Posted to users@isis.apache.org by Christopher Fairhall <Ch...@msd.govt.nz> on 2014/09/08 05:27:02 UTC

Authorisation not working in Isis 1.3

We've got an Isis application that has failed a security review.

The security provider is Shiro. The UI is Wicket.

When a user with an admin role logs in, they get access to functionality not available to standard users.
However, if a standard user types in the URL to one of the admin pages, they get access to it.

It appears the permissions are only checked when rendering the menus and not when executing the action.
Essentially any authenticated user can bypass authorisation.

The permissions are correctly checked when accessing the services through the Restful interface.

Is this a known issue? I did not see anything in the 1.4, 1.5 or 1.6 release notes that would cover it either.


-------------------------------
This email and any attachments may contain information that is confidential and subject to legal privilege. If you are not the intended recipient, any use, dissemination, distribution or duplication of this email and attachments is prohibited. If you have received this email in error please notify the author immediately and erase all copies of the email and attachments. The Ministry of Social Development accepts no responsibility for changes made to this message or attachments after transmission from the Ministry.

-------------------------------

Re: Authorisation not working in Isis 1.3

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
ISIS-883 and ISIS-884 now fixed in 1.7.0-SNAPSHOT; please see comments for
ISIS-883 [1] and commit message for ISIS-884 [2]


[1]
https://issues.apache.org/jira/browse/ISIS-883?focusedCommentId=14131180&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14131180
[2]
https://issues.apache.org/jira/browse/ISIS-884?focusedCommentId=14130042&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14130042


On 10 September 2014 15:47, Dan Haywood <da...@haywood-associates.co.uk> wrote:


Re: Authorisation not working in Isis 1.3

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
OK, thanks Christopher.

I've raised a ticket for this [1] (and one also for the other thread [2]).

Please add to it if there's anything missing/extra useful info.

Dan

[1] https://issues.apache.org/jira/browse/ISIS-883
[2] https://issues.apache.org/jira/browse/ISIS-884


On 9 September 2014 22:11, Christopher Fairhall <Christopher.Fairhall003@msd.govt.nz> wrote:


RE: Authorisation not working in Isis 1.3

Posted by Christopher Fairhall <Ch...@msd.govt.nz>.
On Tuesday, 9 September 2014 8:07 p.m. Dan Haywood <da...@haywood-associates.co.uk> wrote:

> A minor point (not that this negates the fact that a fix is needed to Isis)... only query-only actions,
> i.e. those that are declared to have no side-effects using @ActionSemantics(Of.SAFE),
> are bookmarkable. So if you have a bookmarked action that is creating objects, then you ought
> to adjust its action semantics. In your particular case this might be a workaround to the security
> risk that's been flagged.

We haven't used @ActionSemantics(Of.SAFE) on the create methods, only the query methods.
I believe the default is Of.NON_IDEMPOTENT.

It's not the invocation that's being accessed by the bookmarkable URL, it's the form to enter the parameters.
Clicking the "OK" button on that form invokes the method.
The actual URL that causes the method invocation is
POST http://localhost:7001/rma/wicket/wicket/page?1-1.IFormSubmitListener-action-parameters-inputForm
with a standard x-www-form-urlencoded post body.

On 8 September 2014 21:32, Christopher Fairhall <Christopher.Fairhall003@msd.govt.nz> wrote:


Re: Authorisation not working in Isis 1.3

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
OK, thanks for the clarification.

Could you raise a ticket for this (as well as one for the issue on the
other thread)?

~~~
A minor point (not that this negates the fact that a fix is needed to
Isis)... only query-only actions, i.e. those that are declared to have no
side-effects using @ActionSemantics(Of.SAFE), are bookmarkable. So
if you have a bookmarked action that is creating objects, then you ought to
adjust its action semantics. In your particular case this might be a
workaround to the security risk that's been flagged.

Thx
Dan




On 8 September 2014 21:32, Christopher Fairhall <Christopher.Fairhall003@msd.govt.nz> wrote:


RE: Authorisation not working in Isis 1.3

Posted by Christopher Fairhall <Ch...@msd.govt.nz>.
On Monday, 8 September 2014 6:44 p.m. Dan Haywood <da...@haywood-associates.co.uk> wrote:

>
> Is the URL for an entity?  Or the URL for a (query) action?

I'm talking about bookmarkable URLs in the format
http://localhost:7001/rma/wicket/wicket/bookmarkable/<Page class name>?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=<class name>:1&actionType=USER&actionOwningSpec=<class name>&actionId=<method description>&pageTitle=<page title>&actionMode=PARAMETERS

It allows the execution of the method.

Calling via the restfulobjects API
/resultful/services/<serviceName>/actions/<methodName>/invoke
fails with a 404 as expected when logging in with a user that has no access.



> If the URL you are pasting in is for a query action, and it is firing, then you have indeed found an issue.

Our security tester managed to call a method that created new entities.


Re: Authorisation not working in Isis 1.3

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
On 8 September 2014 04:27, Christopher Fairhall <Christopher.Fairhall003@msd.govt.nz> wrote:

> We've got an Isis application that has failed a security review.
>
> The security provider is Shiro. The UI is Wicket.
>
> When a user with an admin role logs in, they get access to functionality
> not available to standard users.
> However, if a standard user types in the URL to one of the admin pages,
> they get access to it.
>
>
Is the URL for an entity?  Or the URL for a (query) action?




> It appears the permissions are only checked when rendering the menus


... or rendering any member of any object (entity or service).

So there is a possible gap... the user could enter the URL of an entity and
discover that such an entity exists as an object. However, authorization
could be set up so that they just see a blank page.

That said, there is the possibility that information could "leak out" in
the title, because that would also be rendered and we don't have any
security for that.  As a workaround, you could use the WrapperFactory to
enforce security in such cases, eg:

@javax.inject.Inject
WrapperFactory wrapperFactory;
public String title() {
    // The proxy re-applies the visibility/authorisation checks, so a property
    // hidden to the current user throws rather than leaking into the title.
    Customer wrapped = wrapperFactory.wrap(this);
    return wrapped.getFirstName() + " " + wrapped.getLastName();
}




> and not when executing the action.
>

I need to check on that, it's possibly an omission.  Haven't got time to do
so right now, but will look at this eve.



> Essentially any authenticated user can bypass authorisation.
>
> The permissions are correctly checked when accessing the services through
> the Restful interface.
>
> Is this a known issue?



If the URL you are pasting in is for a query action, and it is firing, then
you have indeed found an issue.

If the URL you are pasting in is for an entity, then I don't think there is
an issue, you just need to lock down permissions on the target object (see
above).


> I did not see anything in the 1.4, 1.5 or 1.6 release notes that would
> cover it either.
>
>

You are correct that there's been no change in 1.4, 1.5, 1.6.    If there
is an issue in that a query action fires, we will of course fix it for you.

Let me know...
Dan




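Added example, not code from this thread or from Apache Isis itself: a hypothetical Isis 1.x domain service (CustomerService, Customer, the package name and the permission string are all assumed) that re-checks authorisation inside the action body, so a standard user who reaches the parameter form by URL and submits it is still refused before anything is persisted. It assumes Isis' @DomainService/@Inject support and that Isis' Shiro integration leaves the Shiro Subject bound to the request thread while the action runs.

```java
import javax.inject.Inject;

import org.apache.isis.applib.DomainObjectContainer;
import org.apache.isis.applib.annotation.ActionSemantics;
import org.apache.isis.applib.annotation.ActionSemantics.Of;
import org.apache.isis.applib.annotation.DomainService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;

// Hypothetical service; Customer is assumed to be a persistent entity
// with firstName/lastName properties.
@DomainService
public class CustomerService {

    // Assumed Isis/Shiro permission string: packageName:className:memberName:mode,
    // where mode "w" is what a user needs to change state or invoke an action.
    static final String CREATE_PERMISSION =
            "com.example.customer:CustomerService:createCustomer:w";

    // Deliberately NOT Of.SAFE: a creating action must never be bookmarkable.
    @ActionSemantics(Of.NON_IDEMPOTENT)
    public Customer createCustomer(final String firstName, final String lastName) {
        // The viewer may have skipped the authorisation check on invocation
        // (the gap discussed in this thread), so the action enforces it itself
        // before any side effect happens.
        requirePermission(CREATE_PERMISSION);
        final Customer customer = container.newTransientInstance(Customer.class);
        customer.setFirstName(firstName);
        customer.setLastName(lastName);
        container.persist(customer);
        return customer;
    }

    // Consulted when the menu is rendered: keeps the action out of the UI for
    // a standard user. On its own this is only cosmetic; the check above is
    // what actually protects the data.
    public boolean hideCreateCustomer() {
        return !isPermitted(CREATE_PERMISSION);
    }

    static boolean isPermitted(final String permission) {
        // Assumes the Shiro Subject is bound to the current request thread.
        return SecurityUtils.getSubject().isPermitted(permission);
    }

    static void requirePermission(final String permission) {
        if (!isPermitted(permission)) {
            // Throwing aborts the Isis transaction, so nothing is persisted.
            throw new AuthorizationException("Not permitted: " + permission);
        }
    }

    @Inject
    DomainObjectContainer container;
}
```

The hide/disable supporting methods and the Shiro role configuration still matter for the UI, but only the check inside the action body holds when the parameter form is reached directly by URL.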