[AAA-13] ClaimAuthFilter should only process requests from trusted HTTP proxy

| Created: | 18/Sep/14 |
| Updated: | 21/Mar/19 |
| Resolved: | 25/Sep/14 |
| Status: | Resolved |
| Project: | aaa |
| Component/s: | General |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug |
| Reporter: | John Dennis |
| Assignee: | John Dennis |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Operating System: All |
| External issue ID: | 1964 |
| Description |

ClaimAuthFilter uses metadata provided in the request (through either HTTP or AJP protocols) and accepts this metadata as validated authentication. It is easy to forge this metadata. The metadata is provided by an HTTP proxy (i.e. Apache performing the authentication and identity lookup). Therefore it is essential that the servlets only accept connections from the trusted HTTP proxy and no other clients. We need to define a configuration option that identifies what the trusted ports are and enforce the use of those ports by ignoring any request whose local port is not in the list of trusted ports. The configuration of the trusted ports is part of the deployment steps.
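The port-based enforcement described above, written out as a standalone servlet filter. This is an added illustration, not the project's ClaimAuthFilter or the code in the referenced check-in; the filter class name, the `trustedPorts` init-parameter name and its comma-separated format are assumptions made for the example. It uses only the standard `javax.servlet` API (`HttpServletRequest.getLocalPort()`), and it fails closed: with no configured ports, or a malformed list, startup fails instead of silently trusting every listener.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical example filter (not the project's ClaimAuthFilter). It refuses to let
 * proxy-supplied identity metadata reach downstream filters unless the request arrived
 * on one of the local ports reserved for the authenticating HTTP proxy.
 */
public class TrustedProxyPortFilter implements Filter {

    /** Init-param name is an assumption for this example; value e.g. "8282,8283". */
    static final String TRUSTED_PORTS_PARAM = "trustedPorts";

    private Set<Integer> trustedPorts = Collections.emptySet();

    @Override
    public void init(FilterConfig config) throws ServletException {
        trustedPorts = parsePorts(config.getInitParameter(TRUSTED_PORTS_PARAM));
        if (trustedPorts.isEmpty()) {
            // Fail closed: no configured ports means no request may be trusted.
            throw new ServletException("no trusted proxy ports configured");
        }
    }

    /** Parses a comma-separated port list; invalid entries abort startup rather than being skipped. */
    static Set<Integer> parsePorts(String csv) throws ServletException {
        Set<Integer> ports = new HashSet<>();
        if (csv == null || csv.trim().isEmpty()) {
            return ports;
        }
        for (String token : csv.split(",")) {
            String t = token.trim();
            if (t.isEmpty()) {
                continue;
            }
            int port;
            try {
                port = Integer.parseInt(t);
            } catch (NumberFormatException e) {
                throw new ServletException("invalid port in " + TRUSTED_PORTS_PARAM + ": " + t);
            }
            if (port < 1 || port > 65535) {
                throw new ServletException("port out of range: " + port);
            }
            ports.add(port);
        }
        return ports;
    }

    /** The decision rests on the local listening port, never on anything the client sent. */
    boolean arrivedOnTrustedPort(HttpServletRequest request) {
        return trustedPorts.contains(request.getLocalPort());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!arrivedOnTrustedPort(request)) {
            // Not from the trusted proxy listener: stop here so that forged
            // identity headers are never evaluated by the claim filter downstream.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

For this to be meaningful the filter must be mapped ahead of the claim-processing filter in the deployment descriptor, and the trusted ports must be listeners that only the proxy can reach (for example bound to loopback or protected by host firewall rules). A check on the local port alone does not distinguish clients that can connect to that same listener, which is why the description treats port configuration as a deployment step rather than purely a code change.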
| Comments |

| Comment by Liem Nguyen [ 25/Sep/14 ] |

I believe this has been addressed by the following check-ins: https://git.opendaylight.org/gerrit/#/c/11343/