[CONTROLLER-1235] odl-mdsal-apidocs feature is not protected through AAA
Created: 02/Apr/15  Updated: 25/Jul/23  Resolved: 05/May/15

Status: Resolved
Project: controller
Component/s: restconf
Affects Version/s: None
Fix Version/s: None

Type: Bug
Reporter: Ryan Goulding
Assignee: Unassigned
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


External issue ID: 2942

 Description   

The URLs supported by the odl-mdsal-apidocs feature are not protected by the controller's AAA. This is a security vulnerability when the security model prohibits any access to the controller without authentication.



 Comments   
Comment by Ryan Goulding [ 03/Apr/15 ]

The fix for this Bug was tested by:

1) Running karaf
cd controller
./opendaylight/distribution/opendaylight-karaf/target/assembly/bin/karaf debug

2) feature:install odl-restconf odl-mdsal-apidocs

3) Visiting the api explorer web page, and ensuring that the page is not loaded until valid AuthN was supplied.

http://localhost:8181/apidoc/explorer/index.html

This test was done using:
1) Google Chrome Version 41.0.2272.101 (64-bit)
2) Mozilla Firefox Version 36.0.4
On Fedora 20 with kernel "Linux fedora 3.18.9-100.fc20.x86_64".
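
The manual browser check in the comment above can be repeated as a scripted regression test. The following is an added example, not part of the original ticket or the OpenDaylight code base; the function names and the verdict labels are assumptions, and only the URL path comes from the ticket.

```python
import base64
import urllib.error
import urllib.request

# Path taken from the ticket; any other path would be an assumption.
APIDOC_PATH = "/apidoc/explorer/index.html"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report a 3xx as-is instead of following it

def probe(base_url, path=APIDOC_PATH, credentials=None, timeout=5):
    """Send one GET and return (status, WWW-Authenticate header or None)."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    if credentials:  # (user, password) tuple, sent as HTTP Basic
        token = base64.b64encode(":".join(credentials).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    # Empty ProxyHandler: ignore environment proxies, talk to the controller directly.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}), NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate")

def verdict(base_url, path=APIDOC_PATH):
    """Classify how the path answers a request that carries no credentials."""
    status, challenge = probe(base_url, path)
    if status == 401 and challenge:
        return "protected"      # AAA challenged the anonymous request
    if 200 <= status < 300:
        return "exposed"        # page served without authentication
    return "inconclusive"       # redirect, 403, 404, ...: inspect by hand

if __name__ == "__main__":
    base = "http://localhost:8181"  # host and port as used in the ticket
    try:
        print(base + APIDOC_PATH, "->", verdict(base))
    except urllib.error.URLError as exc:
        print("controller not reachable:", exc.reason)
```

A result of "exposed" reproduces the bug; "protected" matches the behaviour the fix was tested for.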

Comment by Carol Sanders [ 05/May/15 ]

This bug is part of the project to move all ADSAL associated component bugs to ADSAL.

Comment by Ryan Goulding [ 05/May/15 ]

This is not an ADSAL bug.

Generated at Wed Feb 07 19:55:01 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.