Re: [Dev] [VOTE] Release WSO2 Private PaaS 4.1.0 RC1
On Tue, Oct 20, 2015 at 10:25 PM, Akila Ravihansa Pererawrote: > > > I think the proper way to secure the Jaggery services is by using SSO. > I tend to disagree on this statement. SSO is used when authenticating a human to a series of software systems. An API should not use SSO for authentication rather it should use session based authentication either by creating session tokens or API Keys, refer this [3]. > According to the thread on wso2dev@ with subject "SingleSignOn support in > DAS Analytics Dashboard" this is not yet supported in DAS. The approach > taken in analytics.jsg as you mentioned require a separate login screen as > in [1]. IMHO, this is not a suitable method to secure a Jaggery based API. > > No, have a look at the analytics.jag authentication logic. It first accepts an Authorization header and creates a session token. Authorization header can accept basic auth, see [4]. Afterwards corresponding calls are authenticated using authToken/JSESSIONID. > Regarding table names in SQL queries; this is not the best approach to > design the API but these table names are escaped from request parameters > [2] which would minimize the risk of a SQL injection attack. This is > definitely a potential security issue as well as an API design issue we > need to fix. But I think fixing this will need a major refactoring to the > Jaggery files. wdyt? > No, we can simply fix this by creating an API per table/entity. > > [1] > https://github.com/wso2/carbon-dashboards/blob/master/apps/portal/theme/templates/login.jag > [2] > https://github.com/wso2/product-private-paas/blob/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files/member-info.jag#L26 > > [3] https://www.owasp.org/index.php/REST_Security_Cheat_Sheet [4] https://github.com/wso2/carbon-analytics/blob/d7d4f7c31981eb6aff8921fefba7c030eb11a80a/components/analytics-io/org.wso2.carbon.analytics.jsservice/src/main/java/org/wso2/carbon/analytics/jsservice/Utils.java#L352 Thanks On Tue, Oct 20, 2015 at 10:25 PM, Akila Ravihansa Perera wrote: > Hi Imesh, > > I think the proper way to secure the Jaggery services is by using SSO. > According to the thread on wso2dev@ with subject "SingleSignOn support in > DAS Analytics Dashboard" this is not yet supported in DAS. The approach > taken in analytics.jsg as you mentioned require a separate login screen as > in [1]. IMHO, this is not a suitable method to secure a Jaggery based API. > > Regarding table names in SQL queries; this is not the best approach to > design the API but these table names are escaped from request parameters > [2] which would minimize the risk of a SQL injection attack. This is > definitely a potential security issue as well as an API design issue we > need to fix. But I think fixing this will need a major refactoring to the > Jaggery files. wdyt? > > [1] > https://github.com/wso2/carbon-dashboards/blob/master/apps/portal/theme/templates/login.jag > [2] > https://github.com/wso2/product-private-paas/blob/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files/member-info.jag#L26 > > Thanks. > > On Tue, Oct 20, 2015 at 8:38 PM, Imesh Gunaratne wrote: > >> Hi, >> >> It looks like there are two security issues in the APIs exposed by the >> DAS metering and monitoring dashboards [1], [2]: >> >>- APIs have no authentication mechanism >>- Table name is concatenated in the SQL queries >> >> We may need to add an authentication check similar to analytics.jag [3]: >> >> var authParam = request.getHeader(AUTHORIZATION_HEADER); >> if (authParam != null) { >> credentials = JSUtils.authenticate(authParam); >> authenticationAdminStub = new >> AuthenticationAdminStub(authenticationWSUrl); >> authenticationAdminStub.login(credentials[0], credentials[1], >> LOCALHOST); >> var serviceContext = >> authenticationAdminStub._getServiceClient().getLastOperationContext() >> .getServiceContext(); >> var sessionCookie = >> serviceContext.getProperty(HTTPConstants.COOKIE_STRING); >> options.setProperty(HTTPConstants.COOKIE_STRING, sessionCookie); >> } else { >> var token = session.get(AUTH_TOKEN); >> if (token != null) { >> options.setProperty(HTTPConstants.COOKIE_STRING, token); >> } else { >> log.error("user is not authenticated!"); >> response.status = HTTP_USER_NOT_AUTHENTICATED; >> print('{ "status": "Failed", "message": "User is not >> authenticated." }'); >> return; >> } >> } >> >> In addition we may need to avoid concatenating table names in SQL queries. >> >> [1] >> https://github.com/wso2/product-private-paas/tree/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files >> [2] >> https://github.com/wso2/product-private-paas/tree/v4.1.0-rc1/extensions/das/artifacts/monitoring-dashboard/jaggery-files >> [3] >>
Re: [Dev] [VOTE] Release WSO2 Private PaaS 4.1.0 RC1
Hi, On Tue, Oct 20, 2015 at 11:08 PM, Imesh Gunaratnewrote: > On Tue, Oct 20, 2015 at 10:25 PM, Akila Ravihansa Perera < > raviha...@wso2.com> wrote: >> >> >> I think the proper way to secure the Jaggery services is by using SSO. >> > > I tend to disagree on this statement. SSO is used when authenticating a > human to a series of software systems. An API should not use SSO for > authentication rather it should use session based authentication either by > creating session tokens or API Keys, refer this [3]. > > >> According to the thread on wso2dev@ with subject "SingleSignOn support >> in DAS Analytics Dashboard" this is not yet supported in DAS. The approach >> taken in analytics.jsg as you mentioned require a separate login screen as >> in [1]. IMHO, this is not a suitable method to secure a Jaggery based API. >> >> No, have a look at the analytics.jag authentication logic. It first > accepts an Authorization header and creates a session token. Authorization > header can accept basic auth, see [4]. Afterwards corresponding calls are > authenticated using authToken/JSESSIONID. > Agree with Imesh.I think we need to consider authToken based authentication that's simplify our requirement. > > >> Regarding table names in SQL queries; this is not the best approach to >> design the API but these table names are escaped from request parameters >> [2] which would minimize the risk of a SQL injection attack. This is >> definitely a potential security issue as well as an API design issue we >> need to fix. But I think fixing this will need a major refactoring to the >> Jaggery files. wdyt? >> > > No, we can simply fix this by creating an API per table/entity. > You mean to have separate API for each table in the database? So if there 10 tables , there will be more than 10 APIs. I think it wont work when there are more no of tables. What about we selecting the table inside the API method based on the scenario? Main security vulnerability here is those APIs expect the table name as a request parameter. We need to remove this. Thanks, Gayan > >> [1] >> https://github.com/wso2/carbon-dashboards/blob/master/apps/portal/theme/templates/login.jag >> [2] >> https://github.com/wso2/product-private-paas/blob/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files/member-info.jag#L26 >> >> [3] https://www.owasp.org/index.php/REST_Security_Cheat_Sheet > [4] > https://github.com/wso2/carbon-analytics/blob/d7d4f7c31981eb6aff8921fefba7c030eb11a80a/components/analytics-io/org.wso2.carbon.analytics.jsservice/src/main/java/org/wso2/carbon/analytics/jsservice/Utils.java#L352 > > Thanks > > On Tue, Oct 20, 2015 at 10:25 PM, Akila Ravihansa Perera < > raviha...@wso2.com> wrote: > >> Hi Imesh, >> >> I think the proper way to secure the Jaggery services is by using SSO. >> According to the thread on wso2dev@ with subject "SingleSignOn support >> in DAS Analytics Dashboard" this is not yet supported in DAS. The approach >> taken in analytics.jsg as you mentioned require a separate login screen as >> in [1]. IMHO, this is not a suitable method to secure a Jaggery based API. >> >> Regarding table names in SQL queries; this is not the best approach to >> design the API but these table names are escaped from request parameters >> [2] which would minimize the risk of a SQL injection attack. This is >> definitely a potential security issue as well as an API design issue we >> need to fix. But I think fixing this will need a major refactoring to the >> Jaggery files. wdyt? >> >> [1] >> https://github.com/wso2/carbon-dashboards/blob/master/apps/portal/theme/templates/login.jag >> [2] >> https://github.com/wso2/product-private-paas/blob/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files/member-info.jag#L26 >> >> Thanks. >> >> On Tue, Oct 20, 2015 at 8:38 PM, Imesh Gunaratne wrote: >> >>> Hi, >>> >>> It looks like there are two security issues in the APIs exposed by the >>> DAS metering and monitoring dashboards [1], [2]: >>> >>>- APIs have no authentication mechanism >>>- Table name is concatenated in the SQL queries >>> >>> We may need to add an authentication check similar to analytics.jag [3]: >>> >>> var authParam = request.getHeader(AUTHORIZATION_HEADER); >>> if (authParam != null) { >>> credentials = JSUtils.authenticate(authParam); >>> authenticationAdminStub = new >>> AuthenticationAdminStub(authenticationWSUrl); >>> authenticationAdminStub.login(credentials[0], credentials[1], >>> LOCALHOST); >>> var serviceContext = >>> authenticationAdminStub._getServiceClient().getLastOperationContext() >>> .getServiceContext(); >>> var sessionCookie = >>> serviceContext.getProperty(HTTPConstants.COOKIE_STRING); >>> options.setProperty(HTTPConstants.COOKIE_STRING, sessionCookie); >>> } else { >>> var token = session.get(AUTH_TOKEN); >>> if (token != null) { >>>
Re: [Dev] [VOTE] Release WSO2 Private PaaS 4.1.0 RC1
On Wed, Oct 21, 2015 at 12:22 AM, Akila Ravihansa Pererawrote: > > Please see inline. Sorry to drag this, but I think it's better to clarify > unclear areas :) > +1 > >>> Yes that's true but in a such design any other external system will not >> be able to to access the APIs using API Keys without having to integrate >> with the same SSO solution. >> > > I tend to disagree. Using a compatible Identity Provider (for eg: WSO2 IS) > we can secure the API using multiple grant types. In this scenario API can > be secured via SSO but not limited to that. > > AFAIU grant types and API keys are different. API keys can be pre-generated for a particular user and used in a X system for accessing an API (Example: EC2 access & secret keys). As long as X system has the API keys it does not need to talk to an Identity Provider to obtain a token based on a grant type. > >>> >> May be this was not clear. We do not need a login page to make a request >> to an API endpoint which is secured with Basic Auth. We can make a HTTP >> call with an Authorization header having credentials (Base64 encoded) via >> HTTPS. >> > > If we are going to send the Authorization header then we need to get the > credentials from the user first. I'm not clear how you plan to implement > this without a login screen. How do you propose to create this header in > client request? > > My concern is that when a system A is talking to a system B where system B has a dashboard where it talks to its own API, system A does not need to worry about the API call of system B. System A only needs a way to authenticate to system B. System B should handle how it authenticate to its own API. In an ideal situation we need to use SSO between system A and B assuming that the enduser needs to access both systems as a part of a single solution. However it does not mean that the API of system B should use the same SSO system for authentication. IMO if the API of system B is generic and needed by third party systems it should have a more user friendly authentication system such as API Keys. > >>> Thanks On Wed, Oct 21, 2015 at 12:22 AM, Akila Ravihansa Perera wrote: > Hi Imesh, > > Please see inline. Sorry to drag this, but I think it's better to clarify > unclear areas :) > > SSO can be used to authenticate the user who is accessing the >>> monitoring/metering dashboard, thereby authenticating him to the API as >>> well. We don't need to maintain a session token/cookie for this which is an >>> overhead for this scenario, IMO. >>> >>> >> Yes that's true but in a such design any other external system will not >> be able to to access the APIs using API Keys without having to integrate >> with the same SSO solution. >> > > I tend to disagree. Using a compatible Identity Provider (for eg: WSO2 IS) > we can secure the API using multiple grant types. In this scenario API can > be secured via SSO but not limited to that. > > >> Imagine Twitter has exposed set of APIs using Twitter SSO solution. Now >> if we were to consume those APIs in a X system. This X system needs to >> integrate with Twitter SSO solution first. IMO this is not a good design, >> ideally those APIs should be accessible with API Keys. This is how actually >> Twitter has exposed their APIs. >> >>> >>> If we are using basic auth, the user needs to submit the credentials via >>> a form, which is again an overhead. Any implementation of >>> authToken/JSESSIONID would require the user to submit credential at some >>> layer. What I'm suggesting is to authenticate the user via SSO to the DAS >>> dashboard, which would authenticate him to the API as well. I'm -1 on >>> developing a separate login screen for this. >>> >>> >> May be this was not clear. We do not need a login page to make a request >> to an API endpoint which is secured with Basic Auth. We can make a HTTP >> call with an Authorization header having credentials (Base64 encoded) via >> HTTPS. >> > > If we are going to send the Authorization header then we need to get the > credentials from the user first. I'm not clear how you plan to implement > this without a login screen. How do you propose to create this header in > client request? > > >> >>> This would not be manageable as we add entities in future I think. We >>> can handle this internally by not using the request parameter variable to >>> create the query. But rather choose the correct sql query conditionally >>> based on the request parameter. This would basically result in rewriting >>> all Jaggery files. >>> >> > > >> >> Yes ideally it should be the context path (/api/member -> member table, >> /api/cluster/health -> cluster health table, etc) >> > > +1 > > > >> >> Thanks >> >> On Tue, Oct 20, 2015 at 11:40 PM, Akila Ravihansa Perera < >> raviha...@wso2.com> wrote: >> >>> Hi Gayan, >>> >>> The code reference you pointed at [1] is used in a prepared SQL >>> statement [2]. The risk of SQL injection attack is minimal in that case,
Re: [Dev] [VOTE] Release WSO2 Private PaaS 4.1.0 RC1
On Tue, Oct 20, 2015 at 11:27 PM, Gayan Gunarathnewrote: > > >> >>> Regarding table names in SQL queries; this is not the best approach to >>> design the API but these table names are escaped from request parameters >>> [2] which would minimize the risk of a SQL injection attack. This is >>> definitely a potential security issue as well as an API design issue we >>> need to fix. But I think fixing this will need a major refactoring to the >>> Jaggery files. wdyt? >>> >> >> No, we can simply fix this by creating an API per table/entity. >> > > You mean to have separate API for each table in the database? So if there > 10 tables , there will be more than 10 APIs. I think it wont work when > there are more no of tables. > We already have separate APIs for each entity. Yes may be we can have one API implementation which could internally identify the entity based on the context path (similar to Java RESTful services). On Tue, Oct 20, 2015 at 11:33 PM, Akila Ravihansa Perera wrote: > > > SSO can be used to authenticate the user who is accessing the > monitoring/metering dashboard, thereby authenticating him to the API as > well. We don't need to maintain a session token/cookie for this which is an > overhead for this scenario, IMO. > > Yes that's true but in a such design any other external system will not be able to to access the APIs using API Keys without having to integrate with the same SSO solution. Imagine Twitter has exposed set of APIs using Twitter SSO solution. Now if we were to consume those APIs in a X system. This X system needs to integrate with Twitter SSO solution first. IMO this is not a good design, ideally those APIs should be accessible with API Keys. This is how actually Twitter has exposed their APIs. > >> > If we are using basic auth, the user needs to submit the credentials via a > form, which is again an overhead. Any implementation of > authToken/JSESSIONID would require the user to submit credential at some > layer. What I'm suggesting is to authenticate the user via SSO to the DAS > dashboard, which would authenticate him to the API as well. I'm -1 on > developing a separate login screen for this. > > May be this was not clear. We do not need a login page to make a request to an API endpoint which is secured with Basic Auth. We can make a HTTP call with an Authorization header having credentials (Base64 encoded) via HTTPS. > >> > This would not be manageable as we add entities in future I think. We can > handle this internally by not using the request parameter variable to > create the query. But rather choose the correct sql query conditionally > based on the request parameter. This would basically result in rewriting > all Jaggery files. > Yes ideally it should be the context path (/api/member -> member table, /api/cluster/health -> cluster health table, etc) Thanks On Tue, Oct 20, 2015 at 11:40 PM, Akila Ravihansa Perera wrote: > Hi Gayan, > > The code reference you pointed at [1] is used in a prepared SQL statement > [2]. The risk of SQL injection attack is minimal in that case, AFAIU. > > [1] > https://github.com/wso2/product-private-paas/blob/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files/member-info.jag#L49 > [2] > https://github.com/wso2/product-private-paas/blob/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files/member-info.jag#L53 > > Thanks. > > On Tue, Oct 20, 2015 at 11:33 PM, Akila Ravihansa Perera < > raviha...@wso2.com> wrote: > >> Hi Imesh, >> >> Please see inline. >> >> On Tue, Oct 20, 2015 at 11:08 PM, Imesh Gunaratne wrote: >> >>> On Tue, Oct 20, 2015 at 10:25 PM, Akila Ravihansa Perera < >>> raviha...@wso2.com> wrote: I think the proper way to secure the Jaggery services is by using SSO. >>> >>> I tend to disagree on this statement. SSO is used when authenticating a >>> human to a series of software systems. An API should not use SSO for >>> authentication rather it should use session based authentication either by >>> creating session tokens or API Keys, refer this [3]. >>> >> >> SSO can be used to authenticate the user who is accessing the >> monitoring/metering dashboard, thereby authenticating him to the API as >> well. We don't need to maintain a session token/cookie for this which is an >> overhead for this scenario, IMO. >> >> >>> >>> According to the thread on wso2dev@ with subject "SingleSignOn support in DAS Analytics Dashboard" this is not yet supported in DAS. The approach taken in analytics.jsg as you mentioned require a separate login screen as in [1]. IMHO, this is not a suitable method to secure a Jaggery based API. No, have a look at the analytics.jag authentication logic. It first >>> accepts an Authorization header and creates a session token. Authorization >>> header can accept basic auth, see [4]. Afterwards corresponding calls are >>> authenticated using
Re: [Dev] [VOTE] Release WSO2 Private PaaS 4.1.0 RC1
Hi Imesh, Please see inline. On Tue, Oct 20, 2015 at 11:08 PM, Imesh Gunaratnewrote: > On Tue, Oct 20, 2015 at 10:25 PM, Akila Ravihansa Perera < > raviha...@wso2.com> wrote: >> >> >> I think the proper way to secure the Jaggery services is by using SSO. >> > > I tend to disagree on this statement. SSO is used when authenticating a > human to a series of software systems. An API should not use SSO for > authentication rather it should use session based authentication either by > creating session tokens or API Keys, refer this [3]. > SSO can be used to authenticate the user who is accessing the monitoring/metering dashboard, thereby authenticating him to the API as well. We don't need to maintain a session token/cookie for this which is an overhead for this scenario, IMO. > > >> According to the thread on wso2dev@ with subject "SingleSignOn support >> in DAS Analytics Dashboard" this is not yet supported in DAS. The approach >> taken in analytics.jsg as you mentioned require a separate login screen as >> in [1]. IMHO, this is not a suitable method to secure a Jaggery based API. >> >> No, have a look at the analytics.jag authentication logic. It first > accepts an Authorization header and creates a session token. Authorization > header can accept basic auth, see [4]. Afterwards corresponding calls are > authenticated using authToken/JSESSIONID. > If we are using basic auth, the user needs to submit the credentials via a form, which is again an overhead. Any implementation of authToken/JSESSIONID would require the user to submit credential at some layer. What I'm suggesting is to authenticate the user via SSO to the DAS dashboard, which would authenticate him to the API as well. I'm -1 on developing a separate login screen for this. > > >> Regarding table names in SQL queries; this is not the best approach to >> design the API but these table names are escaped from request parameters >> [2] which would minimize the risk of a SQL injection attack. This is >> definitely a potential security issue as well as an API design issue we >> need to fix. But I think fixing this will need a major refactoring to the >> Jaggery files. wdyt? >> > > No, we can simply fix this by creating an API per table/entity. > This would not be manageable as we add entities in future I think. We can handle this internally by not using the request parameter variable to create the query. But rather choose the correct sql query conditionally based on the request parameter. This would basically result in rewriting all Jaggery files. Thanks. > >> [1] >> https://github.com/wso2/carbon-dashboards/blob/master/apps/portal/theme/templates/login.jag >> [2] >> https://github.com/wso2/product-private-paas/blob/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files/member-info.jag#L26 >> >> [3] https://www.owasp.org/index.php/REST_Security_Cheat_Sheet > [4] > https://github.com/wso2/carbon-analytics/blob/d7d4f7c31981eb6aff8921fefba7c030eb11a80a/components/analytics-io/org.wso2.carbon.analytics.jsservice/src/main/java/org/wso2/carbon/analytics/jsservice/Utils.java#L352 > > Thanks > > On Tue, Oct 20, 2015 at 10:25 PM, Akila Ravihansa Perera < > raviha...@wso2.com> wrote: > >> Hi Imesh, >> >> I think the proper way to secure the Jaggery services is by using SSO. >> According to the thread on wso2dev@ with subject "SingleSignOn support >> in DAS Analytics Dashboard" this is not yet supported in DAS. The approach >> taken in analytics.jsg as you mentioned require a separate login screen as >> in [1]. IMHO, this is not a suitable method to secure a Jaggery based API. >> >> Regarding table names in SQL queries; this is not the best approach to >> design the API but these table names are escaped from request parameters >> [2] which would minimize the risk of a SQL injection attack. This is >> definitely a potential security issue as well as an API design issue we >> need to fix. But I think fixing this will need a major refactoring to the >> Jaggery files. wdyt? >> >> [1] >> https://github.com/wso2/carbon-dashboards/blob/master/apps/portal/theme/templates/login.jag >> [2] >> https://github.com/wso2/product-private-paas/blob/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files/member-info.jag#L26 >> >> Thanks. >> >> On Tue, Oct 20, 2015 at 8:38 PM, Imesh Gunaratne wrote: >> >>> Hi, >>> >>> It looks like there are two security issues in the APIs exposed by the >>> DAS metering and monitoring dashboards [1], [2]: >>> >>>- APIs have no authentication mechanism >>>- Table name is concatenated in the SQL queries >>> >>> We may need to add an authentication check similar to analytics.jag [3]: >>> >>> var authParam = request.getHeader(AUTHORIZATION_HEADER); >>> if (authParam != null) { >>> credentials = JSUtils.authenticate(authParam); >>> authenticationAdminStub = new >>> AuthenticationAdminStub(authenticationWSUrl); >>>
Re: [Dev] [VOTE] Release WSO2 Private PaaS 4.1.0 RC1
Hi Gayan, The code reference you pointed at [1] is used in a prepared SQL statement [2]. The risk of SQL injection attack is minimal in that case, AFAIU. [1] https://github.com/wso2/product-private-paas/blob/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files/member-info.jag#L49 [2] https://github.com/wso2/product-private-paas/blob/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files/member-info.jag#L53 Thanks. On Tue, Oct 20, 2015 at 11:33 PM, Akila Ravihansa Pererawrote: > Hi Imesh, > > Please see inline. > > On Tue, Oct 20, 2015 at 11:08 PM, Imesh Gunaratne wrote: > >> On Tue, Oct 20, 2015 at 10:25 PM, Akila Ravihansa Perera < >> raviha...@wso2.com> wrote: >>> >>> >>> I think the proper way to secure the Jaggery services is by using SSO. >>> >> >> I tend to disagree on this statement. SSO is used when authenticating a >> human to a series of software systems. An API should not use SSO for >> authentication rather it should use session based authentication either by >> creating session tokens or API Keys, refer this [3]. >> > > SSO can be used to authenticate the user who is accessing the > monitoring/metering dashboard, thereby authenticating him to the API as > well. We don't need to maintain a session token/cookie for this which is an > overhead for this scenario, IMO. > > >> >> >>> According to the thread on wso2dev@ with subject "SingleSignOn support >>> in DAS Analytics Dashboard" this is not yet supported in DAS. The approach >>> taken in analytics.jsg as you mentioned require a separate login screen as >>> in [1]. IMHO, this is not a suitable method to secure a Jaggery based API. >>> >>> No, have a look at the analytics.jag authentication logic. It first >> accepts an Authorization header and creates a session token. Authorization >> header can accept basic auth, see [4]. Afterwards corresponding calls are >> authenticated using authToken/JSESSIONID. >> > > If we are using basic auth, the user needs to submit the credentials via a > form, which is again an overhead. Any implementation of > authToken/JSESSIONID would require the user to submit credential at some > layer. What I'm suggesting is to authenticate the user via SSO to the DAS > dashboard, which would authenticate him to the API as well. I'm -1 on > developing a separate login screen for this. > > >> >> >>> Regarding table names in SQL queries; this is not the best approach to >>> design the API but these table names are escaped from request parameters >>> [2] which would minimize the risk of a SQL injection attack. This is >>> definitely a potential security issue as well as an API design issue we >>> need to fix. But I think fixing this will need a major refactoring to the >>> Jaggery files. wdyt? >>> >> >> No, we can simply fix this by creating an API per table/entity. >> > > This would not be manageable as we add entities in future I think. We can > handle this internally by not using the request parameter variable to > create the query. But rather choose the correct sql query conditionally > based on the request parameter. This would basically result in rewriting > all Jaggery files. > > Thanks. > > > >> >>> [1] >>> https://github.com/wso2/carbon-dashboards/blob/master/apps/portal/theme/templates/login.jag >>> [2] >>> https://github.com/wso2/product-private-paas/blob/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files/member-info.jag#L26 >>> >>> [3] https://www.owasp.org/index.php/REST_Security_Cheat_Sheet >> [4] >> https://github.com/wso2/carbon-analytics/blob/d7d4f7c31981eb6aff8921fefba7c030eb11a80a/components/analytics-io/org.wso2.carbon.analytics.jsservice/src/main/java/org/wso2/carbon/analytics/jsservice/Utils.java#L352 >> >> Thanks >> >> On Tue, Oct 20, 2015 at 10:25 PM, Akila Ravihansa Perera < >> raviha...@wso2.com> wrote: >> >>> Hi Imesh, >>> >>> I think the proper way to secure the Jaggery services is by using SSO. >>> According to the thread on wso2dev@ with subject "SingleSignOn support >>> in DAS Analytics Dashboard" this is not yet supported in DAS. The approach >>> taken in analytics.jsg as you mentioned require a separate login screen as >>> in [1]. IMHO, this is not a suitable method to secure a Jaggery based API. >>> >>> Regarding table names in SQL queries; this is not the best approach to >>> design the API but these table names are escaped from request parameters >>> [2] which would minimize the risk of a SQL injection attack. This is >>> definitely a potential security issue as well as an API design issue we >>> need to fix. But I think fixing this will need a major refactoring to the >>> Jaggery files. wdyt? >>> >>> [1] >>> https://github.com/wso2/carbon-dashboards/blob/master/apps/portal/theme/templates/login.jag >>> [2] >>> https://github.com/wso2/product-private-paas/blob/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files/member-info.jag#L26 >>> >>> Thanks. >>> >>> On Tue, Oct 20, 2015 at 8:38
Re: [Dev] [VOTE] Release WSO2 Private PaaS 4.1.0 RC1
Hi Imesh, Please see inline. Sorry to drag this, but I think it's better to clarify unclear areas :) SSO can be used to authenticate the user who is accessing the >> monitoring/metering dashboard, thereby authenticating him to the API as >> well. We don't need to maintain a session token/cookie for this which is an >> overhead for this scenario, IMO. >> >> > Yes that's true but in a such design any other external system will not be > able to to access the APIs using API Keys without having to integrate with > the same SSO solution. > I tend to disagree. Using a compatible Identity Provider (for eg: WSO2 IS) we can secure the API using multiple grant types. In this scenario API can be secured via SSO but not limited to that. > Imagine Twitter has exposed set of APIs using Twitter SSO solution. Now if > we were to consume those APIs in a X system. This X system needs to > integrate with Twitter SSO solution first. IMO this is not a good design, > ideally those APIs should be accessible with API Keys. This is how actually > Twitter has exposed their APIs. > >> >>> >> If we are using basic auth, the user needs to submit the credentials via >> a form, which is again an overhead. Any implementation of >> authToken/JSESSIONID would require the user to submit credential at some >> layer. What I'm suggesting is to authenticate the user via SSO to the DAS >> dashboard, which would authenticate him to the API as well. I'm -1 on >> developing a separate login screen for this. >> >> > May be this was not clear. We do not need a login page to make a request > to an API endpoint which is secured with Basic Auth. We can make a HTTP > call with an Authorization header having credentials (Base64 encoded) via > HTTPS. > If we are going to send the Authorization header then we need to get the credentials from the user first. I'm not clear how you plan to implement this without a login screen. How do you propose to create this header in client request? > >>> >> This would not be manageable as we add entities in future I think. We can >> handle this internally by not using the request parameter variable to >> create the query. But rather choose the correct sql query conditionally >> based on the request parameter. This would basically result in rewriting >> all Jaggery files. >> > > > Yes ideally it should be the context path (/api/member -> member table, > /api/cluster/health -> cluster health table, etc) > +1 > > Thanks > > On Tue, Oct 20, 2015 at 11:40 PM, Akila Ravihansa Perera < > raviha...@wso2.com> wrote: > >> Hi Gayan, >> >> The code reference you pointed at [1] is used in a prepared SQL statement >> [2]. The risk of SQL injection attack is minimal in that case, AFAIU. >> >> [1] >> https://github.com/wso2/product-private-paas/blob/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files/member-info.jag#L49 >> [2] >> https://github.com/wso2/product-private-paas/blob/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files/member-info.jag#L53 >> >> Thanks. >> >> On Tue, Oct 20, 2015 at 11:33 PM, Akila Ravihansa Perera < >> raviha...@wso2.com> wrote: >> >>> Hi Imesh, >>> >>> Please see inline. >>> >>> On Tue, Oct 20, 2015 at 11:08 PM, Imesh Gunaratne>>> wrote: >>> On Tue, Oct 20, 2015 at 10:25 PM, Akila Ravihansa Perera < raviha...@wso2.com> wrote: > > > I think the proper way to secure the Jaggery services is by using SSO. > I tend to disagree on this statement. SSO is used when authenticating a human to a series of software systems. An API should not use SSO for authentication rather it should use session based authentication either by creating session tokens or API Keys, refer this [3]. >>> >>> SSO can be used to authenticate the user who is accessing the >>> monitoring/metering dashboard, thereby authenticating him to the API as >>> well. We don't need to maintain a session token/cookie for this which is an >>> overhead for this scenario, IMO. >>> >>> > According to the thread on wso2dev@ with subject "SingleSignOn > support in DAS Analytics Dashboard" this is not yet supported in DAS. The > approach taken in analytics.jsg as you mentioned require a separate login > screen as in [1]. IMHO, this is not a suitable method to secure a Jaggery > based API. > > No, have a look at the analytics.jag authentication logic. It first accepts an Authorization header and creates a session token. Authorization header can accept basic auth, see [4]. Afterwards corresponding calls are authenticated using authToken/JSESSIONID. >>> >>> If we are using basic auth, the user needs to submit the credentials via >>> a form, which is again an overhead. Any implementation of >>> authToken/JSESSIONID would require the user to submit credential at some >>> layer. What I'm suggesting is to authenticate the user via SSO to the DAS >>> dashboard, which would authenticate him to the
Re: [Dev] [VOTE] Release WSO2 Private PaaS 4.1.0 RC1
Hi Imesh, I think the proper way to secure the Jaggery services is by using SSO. According to the thread on wso2dev@ with subject "SingleSignOn support in DAS Analytics Dashboard" this is not yet supported in DAS. The approach taken in analytics.jsg as you mentioned require a separate login screen as in [1]. IMHO, this is not a suitable method to secure a Jaggery based API. Regarding table names in SQL queries; this is not the best approach to design the API but these table names are escaped from request parameters [2] which would minimize the risk of a SQL injection attack. This is definitely a potential security issue as well as an API design issue we need to fix. But I think fixing this will need a major refactoring to the Jaggery files. wdyt? [1] https://github.com/wso2/carbon-dashboards/blob/master/apps/portal/theme/templates/login.jag [2] https://github.com/wso2/product-private-paas/blob/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files/member-info.jag#L26 Thanks. On Tue, Oct 20, 2015 at 8:38 PM, Imesh Gunaratnewrote: > Hi, > > It looks like there are two security issues in the APIs exposed by the DAS > metering and monitoring dashboards [1], [2]: > >- APIs have no authentication mechanism >- Table name is concatenated in the SQL queries > > We may need to add an authentication check similar to analytics.jag [3]: > > var authParam = request.getHeader(AUTHORIZATION_HEADER); > if (authParam != null) { > credentials = JSUtils.authenticate(authParam); > authenticationAdminStub = new > AuthenticationAdminStub(authenticationWSUrl); > authenticationAdminStub.login(credentials[0], credentials[1], > LOCALHOST); > var serviceContext = > authenticationAdminStub._getServiceClient().getLastOperationContext() > .getServiceContext(); > var sessionCookie = > serviceContext.getProperty(HTTPConstants.COOKIE_STRING); > options.setProperty(HTTPConstants.COOKIE_STRING, sessionCookie); > } else { > var token = session.get(AUTH_TOKEN); > if (token != null) { > options.setProperty(HTTPConstants.COOKIE_STRING, token); > } else { > log.error("user is not authenticated!"); > response.status = HTTP_USER_NOT_AUTHENTICATED; > print('{ "status": "Failed", "message": "User is not > authenticated." }'); > return; > } > } > > In addition we may need to avoid concatenating table names in SQL queries. > > [1] > https://github.com/wso2/product-private-paas/tree/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files > [2] > https://github.com/wso2/product-private-paas/tree/v4.1.0-rc1/extensions/das/artifacts/monitoring-dashboard/jaggery-files > [3] > https://github.com/wso2/carbon-dashboards/blob/master/apps/portal/controllers/apis/analytics.jag#L88 > > I think we may need to cancel this vote and do RC2 by fixing these > problems. > > Thanks > > On Tue, Oct 20, 2015 at 5:02 PM, Akila Ravihansa Perera < > raviha...@wso2.com> wrote: > >> Hi, >> >> This is the first release candidate of WSO2 Private PaaS 4.1.0. >> >> This release fixes the following issues: >> https://wso2.org/jira/issues/?filter=12464 >> >> Please download, test and vote. The vote will be open for 72 hours or as >> needed. >> >> *Source and binary distribution files:* >> https://svn.wso2.org/repos/wso2/scratch/PPAAS/wso2ppaas-4.1.0-rc1 >> >> *Maven staging repository:* >> http://maven.wso2.org/nexus/content/repositories/orgwso2ppaas-027/ >> >> *The tag to be voted upon:* >> https://github.com/wso2/product-private-paas/tree/v4.1.0-rc1 >> >> >> [ ] Broken - do not release (explain why) >> [ ] Stable - go ahead and release >> >> >> Thanks, >> The WSO2 Private PaaS Team >> >> ___ >> Dev mailing list >> Dev@wso2.org >> http://wso2.org/cgi-bin/mailman/listinfo/dev >> >> > > > -- > *Imesh Gunaratne* > Senior Technical Lead > WSO2 Inc: http://wso2.com > T: +94 11 214 5345 M: +94 77 374 2057 > W: http://imesh.gunaratne.org > Lean . Enterprise . Middleware > > -- Akila Ravihansa Perera WSO2 Inc.; http://wso2.com/ Blog: http://ravihansa3000.blogspot.com ___ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] [VOTE] Release WSO2 Private PaaS 4.1.0 RC1
Hi, It looks like there are two security issues in the APIs exposed by the DAS metering and monitoring dashboards [1], [2]: - APIs have no authentication mechanism - Table name is concatenated in the SQL queries We may need to add an authentication check similar to analytics.jag [3]: var authParam = request.getHeader(AUTHORIZATION_HEADER); if (authParam != null) { credentials = JSUtils.authenticate(authParam); authenticationAdminStub = new AuthenticationAdminStub(authenticationWSUrl); authenticationAdminStub.login(credentials[0], credentials[1], LOCALHOST); var serviceContext = authenticationAdminStub._getServiceClient().getLastOperationContext() .getServiceContext(); var sessionCookie = serviceContext.getProperty(HTTPConstants.COOKIE_STRING); options.setProperty(HTTPConstants.COOKIE_STRING, sessionCookie); } else { var token = session.get(AUTH_TOKEN); if (token != null) { options.setProperty(HTTPConstants.COOKIE_STRING, token); } else { log.error("user is not authenticated!"); response.status = HTTP_USER_NOT_AUTHENTICATED; print('{ "status": "Failed", "message": "User is not authenticated." }'); return; } } In addition we may need to avoid concatenating table names in SQL queries. [1] https://github.com/wso2/product-private-paas/tree/v4.1.0-rc1/extensions/das/artifacts/metering-dashboard/jaggery-files [2] https://github.com/wso2/product-private-paas/tree/v4.1.0-rc1/extensions/das/artifacts/monitoring-dashboard/jaggery-files [3] https://github.com/wso2/carbon-dashboards/blob/master/apps/portal/controllers/apis/analytics.jag#L88 I think we may need to cancel this vote and do RC2 by fixing these problems. Thanks On Tue, Oct 20, 2015 at 5:02 PM, Akila Ravihansa Pererawrote: > Hi, > > This is the first release candidate of WSO2 Private PaaS 4.1.0. > > This release fixes the following issues: > https://wso2.org/jira/issues/?filter=12464 > > Please download, test and vote. The vote will be open for 72 hours or as > needed. > > *Source and binary distribution files:* > https://svn.wso2.org/repos/wso2/scratch/PPAAS/wso2ppaas-4.1.0-rc1 > > *Maven staging repository:* > http://maven.wso2.org/nexus/content/repositories/orgwso2ppaas-027/ > > *The tag to be voted upon:* > https://github.com/wso2/product-private-paas/tree/v4.1.0-rc1 > > > [ ] Broken - do not release (explain why) > [ ] Stable - go ahead and release > > > Thanks, > The WSO2 Private PaaS Team > > ___ > Dev mailing list > Dev@wso2.org > http://wso2.org/cgi-bin/mailman/listinfo/dev > > -- *Imesh Gunaratne* Senior Technical Lead WSO2 Inc: http://wso2.com T: +94 11 214 5345 M: +94 77 374 2057 W: http://imesh.gunaratne.org Lean . Enterprise . Middleware ___ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] [VOTE] Release WSO2 Private PaaS 4.1.0 RC1
Please consider this vote as canceled. We have fixed above issues and done a new release build. We will trigger a new vote thread for 4.1.0-rc2 soon. Thanks On Wed, Oct 21, 2015 at 12:49 AM, Imesh Gunaratnewrote: > On Wed, Oct 21, 2015 at 12:22 AM, Akila Ravihansa Perera < > raviha...@wso2.com> wrote: > >> >> Please see inline. Sorry to drag this, but I think it's better to clarify >> unclear areas :) >> > > +1 > >> Yes that's true but in a such design any other external system will not >>> be able to to access the APIs using API Keys without having to integrate >>> with the same SSO solution. >>> >> >> I tend to disagree. Using a compatible Identity Provider (for eg: WSO2 >> IS) we can secure the API using multiple grant types. In this scenario API >> can be secured via SSO but not limited to that. >> >> AFAIU grant types and API keys are different. API keys can be > pre-generated for a particular user and used in a X system for accessing an > API (Example: EC2 access & secret keys). As long as X system has the API > keys it does not need to talk to an Identity Provider to obtain a token > based on a grant type. > >> >>> May be this was not clear. We do not need a login page to make a request >>> to an API endpoint which is secured with Basic Auth. We can make a HTTP >>> call with an Authorization header having credentials (Base64 encoded) via >>> HTTPS. >>> >> >> If we are going to send the Authorization header then we need to get the >> credentials from the user first. I'm not clear how you plan to implement >> this without a login screen. How do you propose to create this header in >> client request? >> >> > My concern is that when a system A is talking to a system B where system B > has a dashboard where it talks to its own API, system A does not need to > worry about the API call of system B. System A only needs a way to > authenticate to system B. System B should handle how it authenticate to its > own API. > > In an ideal situation we need to use SSO between system A and B assuming > that the enduser needs to access both systems as a part of a single > solution. However it does not mean that the API of system B should use the > same SSO system for authentication. IMO if the API of system B is generic > and needed by third party systems it should have a more user friendly > authentication system such as API Keys. > >> > > Thanks > > On Wed, Oct 21, 2015 at 12:22 AM, Akila Ravihansa Perera < > raviha...@wso2.com> wrote: > >> Hi Imesh, >> >> Please see inline. Sorry to drag this, but I think it's better to clarify >> unclear areas :) >> >> SSO can be used to authenticate the user who is accessing the monitoring/metering dashboard, thereby authenticating him to the API as well. We don't need to maintain a session token/cookie for this which is an overhead for this scenario, IMO. >>> Yes that's true but in a such design any other external system will not >>> be able to to access the APIs using API Keys without having to integrate >>> with the same SSO solution. >>> >> >> I tend to disagree. Using a compatible Identity Provider (for eg: WSO2 >> IS) we can secure the API using multiple grant types. In this scenario API >> can be secured via SSO but not limited to that. >> >> >>> Imagine Twitter has exposed set of APIs using Twitter SSO solution. Now >>> if we were to consume those APIs in a X system. This X system needs to >>> integrate with Twitter SSO solution first. IMO this is not a good design, >>> ideally those APIs should be accessible with API Keys. This is how actually >>> Twitter has exposed their APIs. >>> > If we are using basic auth, the user needs to submit the credentials via a form, which is again an overhead. Any implementation of authToken/JSESSIONID would require the user to submit credential at some layer. What I'm suggesting is to authenticate the user via SSO to the DAS dashboard, which would authenticate him to the API as well. I'm -1 on developing a separate login screen for this. >>> May be this was not clear. We do not need a login page to make a request >>> to an API endpoint which is secured with Basic Auth. We can make a HTTP >>> call with an Authorization header having credentials (Base64 encoded) via >>> HTTPS. >>> >> >> If we are going to send the Authorization header then we need to get the >> credentials from the user first. I'm not clear how you plan to implement >> this without a login screen. How do you propose to create this header in >> client request? >> >> >>> > This would not be manageable as we add entities in future I think. We can handle this internally by not using the request parameter variable to create the query. But rather choose the correct sql query conditionally based on the request parameter. This would basically result in rewriting all Jaggery files. >>> >> >> >>> >>> Yes ideally it should be the context