Artifactory Binary Repository
RTFACT-17456

HTTP SSO filter uses wrong header, causes post anonymous requests to result with 401


    Details

    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Affects Version/s: 5.5.2, 6.3.2
    • Fix Version/s: 7.5.0
    • Component/s: Security
    • Labels: None
    • Severity: High
    • Regression: Yes

      Description

      Summary:

      When anonymous mode and HTTP SSO are both enabled, a request that is supposed to be authenticated by the HTTP SSO filter in Artifactory can be wrongly denied (401) if an anonymous request from the same IP arrived before it.

      More detail:

      When HTTP SSO is used and anonymous mode is enabled, requests that are not cookie-cached (a cookie holds the authentication for its period) result in a 401 if an anonymous request was sent before them.

      This happens because the configured HTTP SSO authentication header (e.g. REMOTE_USER) is not taken into account in the HTTP SSO filter authentication flow.

      Instead, the Authorization header is mistakenly used when there is already a cached UI authentication for a previously made anonymous request.

      Workarounds:

      1. Disable anonymous mode (if that is acceptable for the environment).
      2. Decrease artifactory.security.authentication.cache.idleTimeSecs from its default of 5 minutes to a lower value.

      Steps to reproduce:

      With curl:

      1. Make sure that there is no cached authentication from previous requests authenticated by the HTTP SSO filter (you can also decrease the internal cache expiry time, security.authentication.cache.idleTimeSecs, from its default of 5 minutes); restart Artifactory if needed to clear the cache faster.

      2. curl -H "REMOTE_USER: admin" -I http://localhost:8081/artifactory/ui/generalConfig

      HTTP/1.1 200 OK

      3. curl -I http://localhost:8081/artifactory/ui/generalConfig

      HTTP/1.1 401 Unauthorized

      ^^^ Expected, as this endpoint requires admin authentication

      4. curl -H "REMOTE_USER: admin" -I http://localhost:8081/artifactory/ui/generalConfig

      HTTP/1.1 401 Unauthorized

      ^^^ Unexpected, as the correct credentials are sent
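An added check script (not JFrog's code or part of the issue) that drives the three curl requests above and classifies the outcome; it assumes curl is installed, uses the REMOTE_USER header and admin user from the steps above, and only contacts a server when ARTIFACTORY_URL is set.

```shell
#!/bin/sh
# Added example (not JFrog's code): runs the issue's three-request curl sequence
# against an Artifactory instance and reports whether the regression is present.
# Assumes curl is installed; the SSO header name (REMOTE_USER) and user (admin)
# follow the issue and can be overridden with SSO_HEADER / SSO_USER.

# Print the HTTP status code of a HEAD request. $1 = URL, $2 = optional header.
status_of() {
    if [ -n "$2" ]; then
        curl -s -o /dev/null -w '%{http_code}' -I -H "$2" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' -I "$1"
    fi
}

# Classify the three observed codes (SSO, anonymous, SSO again).
# A fixed build gives 200 401 200; the regression gives 200 401 401.
classify() {
    sso1=$1; anon=$2; sso2=$3
    if [ "$sso1" != 200 ]; then
        echo "inconclusive: first SSO request returned $sso1 (HTTP SSO enabled? header name right?)"
    elif [ "$anon" != 401 ]; then
        echo "inconclusive: anonymous request returned $anon (endpoint should require admin)"
    elif [ "$sso2" = 401 ]; then
        echo "affected"
    elif [ "$sso2" = 200 ]; then
        echo "not affected"
    else
        echo "inconclusive: second SSO request returned $sso2"
    fi
}

# Run the sequence against $1. Start from a cold authentication cache (step 1).
run_check() {
    hdr="${SSO_HEADER:-REMOTE_USER}: ${SSO_USER:-admin}"
    s1=$(status_of "$1" "$hdr")
    s2=$(status_of "$1")
    s3=$(status_of "$1" "$hdr")
    echo "statuses: $s1 $s2 $s3"
    classify "$s1" "$s2" "$s3"
}

# Only contact a server when ARTIFACTORY_URL is set, e.g.
#   ARTIFACTORY_URL=http://localhost:8081/artifactory/ui/generalConfig sh sso-cache-check.sh
if [ -n "$ARTIFACTORY_URL" ]; then
    run_check "$ARTIFACTORY_URL"
fi
```

Run it once before and once after upgrading to the fix version; "affected" means the second SSO request was denied exactly as in step 4.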

      With a web browser:

      • You can use a browser add-on that sends custom headers, or a reverse proxy that forwards the HTTP SSO header, to reproduce this.

      1. Make sure that:

      a. There is no cached authentication from previous requests authenticated by the HTTP SSO filter (you can also decrease the internal cache expiry time, security.authentication.cache.idleTimeSecs, from its default of 5 minutes); restart Artifactory if needed to clear the cache faster.

      b. There is no SESSION cookie for your browser session.

      2. Use your web browser to access the following URL as the anonymous user first:

      http://artifactory_url/artifactory/ui/generalConfig

      3. Now access the same URL again with your HTTP SSO header set (this should be authenticated):

      http://artifactory_url/artifactory/ui/generalConfig

      The request results in a 401.

                People

                Assignee: Barak Hacham (barakh)
                Reporter: Andrei Komarov (andreik)
                Votes: 2
                Watchers: 7