aaa / AAA-256

Authorization Header is ignored when cookie is present


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Medium
    • General

      1. Used netconf-5.0.3, which ships the aaa (0.17.6) release.
      2. Issued a GET to netconf-topology as follows:

      curl -v --location 'http://172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf'   --user 'admin:admin'
      *   Trying 172.17.0.2...
      * TCP_NODELAY set
      * Connected to 172.17.0.2 (172.17.0.2) port 8181 (#0)
      * Server auth using Basic with user 'admin'
      > GET /rests/data/network-topology:network-topology/topology=topology-netconf HTTP/1.1
      > Host: 172.17.0.2:8181
      > Authorization: Basic YWRtaW46YWRtaW4=
      > User-Agent: curl/7.58.0
      > Accept: */*
      > 
      < HTTP/1.1 200 OK
      < Set-Cookie: JSESSIONID=node018vko67sr5ocytgqohuqzb11z0.node0; Path=/rests; HttpOnly
      < Expires: Thu, 01 Jan 1970 00:00:00 GMT
      < Set-Cookie: rememberMe=deleteMe; Path=/rests; Max-Age=0; Expires=Mon, 20-Mar-2023 04:55:46 GMT; SameSite=lax
      < ETag: "2013-10-21-topology"
      < Last-Modified: 2023-Mar-21 04:55:46
      < Content-Type: application/yang-data+json
      < Content-Length: 66
      < 
      * Connection #0 to host 172.17.0.2 left intact
      {"network-topology:topology":[{"topology-id":"topology-netconf"}]} 

      3. In the following request, used the same session cookie with a wrong username/password:

       curl -v --location 'http://172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf'  --header 'Cookie: JSESSIONID=node018vko67sr5ocytgqohuqzb11z0.node0' --user 'admin23:56789'
      *   Trying 172.17.0.2...
      * TCP_NODELAY set
      * Connected to 172.17.0.2 (172.17.0.2) port 8181 (#0)
      * Server auth using Basic with user 'admin23'
      > GET /rests/data/network-topology:network-topology/topology=topology-netconf HTTP/1.1
      > Host: 172.17.0.2:8181
      > Authorization: Basic YWRtaW4yMzo1Njc4OQ==
      > User-Agent: curl/7.58.0
      > Accept: */*
      > Cookie: JSESSIONID=node018vko67sr5ocytgqohuqzb11z0.node0
      > 
      < HTTP/1.1 200 OK
      < ETag: "2013-10-21-topology"
      < Last-Modified: 2023-Mar-21 05:06:10
      < Content-Type: application/yang-data+json
      < Content-Length: 66
      < 
      * Connection #0 to host 172.17.0.2 left intact
      {"network-topology:topology":[{"topology-id":"topology-netconf"}]} 

      The GET response was returned. The authorization information was ignored. 

      The same issue occurs in earlier versions of AAA also.
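The precedence problem the two transcripts show, modelled as an added illustration (this is not OpenDaylight AAA code; the user table, session table and both authenticate() functions are hypothetical). The request headers are the ones captured in the curl output above. The first function reproduces the observed behaviour: a valid JSESSIONID short-circuits authentication and the Authorization header is never examined. The second applies the precedence a practitioner would expect: explicit credentials, when present, are always verified and must name the same principal as any session presented, so the second request gets a 401 instead of the topology.

```python
"""Session-first vs credentials-first authentication precedence.

Added example, not the AAA project's own filter code. USERS, SESSIONS and
the two authenticate_* functions are hypothetical; REQUEST_1 and REQUEST_2
are the header sets from the curl transcripts in the report.
"""
import base64
import hmac

# Hypothetical credential store and session store (constructed for the example).
USERS = {"admin": "admin"}
SESSIONS = {"node018vko67sr5ocytgqohuqzb11z0.node0": "admin"}


def parse_basic(value):
    """Return (user, password) from a 'Basic <b64>' header value, or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def parse_cookies(value):
    """Parse a Cookie header into a dict (minimal, enough for JSESSIONID)."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def verify_password(user, password):
    """Constant-time comparison against the (hypothetical) user table."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


def session_principal(headers):
    """Principal bound to the JSESSIONID cookie, or None if absent/unknown."""
    cookies = parse_cookies(headers.get("Cookie", ""))
    return SESSIONS.get(cookies.get("JSESSIONID"))


def authenticate_session_first(headers):
    """Behaviour seen in the report: a valid session cookie is accepted before
    the Authorization header is looked at, so wrong credentials still get 200."""
    principal = session_principal(headers)
    if principal is not None:
        return 200, principal
    creds = parse_basic(headers.get("Authorization", ""))
    if creds and verify_password(*creds):
        return 200, creds[0]
    return 401, None


def authenticate_credentials_first(headers):
    """Hardened precedence: if the client sends Authorization it is verified
    every time and must agree with any session presented; only a request
    without Authorization may rely on the cookie."""
    principal = session_principal(headers)
    auth = headers.get("Authorization")
    if auth is not None:
        creds = parse_basic(auth)
        if not creds or not verify_password(*creds):
            return 401, None  # bad credentials rejected even with a good cookie
        if principal is not None and principal != creds[0]:
            return 401, None  # cookie and header name different users
        return 200, creds[0]
    if principal is not None:
        return 200, principal
    return 401, None


# Header sets copied from the two curl transcripts in the report.
REQUEST_1 = {"Authorization": "Basic YWRtaW46YWRtaW4="}
REQUEST_2 = {
    "Authorization": "Basic YWRtaW4yMzo1Njc4OQ==",
    "Cookie": "JSESSIONID=node018vko67sr5ocytgqohuqzb11z0.node0",
}

if __name__ == "__main__":
    for label, fn in (("session-first", authenticate_session_first),
                      ("credentials-first", authenticate_credentials_first)):
        print(label, fn(REQUEST_1), fn(REQUEST_2))
```

A stricter variant would refuse any request that carries both a session cookie and an Authorization header, which removes the ambiguity entirely at the cost of breaking clients that send both; either choice is defensible as long as the explicit credentials are never silently ignored.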

            gvrangan Venkatrangan Govindarajan
            Votes: 0
            Watchers: 3