Task #2392 (closed)
Enhance logging and improve security of validation in SSO authentication filter
Start date: 07/15/2020
Due date:
% Done: 100%
Estimated time:
Owner:
Description
The ExtrasSsoIdmAuthenticationFilter.java has issues with validation and logging.
- In the authorize method there is:
... if (Strings.isNullOrEmpty(token)) { return true; } ..
Which means that if token is null or empty, the authorize method returns true and authorizes the user with god-knows-what privileges. Better have a defensive approach and return false there.
Fortunately, if the token is empty/null, authorize should not even get called from the core. So maybe this piece of code is useless here and may be deleted?
- The class has no useful logging at all. We should fix this to be able to check the flow. It would be handy to have DEBUG logging and to add even some INFO logging, to at least know the filter gets called.
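The following is an added illustration of the two points above (fail-open check beside a fail-closed one with INFO/DEBUG logging); it is not the project's ExtrasSsoIdmAuthenticationFilter, and the class name, the SsoTokenValidator interface and the two authorize method names are assumptions.

```java
import com.google.common.base.Strings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Illustrative class, not the project's own filter. SsoTokenValidator and
// both authorize* methods are hypothetical names used only for this example.
public class SsoFilterAuthorizeExample {

    private static final Logger LOG = LoggerFactory.getLogger(SsoFilterAuthorizeExample.class);

    /** Hypothetical stand-in for whatever actually validates the SSO token. */
    public interface SsoTokenValidator {
        boolean isValid(String token);
    }

    private final SsoTokenValidator validator;

    public SsoFilterAuthorizeExample(SsoTokenValidator validator) {
        this.validator = validator;
    }

    /** The pattern the task describes: an empty token short-circuits to "authorized". */
    public boolean authorizeFailOpen(String token) {
        if (Strings.isNullOrEmpty(token)) {
            return true; // access granted without any validation at all
        }
        return validator.isValid(token);
    }

    /** Defensive variant: an empty token is never authorized, and each step is logged. */
    public boolean authorizeFailClosed(String token) {
        LOG.info("SSO authentication filter invoked"); // shows the filter is called at all
        if (Strings.isNullOrEmpty(token)) {
            LOG.debug("SSO token missing or empty, refusing authorization");
            return false;
        }
        // Log the outcome only, never the token value itself.
        boolean valid = validator.isValid(token);
        LOG.debug("SSO token validation result: {}", valid);
        return valid;
    }
}
```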