cxf-issues mailing list archives

From "Glen Mazza (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CXF-2873) Add authentication support (via HTTP basic authentication)
Date Sun, 04 Jul 2010 22:10:49 GMT

    [ https://issues.apache.org/jira/browse/CXF-2873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12885083#action_12885083 ]

Glen Mazza commented on CXF-2873:
---------------------------------

Well these SOAP requests and responses viewable from the logs can contain incredibly sensitive
information, especially username and password if UsernameToken plaintext passwords are being
used over SSL for the SOAP requests.    Or the sensitive data within the SOAP body.  So we
should be careful in dismissing this as "just would like to view logs".

Also, it is important for the integrity of the CXF project, even if it inconveniences developers
working with it, not to allow itself to be used in a way that can expose sensitive data if
the developers working with it are not particularly careful or rigorous.  So if Lazy Sloppy
Developer using CXF wants to implement this log viewer using basic auth over plain HTTP, *no*,
CXF should not allow itself to be used that way.  (It is similar to the Metro project programmatically
not allowing plaintext UsernameToken over plain HTTP even if Lazy Sloppy Developer wants it
that way--it serves as a form of protection of the users of Lazy Sloppy Developer's system.)

CXF--and I suspect, Metro--hasn't yet been able to develop a proper nonce caching mechanism
for UsernameToken with hashed passwords for regular SOAP requests and responses, so we can't
expect Tomasz all of a sudden to do this for us.  I think this would be sidetracking his project
even if he could pull it off sufficiently rigorously.

Requiring SSL for the log viewer if you're using Basic Auth is very simple[1] nowadays (that
Dec. 2003 article you linked to implying otherwise does not hold so much today--it was meant
for Apache Web Server in 2003, not Tomcat in 2010), so I think that is what Tomasz should
go with, i.e., disallow Basic Auth over port 80(*), and then continue on with his work.  Afterwards,
if he has the time and desire he can implement Digest Access authentication (certainly educational,
as he would have to develop a nonce caching system) -- that would allow for use of port 80
in a secure fashion.  Alternatively I guess he could do UsernameToken w/noncing, but nowadays
I think that is just for SOAP requests and responses.

[1] http://www.jroller.com/gmazza/entry/setting_up_ssl_and_basic

(*) Can he do this--require his log viewer to be using SSL, or would that still be left to
the prerogative of the CXF User?  It may be sufficient for the web.xml that will come along
with his viewer to explicitly state the SSL requirement, as I've shown in [1] above, and leave
it to Lazy Sloppy Developer to remove that requirement if he unfortunately chooses.

> Add authentication support (via HTTP basic authentication)
> ----------------------------------------------------------
>
>                 Key: CXF-2873
>                 URL: https://issues.apache.org/jira/browse/CXF-2873
>             Project: CXF
>          Issue Type: Sub-task
>            Reporter: Tomasz Oponowicz
>


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
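The comment above proposes that the log viewer's web.xml itself declare the SSL requirement so Basic credentials are never sent over plain HTTP. The deployment descriptor below is an added illustration, not code from the CXF project or from Glen Mazza's linked article; the application name, url-pattern and role name are assumptions. The `user-data-constraint` with `transport-guarantee` set to `CONFIDENTIAL` is what makes the container refuse (or redirect) plain-HTTP requests before it ever issues the Basic challenge.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative web.xml for a hypothetical log-viewer web application.
     display-name, url-pattern and role-name are assumptions for this example. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <display-name>log-viewer</display-name>

  <security-constraint>
    <!-- Every URL served by the viewer is protected ... -->
    <web-resource-collection>
      <web-resource-name>Log viewer</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- ... callers must hold the "logviewer" role ... -->
    <auth-constraint>
      <role-name>logviewer</role-name>
    </auth-constraint>
    <!-- ... and the request must arrive over a confidential (SSL/TLS) transport.
         The container evaluates this constraint before authenticating, so a
         request on the plain HTTP connector is redirected to the HTTPS connector
         (or refused if none is configured) and the base64-encoded
         username:password from Basic auth never crosses the wire in the clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- HTTP Basic authentication, only ever issued after the transport check -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Log viewer</realm-name>
  </login-config>

  <security-role>
    <role-name>logviewer</role-name>
  </security-role>
</web-app>
```

For this to work on Tomcat, server.xml must define an HTTPS connector and the plain HTTP connector's `redirectPort` must point at it; otherwise requests on port 80 are rejected rather than redirected. The `logviewer` role must also be mapped to users in whatever realm the container uses. As the comment notes, a deployer can still delete the `user-data-constraint` element, so this protects against carelessness rather than deliberate removal.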

