[AAA-256] Authorization Header is ignored when cookie is present Created: 21/Mar/23  Updated: 17/Apr/23

Status: In Review
Project: aaa
Component/s: General
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Medium
Reporter: Venkatrangan Govindarajan Assignee: Venkatrangan Govindarajan
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   
  1. Used the netconf-5.0.3 release, which ships aaa 0.17.6.
  2. Issued a GET to netconf-topology as follows:


curl -v --location 'http://172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf'   --user 'admin:admin'
*   Trying 172.17.0.2...
* TCP_NODELAY set
* Connected to 172.17.0.2 (172.17.0.2) port 8181 (#0)
* Server auth using Basic with user 'admin'
> GET /rests/data/network-topology:network-topology/topology=topology-netconf HTTP/1.1
> Host: 172.17.0.2:8181
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Set-Cookie: JSESSIONID=node018vko67sr5ocytgqohuqzb11z0.node0; Path=/rests; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Set-Cookie: rememberMe=deleteMe; Path=/rests; Max-Age=0; Expires=Mon, 20-Mar-2023 04:55:46 GMT; SameSite=lax
< ETag: "2013-10-21-topology"
< Last-Modified: 2023-Mar-21 04:55:46
< Content-Type: application/yang-data+json
< Content-Length: 66
< 
* Connection #0 to host 172.17.0.2 left intact
{"network-topology:topology":[{"topology-id":"topology-netconf"}]} 


  3. In the following request, used the same session cookie with a wrong username/password.

 curl -v --location 'http://172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf'  --header 'Cookie: JSESSIONID=node018vko67sr5ocytgqohuqzb11z0.node0' --user 'admin23:56789'
*   Trying 172.17.0.2...
* TCP_NODELAY set
* Connected to 172.17.0.2 (172.17.0.2) port 8181 (#0)
* Server auth using Basic with user 'admin23'
> GET /rests/data/network-topology:network-topology/topology=topology-netconf HTTP/1.1
> Host: 172.17.0.2:8181
> Authorization: Basic YWRtaW4yMzo1Njc4OQ==
> User-Agent: curl/7.58.0
> Accept: */*
> Cookie: JSESSIONID=node018vko67sr5ocytgqohuqzb11z0.node0
> 
< HTTP/1.1 200 OK
< ETag: "2013-10-21-topology"
< Last-Modified: 2023-Mar-21 05:06:10
< Content-Type: application/yang-data+json
< Content-Length: 66
< 
* Connection #0 to host 172.17.0.2 left intact
{"network-topology:topology":[{"topology-id":"topology-netconf"}]} 


The GET response was returned. The authorization information was ignored.


The same issue occurs in earlier versions of AAA also.


 Comments   
Comment by Venkatrangan Govindarajan [ 21/Mar/23 ]

Solution: As an immediate fix for scenarios that do not require a cookie, the cookies can be disabled.

But the reason why Apache Shiro was not handing over the request to the ODL auth realm needs some investigation.

Comment by Ivan Hrasko [ 21/Mar/23 ]

Can you cite any RFC which claims this is incorrect behaviour?

Comment by Robert Varga [ 27/Mar/23 ]

I do not believe this is an issue: the session cookie is given out after authentication – i.e. as long as the correct cookie is provided, there is no need for additional authentication.

Comment by Venkatrangan Govindarajan [ 28/Mar/23 ]

rovarga 


There is definitely a regression here.

Test with netconf-4.0.2 (aaa-0.16.3)

First success!!

curl --location 'http://172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf' \
  --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
  --header 'Cookie: JSESSIONID=node0scnxu4aqszbihc9p3ez72zlb3.id.node0'



Used the same cookie and modified the Authorization header:

curl --location 'http://172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf' \
  --header 'Authorization: Basic YWRtaW44ODphZG1pbg==' \
  --header 'Cookie: JSESSIONID=node0scnxu4aqszbihc9p3ez72zlb3.id.node0'

But even this behavior is not consistent: when the request is repeated, the wrong Authorization header is sometimes allowed!!


Test with netconf-5.0.4 (aaa-0.17.7)


Success trial:

curl --location 'http://172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf' \
  --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
  --header 'Cookie: JSESSIONID=node0lprudepcks8ck1w4nv5uiqlm0.node0'

Changed the Authorization header:

curl --location 'http://172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf' \
  --header 'Authorization: Basic YWRtaW44ODphZG1pbg==' \
  --header 'Cookie: JSESSIONID=node0lprudepcks8ck1w4nv5uiqlm0.node0'

It still succeeded.


There is an inconsistency here. Also, not all requests are handed to the realms for validation. We need to check the Shiro settings and ensure the behavior is the same.
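The two policies being argued about in the description and in the comment above, as an added example that is not code from this issue, from AAA or from Apache Shiro: `session_first=True` models the reported aaa 0.17.6 behaviour (a valid JSESSIONID is accepted before the Authorization header is checked), and `session_first=False` models the reporter's expectation (Basic credentials, when sent, are always verified and must belong to the session's principal). The user table, the session table and the header parsing are assumptions constructed for the example; the Base64 values are the ones from the transcripts above.

```python
import base64
import hmac
from typing import Optional

# Constructed sample data for the example: one user, and one session that was
# handed out to "admin" after an earlier Basic-authenticated request.
USERS = {"admin": "admin"}
SESSIONS = {"node018vko67sr5ocytgqohuqzb11z0.node0": "admin"}


def parse_basic(header: Optional[str]) -> Optional[tuple[str, str]]:
    """Decode 'Authorization: Basic <base64>' into (user, password), or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def parse_cookie(header: Optional[str]) -> Optional[str]:
    """Return the JSESSIONID value from a Cookie header, or None."""
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID" and value:
            return value
    return None


def authenticate(headers: dict, session_first: bool) -> tuple[int, Optional[str]]:
    """Return (HTTP status, authenticated principal or None).
    session_first=True: a valid session cookie wins before the header is looked at.
    session_first=False: credentials are always verified and must match the session."""
    session_user = SESSIONS.get(parse_cookie(headers.get("Cookie")))
    creds = parse_basic(headers.get("Authorization"))
    if session_first and session_user:
        return 200, session_user          # cookie wins; wrong credentials never checked
    if creds is None:
        return (200, session_user) if session_user else (401, None)
    user, password = creds
    if user not in USERS or not hmac.compare_digest(USERS[user].encode(), password.encode()):
        return 401, None                  # bad credentials are rejected even with a cookie
    if session_user and session_user != user:
        return 401, None                  # cookie and header disagree about the principal
    return 200, user
```

The second assertion in a regression test for this issue would be the interesting one: valid cookie plus wrong credentials should not yield 200 under the strict policy.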


Generated at Wed Feb 07 19:09:03 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.