[AAA-13] ClaimAuthFilter should only process requests from trusted HTTP proxy - OpenDaylight JIRA

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Resolution: Done
Affects Version/s: None
Fix Version/s: None
Component/s: General
Labels:
None
Environment:

Operating System: All
Platform: All

External issue ID:
1964

Description

ClaimAuthFilter uses metadata provided in the request (through either HTTP or AJP protocols) and accepts this metadata as validated authetication. It is easy to forge this metadata. The metadata is provided by an HTTP proxy (i.e. Apache performing the authentication and identity lookup). Therefore it is essential that the servlets only accept connections from the trusted HTTP proxy and no other clients. We need to define a configuration option that identifies what the trusted ports are and enforce the use of those ports by ignoring any request whose local port is not in the list of trusted ports.

The configuration of the trusted ports is part of the deployment steps.

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: John Dennis

Reporter:: John Dennis

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 18/Sep/14 11:56 PM

Updated:: 21/Mar/19 11:56 AM

Resolved:: 25/Sep/14 4:52 PM