[ https://issues.apache.org/jira/browse/SLING-1116?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12828057#action_12828057 ]

Ian Boston commented on SLING-1116:
-----------------------------------

One comment that might be relevant:

I notice that the hash in the cookie is of the form
md5(remoteAddress:path):md5(userId:authRealmsha1({sha1}userPassword))

which makes the cookie static for a user from an address which might be a proxy
address, in which case the cookie is susceptible to capture and reuse.
Remove the remote_address and it effectively becomes a clear text password in
http headers with every request.

It also assumes that Jackrabbit has access to the password, which in the case of
a LoginModulePlugin is not the case.

In a slightly different scenario, where we are using a SSO system to authenticate
users we need to have secure cookies to track user identity against each
request and we have used
sha1(expirytime:securetoken:userID)@securetokennumber,expiryt...@userid as the
cookie, where expiry time is the epoch when the cookie becomes invalid, and the
securetoken number comes from a circular buffer of securetokens, identified by
securetokennumber, that buffer completely refreshing after 2.5 times the TTL on
the cookie. Documented in more detail at [1], implemented at [2].

The approach isn't totally secure (nothing is), and still needs to have the 
whole server operating over ssl, but the tokens do expire. The downside is that 
the circular buffer of secure tokens needs to be distributed in a cluster, and 
persisted, however 5x20 bytes changing every 10 minutes shouldn't be too hard 
to distribute. 


Also if you want to avoid having to manage special Credentials you might
consider using SimpleCredentials with a special attribute class as this won't
require JAAS style callbacks to get round the strong JR->SimpleCredentials
bindings.


[1] http://confluence.sakaiproject.org/display/KERNDOC/KERN-579+Trusted+Authentication
    (scroll to the bit on Cookies)
[2] http://github.com/ieb/open-experiments/tree/master/slingtests/osgikernel/bundles/trustedauth/



> FORM Based Authentication
> -------------------------
>
>                 Key: SLING-1116
>                 URL: https://issues.apache.org/jira/browse/SLING-1116
>             Project: Sling
>          Issue Type: New Feature
>          Components: Extensions
>            Reporter: Eric Norman
>            Assignee: Felix Meschberger
>         Attachments: org.apache.sling.cookieauth.zip, 
> org.apache.sling.sessionauth.zip, SLING_1116_jackrabbit_server_patch.txt, 
> updated_org.apache.sling.cookieauth.zip
>
>
> This is a new bundle that provides an implementation of forms based 
> authentication for sling.
> The login/logout servlets from the org.apache.sling.commons.auth are used.
> The AuthenticationHandler will use http basic auth credentials if they are on 
> the request, otherwise it will use the user/pwd posted from the login form.
> The login form html is generated by a set of scripts
> 1. login.html.esp     - full login page (includes login_body.html.esp for the 
> form markup)
> 2. login_body.html.esp   - just the login form, which may be useful for 
> drawing the login form for an ajax context
> 3. loginError.html.esp   - full login-error page
> 4. loginError_body.html.esp  - just the login-error form, for login error in 
> ajax context
> The above scripts are included as bundle-resources @ 
> /libs/sling/servlet/default
> The bundle also has a couple of test scripts to show some examples of usage:
> 1. loginTest.html.esp  - shows who is logged in and links to login or logout
> 2. loginTest2.html.esp - shows how a script can check permissions and show a 
> login page if the anonymous user doesn't have permission to see the page.
> Some examples of usage are:
> 1. http://host:port/path/to/node.login.html   - show the login page and then 
> go to http://host:port/path/to/node after authenticated
> 2. http://host:port/path/to/node.login.html?s=.edit.html   - show the login 
> page and then go to http://host:port/path/to/node.edit.html after 
> authenticated
> 3. http://host:port/system/sling/logout  - invalidate the session and switch 
> back to anonymous user
