Defect Metrics

Statistics on the results
Ranking
Defect Report
Classification
Defect Report
  • 16 Defects:
  • 6 major defects, and
  • 10 other defects
  • from 1014 comments

Search Criteria

Search for comments

Search Criteria

Project
Comment content
Review PermaId
After
Before
Comment Author
Search Type
Search Type:
Review State
Review State:
Metrics:
Metric Ranking
Metric Classification
Submit

Crucible - Comment Search

  •  

Comment Results

Review Name Created Custom Fields Content
CR-8 26 Apr 2010

Issue 4909 was due to a security concern - reverting the change means reintroducing the security concern (session ID reuse). If the code doesn't work then it's a string reason to change something, but we shouldn't leave this hanging.

Do you either disagree with the original security concern, or have a proposal for a different way to handle this concern?
CR-8 26 Apr 2010

A bit more detail on this:

"Session fixation attacks are possible on a shared desktop where a attacker
pregenerates an INVALID session and then tricks a valid user to authenticate.
As a result both the attacker and the valid user have a valid session.
Automated vulnerability testers like WhiteHat flag this issue as a security hole."

An alternate fix was proposed at the same time:

"b) Use hidden fields to maintain pre-authn state - instead of a invalid session
on the server."

PS: There should be a JIRA issue linked to this, right?

CR-5 26 Apr 2010

The same problem may be present in other code. A brief search for "Logger.getLogger" gave a lot of hits - OPENAM-72 has been created for this purpose.
CR-5 26 Apr 2010

Please assign me to issue OPENAM-72, and I will fix them too.
CR-5 26 Apr 2010

This actually is not fixing the problem, just causes more trouble. If you check the context then you can see, that the loggerExists is depending on the getLoggerNames method, which returns the names for non-existing references as well. The attached new patch will really solve this...
CR-8 27 Apr 2010

We believe the original security attack is false.

"shared desktop where a attacker pregenerates an INVALID session and then tricks a valid user to authenticate. "

You cannot pregenerate an INVALID session, you can generate a OpenAM session that's state is invalid. Typically you will have 120 seconds to do the following:

a) The attacker accesses the Auth UI
b) The attacker captures the SSOTokenID by writing down the SSOTokenID
c) The attacker then finds someone to login within the amount of time left who failed to see this from happening.

We just don't see this as a realistic attack vector and the fix was to break the original OpenAM architecture.
CR-5 27 Apr 2010

if the lm.getLogger() returns Null, it means the logger has been thrown away. If we recreate the logger, does the lm.addLogger() in line 461 handle the case that it is already in the lm, and update the reference?
CR-5 27 Apr 2010

The java.util.logging.LogManager#getLogger checks whether the weak referenced object is null, and if it is, then it removes from the loggers Hashtable, so when the execution is on line 461, then the whole thing will work as there was never such named Logger at all.
CR-8 27 Apr 2010

I cannot find a way of selectively changing the permissions for this review.
As I want to discuss a possible security flaw in detail then I'll continue this by email.
CR-8 27 Apr 2010

Decision reached: review complete, OPENAM-75 created.
CR-15 03 May 2010

OPENAM-70
CR-14 03 May 2010

OPENAM-57
CR-13 03 May 2010

OPENAM-54 and OPENAM-78
CR-12 03 May 2010

OPENAM-54
CR-11 03 May 2010

OPENAM-51
CR-10 03 May 2010

OPENAM-51 and OPENAM-78
CR-7 03 May 2010

OPENAM-40
CR-6 05 May 2010

This review is empty - I think one of your test reviews that can be deleted?
CR-10 05 May 2010

I linked this to the CR-13 review as the same changeset seems to apply to both issues/reviews
CR-10 05 May 2010

finalURL cannot be "" at this point, ref block in lines 546-549 of the changed version 

                if(finalURL == null || finalURL.equals("")) {
                   showError(response,"GOTO or TARGET parameter is missing"
                       +" in the request");
                   return;
                }
CR-10 05 May 2010

We are making it illegal to include any parameters in the loginURI parameter then since we append a question mark
I.e.: you cannot specify loginURI=%2fUI%2fLogin%3fservice%3dMyChain

Is there any other way to specify service, module, realm etc? And do we need this?
CR-11 05 May 2010

As for the CDCClientServlet, how can we specify service, realm, method etc? I realise this was not possible before either so perhaps best left to a separate issue?
CR-12 06 May 2010

I'm not keen on returning multiple values in an array with magic indices, but it's a private method and I can see why splitting into two methods or using an inner class would be cumbersome. So probably the best solution given the situation.

CR-13 06 May 2010

Crucible has gone wierd on me and is not showing any code changes.
From what I could see then this looks fine
CR-14 06 May 2010

I can't see what has changed - the issue doesn't seem to be linked to a commit/changeset/patch file.
CR-15 06 May 2010

I have successfully used this property before on the main server. I don't see it in the JIRA description but from the commit, I am assuming that the core functionality has not been broken and that it is only a DistUI issue.
CR-10 06 May 2010

The functionality is not required from this integration. The policy advice params for the auth UI are preserved in the request.
CR-10 06 May 2010

yes this was wrong, it should be loginURI rather than finalURL
CR-11 06 May 2010

Not originally part of the RFE, but the policy advice list should contain these parameters
CR-12 06 May 2010

Yes a complex type would of been more cumbersome.
CR-14 06 May 2010

http://sources.forgerock.org/viewrep/openam/trunk/opensso/products/federation/openfm/source/com/iplanet/services/cdc/client/CDCClientServlet.java?r1=42&r2=45

This shows the fixed code.
CR-15 06 May 2010

Yes, this was a problem only on the DAS
CR-14 06 May 2010

Thanks, looks fine
CR-17 08 May 2010

I read this method name first as the method that will return the same DN regardless of the original case, i.e. changing it if necessary.
Perhaps "normalizeDNMaintainingCase" is more descriptive?
CR-19 08 May 2010

I would delete this comment and let subversion take care of the history
CR-19 08 May 2010

Logout
CR-36 17 May 2010

Copyright message appears twice
CR-36 17 May 2010

Looks good to me, just one question I am not sure what happens with the "bindings" ?
CR-45 04 Jun 2010

Maybe this try-catch should be moved to a separate method, since this always does the same thing.
CR-45 04 Jun 2010

This patch looks great, but I don't seem to see any logic, that resets the retryRunLogin boolean (so maybe this is only doable once or will there be a new AuthContext for the new retry?)
CR-46 04 Jun 2010

Looks fine to me.
CR-46 04 Jun 2010

Looks fine to me too
CR-47 05 Jun 2010

If the previous section throwed an exception, then ldc is still null, so this try-catch could throw NPE, right?
CR-47 05 Jun 2010

Well in general this solution is better, then the original was, but this solution does not care with sites and servers, so if the next in the list is on the other site, it would connect to it, even if later in the list there is a server from the same site. (??)
CR-7 07 Jun 2010

Looks good to me.
CR-8 07 Jun 2010

If this commit stays in trunk, then it is really critical to fix OPENAM-89 for the next release.
CR-45 07 Jun 2010

I didn't think it was much code, its the last chance to get an admin token
CR-45 07 Jun 2010

okay, I'm just saying, you wrote the very same code 3 times in a single patch. I'm thinking something like:
private SSOToken getAdminToken() {
SSOToken adminToken = null;
try {
adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
} catch (AMSecurityPropertiesException aspe) {
if (authDebug.errorEnabled()) {
authDebug.error("AuthContext::getAdminToken: unable to get app ssotoken " + aspe.getMessage); //maybe attaching stacktrace too
}
}
return adminToken;
}

but if it's only used here, then maybe it's not necessary at all.
CR-45 07 Jun 2010

retryRunLogin is set to true initially and then in the catch it gets set to false so the recursive call should only happen once. I was trying to avoid having the invalid app sso token being thrown to the client whilst keeping the impact to the existing code to a minimium
CR-45 07 Jun 2010

the question was more about, if it's setted only once true, then what happens in the following situation?

  • openam container stops
  • openam container starts, and the clientsdk protected app gets a new token and retryRunLogin is now false
  • openam container stops
  • openam container starts, -> is the retryRunLogin still false, or will there be a new AuthContext instance (so the retryRunLogin is true again)?