
UrlParameterAuthenticationHandler uses the wrong URI parameter as a security token


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0.0-RC2
    • Component/s: Java
    • Labels: None

    Description

      The UrlParameterAuthenticationHandler contains the following lines:

      // OAuth token as a param
      if (token == null && request.isSecure()) {
        token = request.getParameter(OAUTH2_TOKEN_PARAM);
      }

      We are using an AuthenticationHandler that manages the Shindig-specific authentication token and another one that manages OAuth. If no Shindig token (st=...) parameter is present, the Shindig-specific AuthenticationHandler should not be used. That works fine, as long as the request goes through HTTP.

      Now, with an oauth request using https, this AuthenticationHandler suddenly kicks in and tries to decode the oauth token (which has nothing to do with our secure token) as a secure token and the AuthenticationHandler then reports an invalid or tampered filter.

      This might be a case of "the OAuth filter should run before the Shindig-specific filter", but I think that these three lines should not be in the UrlParameterAuthenticationHandler, because they try to mix up two separate things.
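      The handler chain the report describes, as an added illustration that is not Shindig's own code: a Shindig-style URL-parameter handler that falls back to the OAuth2 parameter on HTTPS (the quoted lines) sits beside a hardened form that only consumes its own st parameter, and a separate toy OAuth2 handler follows it in the chain. The Request stand-in, the parameter name oauth_token, the "st:<owner>:<mac>" token format and the table of issued OAuth2 tokens are all constructed for this example.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added illustration of the behaviour described in SHINDIG-1361; none of this is Shindig code.
// Request is a stand-in for HttpServletRequest so the example runs without a servlet container.
final class Request {
    private final Map<String, String> params = new HashMap<>();
    private final boolean secure;

    Request(boolean secure) { this.secure = secure; }

    Request param(String name, String value) { params.put(name, value); return this; }

    boolean isSecure() { return secure; }

    String getParameter(String name) { return params.get(name); }
}

// Thrown when a handler recognises its own parameter but cannot validate the value.
final class InvalidAuthenticationException extends Exception {
    InvalidAuthenticationException(String message) { super(message); }
}

interface AuthenticationHandler {
    // Returns the authenticated principal, or null when the request carries no token for this
    // scheme so that the next handler in the chain gets a turn.
    String authenticate(Request request) throws InvalidAuthenticationException;
}

// Mirrors the lines quoted in the report: on HTTPS it also reads the OAuth2 parameter and then
// tries to decode that value as a Shindig security token.
final class UrlParameterHandlerBefore implements AuthenticationHandler {
    static final String SECURITY_TOKEN_PARAM = "st";
    static final String OAUTH2_TOKEN_PARAM = "oauth_token"; // assumed parameter name

    public String authenticate(Request request) throws InvalidAuthenticationException {
        String token = request.getParameter(SECURITY_TOKEN_PARAM);
        if (token == null && request.isSecure()) {
            token = request.getParameter(OAUTH2_TOKEN_PARAM);
        }
        return token == null ? null : SecurityTokenCodec.decode(token);
    }
}

// Hardened form: only the parameter that belongs to this scheme is ever consumed.
final class UrlParameterHandlerAfter implements AuthenticationHandler {
    public String authenticate(Request request) throws InvalidAuthenticationException {
        String token = request.getParameter(UrlParameterHandlerBefore.SECURITY_TOKEN_PARAM);
        return token == null ? null : SecurityTokenCodec.decode(token);
    }
}

// Toy OAuth2 handler: looks the bearer value up in a constructed table of issued tokens.
final class OAuth2Handler implements AuthenticationHandler {
    private static final Map<String, String> ISSUED = Map.of("tok-7f3a", "oauth-user@example");

    public String authenticate(Request request) throws InvalidAuthenticationException {
        String token = request.getParameter(UrlParameterHandlerBefore.OAUTH2_TOKEN_PARAM);
        if (token == null) return null;
        String owner = ISSUED.get(token);
        if (owner == null) throw new InvalidAuthenticationException("unknown OAuth2 token");
        return owner;
    }
}

// Constructed security-token format "st:<owner>:<mac>"; a real codec would verify the MAC.
final class SecurityTokenCodec {
    static String decode(String token) throws InvalidAuthenticationException {
        String[] parts = token.split(":");
        if (parts.length != 3 || !parts[0].equals("st")) {
            throw new InvalidAuthenticationException("invalid or tampered security token");
        }
        return parts[1];
    }
}

public final class HandlerChainDemo {
    // First handler that claims the request wins; a handler that claims it but fails rejects it.
    static String run(List<AuthenticationHandler> chain, Request request)
            throws InvalidAuthenticationException {
        for (AuthenticationHandler h : chain) {
            String principal = h.authenticate(request);
            if (principal != null) return principal;
        }
        return "anonymous";
    }

    public static void main(String[] args) {
        Request oauthOverHttps = new Request(true).param("oauth_token", "tok-7f3a");
        List<AuthenticationHandler> before = List.of(new UrlParameterHandlerBefore(), new OAuth2Handler());
        List<AuthenticationHandler> after = List.of(new UrlParameterHandlerAfter(), new OAuth2Handler());
        try {
            System.out.println("after:  " + run(after, oauthOverHttps));
            System.out.println("before: " + run(before, oauthOverHttps));
        } catch (InvalidAuthenticationException e) {
            System.out.println("before: rejected, " + e.getMessage());
        }
    }
}
```

      With the hardened handler first in the chain, the HTTPS request carrying only oauth_token passes through to the OAuth2 handler and resolves to the token's owner. With the handler that contains the quoted fallback, the same request is picked up by the security-token handler, the OAuth2 value fails to decode as an st token, and the request is rejected before the OAuth2 handler ever sees it, which is the failure the report describes. Each handler consuming only its own parameter is what makes handler order irrelevant here.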

      People

        Assignee: Unassigned
        Reporter: Henning Schmiedehausen (henning)