Crowd Data Center / CWD-2974

'User-Agent' not taken into account by Crowd when validating SSO token with the REST API


Details

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: High
    • Fix Version/s: None
    • Affects Version/s: 2.5.1
    • Component/s: SSO
    • Labels: None

    Description

      When generating an SSO token, Crowd should hash both the Remote Address and the User Agent but it seems that Crowd 2.5.1 isn't using the User-Agent for authentication when generating an SSO token using the REST API.

      If one requests an SSO token using 'Firefox' as the User Agent and then tries to validate the returned SSO token with 'IE' as the User Agent, Crowd does not return any error. Examples of the two HTTP requests can be seen below:

      First request: ask Crowd to create an SSO token:

       
      POST /crowd/rest/usermanagement/latest/session HTTP/1.1
      Content-Type: application/xml
      
      <?xml version="1.0" encoding="UTF-8"?>
      <authentication-context>
        <username>homer</username>
        <password>password</password>
        <validation-factors>
          <validation-factor>
            <name>User-Agent</name>
            <value>Firefox</value>
          </validation-factor>
        </validation-factors>
      </authentication-context>
      

      Crowd returns:

      HTTP/1.1 201 Created
      Server: Apache-Coyote/1.1
      X-Embedded-Crowd-Version: Crowd/2.5.1
      X-Crowd-User-Management-Version: 1.2
      Set-Cookie: JSESSIONID=EE9AA13C6188234A64CB1216E53D8AFD; Path=/crowd
      Cache-Control: no-cache, no-store, no-transform
      Location: http://localhost:8095/crowd/rest/usermanagement/latest/session/kyHw09WHXxSFHSrStseQgQ00
      Content-Type: application/xml
      Content-Length: 366
      Date: Fri, 09 Nov 2012 16:05:24 GMT
      Connection: close
      
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?><session expand="user"><token>kyHw09WHXxSFHSrStseQgQ00</token><user name="homer"><link rel="self" href="http://localhost:8095/crowd/rest/usermanagement/latest/user?username=homer"/></user><link rel="self" href="http://localhost:8095/crowd/rest/usermanagement/latest/session/kyHw09WHXxSFHSrStseQgQ00"/></session>
      

      Second request: ask Crowd to validate this token but pass a different User-Agent:

      POST /crowd/rest/usermanagement/latest/session/kyHw09WHXxSFHSrStseQgQ00 HTTP/1.1
      Content-Type: application/xml
      
      <?xml version="1.0" encoding="UTF-8"?>
      <validation-factors>
        <validation-factor>
          <name>User-Agent</name>
          <value>ie</value>
        </validation-factor>
      </validation-factors>
      

      Crowd accepts the token (despite the incorrect User Agent), which suggests that this is a serious security issue, as it is no longer hashing the User Agent:

      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      X-Embedded-Crowd-Version: Crowd/2.5.1
      X-Crowd-User-Management-Version: 1.2
      Set-Cookie: JSESSIONID=ECF61E962CD3F857ED2E0DFAC6041961; Path=/crowd
      Cache-Control: no-cache, no-store, no-transform
      Content-Type: application/xml
      Content-Length: 366
      Date: Fri, 09 Nov 2012 16:06:02 GMT
      Connection: close
      
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?><session expand="user"><token>kyHw09WHXxSFHSrStseQgQ00</token><user name="homer"><link rel="self" href="http://localhost:8095/crowd/rest/usermanagement/latest/user?username=homer"/></user><link rel="self" href="http://localhost:8095/crowd/rest/usermanagement/latest/session/kyHw09WHXxSFHSrStseQgQ00"/></session>
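
      A check an administrator can run against their own Crowd instance to see whether it behaves as described in this report, added here as an example and not part of the report or of Atlassian's code: it builds the two request bodies shown above, creates a session with User-Agent=Firefox, then validates the returned token with User-Agent=ie and reports whether the second call was refused. The base URL, user credentials and application credentials are placeholders, and calling the REST API with application credentials over HTTP basic auth is an assumption of this example.

```python
# Added example, not Atlassian's code; the base URL and credentials are placeholders.
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SESSION_URL = "/crowd/rest/usermanagement/latest/session"  # path used in the report

def build_validation_factors(factors):
    """Build a <validation-factors> element from a {name: value} dict."""
    vf = ET.Element("validation-factors")
    for name, value in factors.items():
        f = ET.SubElement(vf, "validation-factor")
        ET.SubElement(f, "name").text = name
        ET.SubElement(f, "value").text = value
    return vf

def build_auth_context(username, password, factors):
    """Build the <authentication-context> body that creates a session."""
    root = ET.Element("authentication-context")
    ET.SubElement(root, "username").text = username
    ET.SubElement(root, "password").text = password
    root.append(build_validation_factors(factors))
    return ET.tostring(root, encoding="unicode")

def parse_token(session_xml):
    """Extract <token> from a <session> response body (bytes as read from the socket)."""
    return ET.fromstring(session_xml).findtext("token")

def post_xml(url, body, auth_header):
    """POST XML with application basic auth (an assumption); return (status, body) even on 4xx/5xx."""
    headers = {"Content-Type": "application/xml", "Authorization": auth_header}
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def factor_is_bound(create_status, validate_status):
    """True only if a session was created and the mismatched validation was refused."""
    return create_status == 201 and validate_status is not None and validate_status >= 400

def run_check(base_url, auth_header, username, password):
    """Create a token with User-Agent=Firefox, then validate it with User-Agent=ie."""
    body = build_auth_context(username, password, {"User-Agent": "Firefox"})
    status, resp = post_xml(base_url + SESSION_URL, body, auth_header)
    if status != 201:
        return status, None  # no session was created, so there is nothing to validate
    factors = ET.tostring(build_validation_factors({"User-Agent": "ie"}), encoding="unicode")
    return status, post_xml(f"{base_url}{SESSION_URL}/{parse_token(resp)}", factors, auth_header)[0]
```

      Pass the two statuses returned by run_check to factor_is_bound: on the 2.5.1 server in this report the second call returns 200, so the result is False.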
      

            People

              dberrueta Diego Berrueta
              jinder John Inder [Atlassian] (Inactive)