; Path=/rests; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Set-Cookie: rememberMe=deleteMe; Path=/rests; Max-Age=0; Expires=Mon, 20-Mar-2023 04:55:46 GMT; SameSite=lax
< ETag: "2013-10-21-topology"
< Last-Modified: 2023-Mar-21 04:55:46
< Content-Type: application/yang-data+json
< Content-Length: 66
<
* Connection #0 to host 172.17.0.2 left intact
{"network-topology:topology":[{"topology-id":"topology-netconf"}]}

 

  3. In the following request, used the same session cookie with a wrong username/password.

curl -v --location 'http://172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf' --header 'Cookie: JSESSIONID=node018vko67sr5ocytgqohuqzb11z0.node0' --user 'admin23:56789'
*   Trying 172.17.0.2...
* TCP_NODELAY set
* Connected to 172.17.0.2 (172.17.0.2) port 8181 (#0)
* Server auth using Basic with user 'admin23'
> GET /rests/data/network-topology:network-topology/topology=topology-netconf HTTP/1.1
> Host: 172.17.0.2:8181
> Authorization: Basic YWRtaW4yMzo1Njc4OQ==
> User-Agent: curl/7.58.0
> Accept: */*
> Cookie: JSESSIONID=node018vko67sr5ocytgqohuqzb11z0.node0
>
< HTTP/1.1 200 OK
< ETag: "2013-10-21-topology"
< Last-Modified: 2023-Mar-21 05:06:10
< Content-Type: application/yang-data+json
< Content-Length: 66
<
* Connection #0 to host 172.17.0.2 left intact
{"network-topology:topology":[{"topology-id":"topology-netconf"}]}

 

The GET response was returned. The authorization information was ignored.

 

The same issue occurs in earlier versions of AAA also.
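The precedence question this report raises, shown as an added illustration that is not OpenDaylight or Apache Shiro code: a minimal request authenticator with the observed session-first policy beside a stricter one that also verifies any credentials the client presents. The user store and session table are constructed sample data; the Basic values and JSESSIONID are the ones from the requests above.

```python
import base64
import hmac
from typing import Optional

# Constructed sample data: one account and the session the server issued to
# "admin" after the successful Basic login in the report's first request.
USERS = {"admin": "admin"}
SESSIONS = {"node018vko67sr5ocytgqohuqzb11z0.node0": "admin"}  # JSESSIONID -> principal


def parse_basic(header: Optional[str]) -> Optional[tuple]:
    """Decode 'Basic <base64>' into (user, password); None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def parse_cookies(header: Optional[str]) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}; fragments without '=' are dropped."""
    pairs = (part.strip().partition("=") for part in (header or "").split(";"))
    return {name: value for name, sep, value in pairs if sep}


def authenticate(headers: dict, verify_presented_credentials: bool) -> int:
    """Return the HTTP status a request gets under one of two policies.

    False reproduces the reported behaviour: a valid session cookie suffices and the
    Authorization header is never examined.  True always verifies presented
    credentials and requires them to belong to the session's principal.
    """
    session_user = SESSIONS.get(parse_cookies(headers.get("Cookie")).get("JSESSIONID", ""))
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 200 if session_user is not None else 401
    if session_user is not None and not verify_presented_credentials:
        return 200                      # cookie wins, header ignored (observed behaviour)
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401                      # bad credentials
    if session_user is not None and session_user != user:
        return 401                      # header and cookie name different principals
    return 200
```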

 

 

 

Environment

None

Activity


Venkatrangan Govindarajan March 28, 2023 at 6:58 AM

 

 

There is definitely a regression here.

Test with Netconf-4.0.2 (aaa-0.16.3)

First, success!

curl --location 'http://172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf' \
  --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
  --header 'Cookie: JSESSIONID=node0scnxu4aqszbihc9p3ez72zlb3.id.node0'

 

Used the same cookie and modified the authorization header...

curl --location 'http://172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf' \
  --header 'Authorization: Basic YWRtaW44ODphZG1pbg==' \
  --header 'Cookie: JSESSIONID=node0scnxu4aqszbihc9p3ez72zlb3.id.node0'

But even this behavior is not consistent: when the request is repeated, the wrong authorization header is sometimes allowed!

 

 

Test with netconf-5.0.4 (aaa-0.17.7)

 

Success trial:

curl --location 'http://172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf' \
  --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
  --header 'Cookie: JSESSIONID=node0lprudepcks8ck1w4nv5uiqlm0.node0'

Changed the authorization header:

curl --location 'http://172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf' \
  --header 'Authorization: Basic YWRtaW44ODphZG1pbg==' \
  --header 'Cookie: JSESSIONID=node0lprudepcks8ck1w4nv5uiqlm0.node0'

Still it succeeded.

 

There is an inconsistency here. Also, not all requests are handed to the realms for validation. We need to check the Shiro settings and ensure the behavior is the same.

 

Robert Varga March 27, 2023 at 7:59 AM

I do not believe this is an issue: the session cookie is given out after authentication – i.e. as long as the correct cookie is provided, there is no need for additional authentication.

Ivan Hraško March 21, 2023 at 9:28 AM

Can you cite any RFC which claims this is incorrect behaviour?

Venkatrangan Govindarajan March 21, 2023 at 5:09 AM

Solution: As an immediate fix for scenarios that do not require a cookie, the cookies can be disabled.

But the reason why Apache Shiro was not handing over the request to the ODL Auth realm needs some investigation.


Created March 21, 2023 at 5:07 AM
Updated April 17, 2023 at 7:42 AM