Type: Bug
Status: Done
Resolution: Done
Affects Version/s: 5.5.2, 6.3.2
Fix Version/s: None
Component/s: Security
Labels: None
Severity: High
Regression: Yes
Summary:
When anonymous mode and HTTP SSO are both enabled, a request that should be authenticated by the HTTP SSO filter in Artifactory can be wrongly denied (401) if an anonymous request from the same IP arrived before it.
More detail:
With HTTP SSO and anonymous mode enabled, a request that is not covered by a cached session cookie (the cookie holds the authenticated session for the cache period) results in 401 if an anonymous request was sent before it.
This happens because the HTTP SSO filter's authentication flow does not take the configured HTTP SSO header (e.g. REMOTE_USER) into account when it checks for a cached authentication.
Instead, the Authorization header is mistakenly used for the lookup, so when a previously made anonymous request has already left a cached UI authentication behind, that anonymous authentication is reused and the SSO header is ignored.
Workarounds:
1. Disable anonymous mode (if that is acceptable for the environment)
2. Decrease the artifactory.security.authentication.cache.idleTimeSecs system property from its default of 5 minutes (300 seconds) to a lower value, so that a stale cached anonymous authentication expires sooner
Steps to reproduce:
With curl:
1. Make sure that:
There is no cached authentication left from previous requests through the HTTP SSO filter (you can also lower artifactory.security.authentication.cache.idleTimeSecs from its 5 minute default; restart Artifactory if needed to clear the cache faster)
2. curl -H "REMOTE_USER: admin" -I http://localhost:8081/artifactory/ui/generalConfig
HTTP/1.1 200 OK
3. curl -I http://localhost:8081/artifactory/ui/generalConfig
HTTP/1.1 401 Unauthorized
^^^ Expected as this requires admin auth
4. curl -H "REMOTE_USER: admin" -I http://localhost:8081/artifactory/ui/generalConfig
HTTP/1.1 401 Unauthorized
^^^ Unexpected as the correct creds are sent
With a web browser:
- To reproduce this you can use a browser add-on that adds request headers, or a reverse proxy that forwards the HTTP SSO header.
1. Make sure that:
a. There is no cached authentication left from previous requests through the HTTP SSO filter (you can also lower artifactory.security.authentication.cache.idleTimeSecs from its 5 minute default)
- restart Artifactory if needed to clear the cache faster
b. There is no SESSION cookie in your browser session
2. First access the URL as the anonymous user:
http://artifactory_url/artifactory/ui/generalConfig
3. Now access the same URL again with your HTTP SSO header set (this should be authenticated):
http://artifactory_url/artifactory/ui/generalConfig
The request results in a 401.
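The following is an added illustration, not code from this issue or from Artifactory: a simplified Python model of the cache lookup described under "More detail" and of the curl steps above. It shows why the order of the anonymous and SSO requests matters, why the HTTP SSO header must be part of the cache lookup, and why both workarounds help. The names (AuthCache, handle_request, run_repro, run_anon_first), the cache-key layout and the simulated clock are assumptions chosen to match the behaviour the issue describes, not Artifactory's actual implementation.

```python
"""Simplified model of the HTTP SSO / anonymous-mode cache interaction described
in this issue. Added illustration only: AuthCache, handle_request, run_repro and
run_anon_first are hypothetical names, not Artifactory's code, and the cache-key
layout is an assumption made to match the behaviour the issue describes."""
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"
# artifactory.security.authentication.cache.idleTimeSecs defaults to 5 minutes.
DEFAULT_IDLE_SECS = 300.0


@dataclass
class AuthCache:
    """Cache of authenticated principals with an idle timeout (simulated clock)."""
    idle_time_secs: float = DEFAULT_IDLE_SECS
    entries: dict = field(default_factory=dict)  # key -> (principal, last_access)

    def get(self, key, now):
        hit = self.entries.get(key)
        if hit is None:
            return None
        principal, last = hit
        if now - last > self.idle_time_secs:
            del self.entries[key]  # idle entry expired (workaround 2 relies on this)
            return None
        self.entries[key] = (principal, now)
        return principal

    def put(self, key, principal, now):
        self.entries[key] = (principal, now)


def handle_request(headers, cache, now, *, client_ip, sso_header="REMOTE_USER",
                   anonymous_enabled=True, fixed=False):
    """Return the HTTP status for a request to an admin-only UI endpoint."""
    sso_user = headers.get(sso_header)
    auth_hdr = headers.get("Authorization")  # Basic auth itself is out of scope here
    if sso_user:
        # HTTP SSO filter. Buggy flow: the cached principal is looked up by client
        # and Authorization header only, so the SSO header is never consulted when
        # an earlier anonymous request from the same client left an entry behind.
        # Fixed flow: the configured SSO header value is part of the key.
        key = (client_ip, auth_hdr, sso_user) if fixed else (client_ip, auth_hdr)
        principal = cache.get(key, now)
        if principal is None:
            principal = sso_user
            cache.put(key, principal, now)
    else:
        if not anonymous_enabled:
            return 401  # workaround 1: nothing gets cached for this client
        principal = ANONYMOUS
        cache.put((client_ip, auth_hdr), principal, now)
    return 200 if principal == "admin" else 401


def run_repro(*, fixed=False, anonymous_enabled=True,
              idle_time_secs=DEFAULT_IDLE_SECS, gap_secs=0.0):
    """Replay curl steps 2-4 from the issue and return their status codes."""
    cache = AuthCache(idle_time_secs=idle_time_secs)
    opts = dict(client_ip="127.0.0.1", anonymous_enabled=anonymous_enabled, fixed=fixed)
    sso, anon = {"REMOTE_USER": "admin"}, {}
    statuses = [handle_request(sso, cache, 0.0, **opts)]                 # step 2
    statuses.append(handle_request(anon, cache, 1.0, **opts))            # step 3
    statuses.append(handle_request(sso, cache, 2.0 + gap_secs, **opts))  # step 4
    return statuses


def run_anon_first(*, fixed=False):
    """The ordering from the summary: anonymous request first, then the SSO request."""
    cache = AuthCache()
    opts = dict(client_ip="127.0.0.1", fixed=fixed)
    return [handle_request({}, cache, 0.0, **opts),
            handle_request({"REMOTE_USER": "admin"}, cache, 1.0, **opts)]


if __name__ == "__main__":
    print("buggy:", run_repro())                                    # [200, 401, 401]
    print("fixed:", run_repro(fixed=True))                          # [200, 401, 200]
    print("workaround 1:", run_repro(anonymous_enabled=False))      # [200, 401, 200]
    print("workaround 2:", run_repro(idle_time_secs=1.0, gap_secs=5.0))  # [200, 401, 200]
    print("anon first, buggy/fixed:", run_anon_first(), run_anon_first(fixed=True))
```

Running the script replays the three curl steps against the buggy and the fixed lookup: the buggy flow returns 401 for step 4 because the anonymous request overwrote the cached entry under the key the SSO filter checks, while the fixed flow, disabling anonymous access, or letting the entry idle out all return 200.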
relates to:
RTFACT-14519 Potential memory leak when HTTP SSO is configured (Done)