OpenDaylight JIRA https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 [AAA-256] Authorization Header is ignored when cookie is present https://jira.opendaylight.org/browse/AAA-256 aaa <ol> <li>Used netconf-5.0.3 that ships aaa (0.17.6) release.</li> <li>Issued a get to netconf-toplogy as follows</li> </ol> <p>   </p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> curl -v --location <span class="code-quote">'http:<span class="code-comment">//172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf'</span>   --user <span class="code-quote">'admin:admin'</span> </span>*   Trying 172.17.0.2... * TCP_NODELAY set * Connected to 172.17.0.2 (172.17.0.2) port 8181 (#0) * Server auth using Basic with user <span class="code-quote">'admin'</span> &gt; GET /rests/data/network-topology:network-topology/topology=topology-netconf HTTP/1.1 &gt; Host: 172.17.0.2:8181 &gt; Authorization: Basic YWRtaW46YWRtaW4= &gt; User-Agent: curl/7.58.0 &gt; Accept: */* &gt;  &lt; HTTP/1.1 200 OK &lt; Set-Cookie: JSESSIONID=node018vko67sr5ocytgqohuqzb11z0.node0; Path=/rests; HttpOnly &lt; Expires: Thu, 01 Jan 1970 00:00:00 GMT &lt; Set-Cookie: rememberMe=deleteMe; Path=/rests; Max-Age=0; Expires=Mon, 20-Mar-2023 04:55:46 GMT; SameSite=lax &lt; ETag: <span class="code-quote">"2013-10-21-topology"</span> &lt; Last-Modified: 2023-Mar-21 04:55:46 &lt; Content-Type: application/yang-data+json &lt; Content-Length: 66 &lt;  * Connection #0 to host 172.17.0.2 left intact {<span class="code-quote">"network-topology:topology"</span>:[{<span class="code-quote">"topology-id"</span>:<span class="code-quote">"topology-netconf"</span>}]} </pre> </div></div> <p> </p> <p>3. In the following request, used the same sesion cookie with wrong username/pass.</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java">  curl -v --location <span class="code-quote">'http:<span class="code-comment">//172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf'</span>  --header <span class="code-quote">'Cookie: JSESSIONID=node018vko67sr5ocytgqohuqzb11z0.node0'</span> --user <span class="code-quote">'admin23:56789'</span> </span>*   Trying 172.17.0.2... * TCP_NODELAY set * Connected to 172.17.0.2 (172.17.0.2) port 8181 (#0) * Server auth using Basic with user <span class="code-quote">'admin23'</span> &gt; GET /rests/data/network-topology:network-topology/topology=topology-netconf HTTP/1.1 &gt; Host: 172.17.0.2:8181 &gt; Authorization: Basic YWRtaW4yMzo1Njc4OQ== &gt; User-Agent: curl/7.58.0 &gt; Accept: */* &gt; Cookie: JSESSIONID=node018vko67sr5ocytgqohuqzb11z0.node0 &gt;  &lt; HTTP/1.1 200 OK &lt; ETag: <span class="code-quote">"2013-10-21-topology"</span> &lt; Last-Modified: 2023-Mar-21 05:06:10 &lt; Content-Type: application/yang-data+json &lt; Content-Length: 66 &lt;  * Connection #0 to host 172.17.0.2 left intact {<span class="code-quote">"network-topology:topology"</span>:[{<span class="code-quote">"topology-id"</span>:<span class="code-quote">"topology-netconf"</span>}]} </pre> </div></div> <p> </p> <p>The GET response was returned. The authorization information was ignored. </p> <p> </p> <p>The same issue occurs in earlier versions of AAA also.</p> <p> </p> <p> </p> <p> </p> AAA-256 Authorization Header is ignored when cookie is present Bug Medium In Review Unresolved Venkatrangan Govindarajan Venkatrangan Govindarajan Tue, 21 Mar 2023 05:07:02 +0000 Mon, 17 Apr 2023 07:42:38 +0000 General 0 3 <p>Solution: As a immediate fix for scenarios that do not require a cookie, the cookies can be disabled. </p> <p>But, the reasons why apche shiro ws not handling over the request to ODL Auth realm needs some investigtion.</p> <p>Can you cite any RFC which claims this is incorrect behaviour?</p> <p>I do not believe this is an issue: the session cookie is given out after authentication &#8211; i.e. as long as the correct cookie is provided, there is no need for additional authentication.</p> <p><a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=rovarga" class="user-hover" rel="rovarga">rovarga</a> </p> <p> </p> <p>There is definitely a regression here..</p> <p>Test with NEtconf-4.0.2 (aaa-0.16.3)</p> <p>first success!!</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java">curl --location <span class="code-quote">'http:<span class="code-comment">//172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf'</span> \--header <span class="code-quote">'Authorization: Basic YWRtaW46YWRtaW4='</span> \--header <span class="code-quote">'Cookie: JSESSIONID=node0scnxu4aqszbihc9p3ez72zlb3.id.node0'</span> </span> </pre> </div></div> <p> </p> <p>Used the same cookie and modified the authorization header....</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java">curl --location <span class="code-quote">'http:<span class="code-comment">//172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf'</span> \--header <span class="code-quote">'Authorization: Basic YWRtaW44ODphZG1pbg=='</span> \--header <span class="code-quote">'Cookie: JSESSIONID=node0scnxu4aqszbihc9p3ez72zlb3.id.node0'</span> </span></pre> </div></div> <p> Buteven this behavior is not consistent, when the requst is repeated, the wrong authorization header is sometimes allowed!!</p> <p> </p> <p> </p> <p>Test with netconf-5.0.4 (aaa-0.17.7)</p> <p> </p> <p>Success trial</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java">curl --location <span class="code-quote">'http:<span class="code-comment">//172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf'</span> \--header <span class="code-quote">'Authorization: Basic YWRtaW46YWRtaW4='</span> \--header <span class="code-quote">'Cookie: JSESSIONID=node0lprudepcks8ck1w4nv5uiqlm0.node0'</span> </span></pre> </div></div> <p>Changed authorization header,</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java">curl --location <span class="code-quote">'http:<span class="code-comment">//172.17.0.2:8181/rests/data/network-topology:network-topology/topology=topology-netconf'</span> \--header <span class="code-quote">'Authorization: Basic YWRtaW44ODphZG1pbg=='</span> \--header <span class="code-quote">'Cookie: JSESSIONID=node0lprudepcks8ck1w4nv5uiqlm0.node0'</span> </span></pre> </div></div> <p>still it succeeeded.</p> <p> </p> <p>There is a inconsistancy here, Also not all requests are handed to the realms for validating. We need to check the Shiro settings and ensure the behavior is the same.</p> <p> </p> Development Rank 0|i044lj: