jackrabbit-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Felix Meschberger (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JCR-2919) Security of token base authentication
Date Fri, 23 Sep 2011 12:58:27 GMT

    [ https://issues.apache.org/jira/browse/JCR-2919?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13113396#comment-13113396

Felix Meschberger commented on JCR-2919:

> System.getProperty(NodeIdFactory.SEQUENTIAL_NODE_ID)

Are you kidding ? Are we really configuring this through system properties ?

> Security of token base authentication
> -------------------------------------
>                 Key: JCR-2919
>                 URL: https://issues.apache.org/jira/browse/JCR-2919
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-core, security
>    Affects Versions: 2.3.0
>            Reporter: Michael Dürig
>            Assignee: angela
>             Fix For: 2.3.0
> Token based authentication as implemented with JCR-2851 seems to exhibit a security issue:
the token returned by the server consists of the identifier of a (newly created) node in the
repository. An attacker who is able to guess (or acquire by other means i.e. via log files)
that identifier will be granted access to the repository. Worse yet, JCR-2857 introduces sequential
node ids. Guessing is a piece of cake in such a setup.
> I think we should decouple authentication secrets from node ids. A simple solution would
be to store the secret in a token attribute and delegate generation of the secret to a dedicated
handler. Such a handler can then use a secure random generator, private/public key encryption
or whatever other method that is deemed appropriate to generate the authentication secret.

> Initial discussion see: http://markmail.org/thread/aspetgvmj2qud25a

This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message