Posted to users@tomee.apache.org by Zachary Bedell <zb...@nycourts.gov> on 2016/10/05 21:03:05 UTC

Re: secure the tomee/ejb path

I just added a comment to the Github commit on this, but wanted to reference it here in case anyone finds this email thread.

https://github.com/apache/tomee/commit/7edb1be6a17efb05a5ca37ff2919abd2a0aabe25


This approach causes problems with clustered connections.

If using a clustered URL like "failover:sticky+random:https://1.2.3.4:8443/ejb/invoke?authorization=Basic%20ABCD,https://1.2.3.5:8443/ejb/invoke?authorization=Basic%20ABCD", the call to URI::getSchemeSpecificPart() in org.apache.openejb.client.FailoverConnectionFactory::getConnection() results in the "%20" encoding being stripped & replaced with a raw space character. The subsequent call to URI.create(remainder) fails with an IllegalArgumentException on the index of the space character.

It may be appropriate to change FailoverConnectionFactory to use URI::getRawSchemeSpecificPart() or else assume the "Basic " part of the header in HttpConnectionFactory. I'm not sure how that class could do anything other than basic auth in this situation since there's no facility for it to retrieve the nonce or other digest related attributes from the HTTP/401 challenge.

I've locally modified this class to append the Basic part itself (i.e. httpURLConnection.setRequestProperty("Authorization", "Basic " + params.get("authorization"));), leaving only the base64-encoded credentials in the URL. It works fine that way with single or clustered URLs.

Best regards,
Zac Bedell

On Jul 28, 2016, at 05:56, Romain Manni-Bucau <rm...@gmail.com> wrote:

Well, this is not "trivial" since normally you don't do it, so no worries.

org.apache.openejb.client.ConnectionManager.registerFactory("http", new
MyConnectionFactory());
org.apache.openejb.client.ConnectionManager.registerFactory("https", new
MyConnectionFactory());

Once at startup (= before any remote call).

Side note: you can copy master HttpConnectionFactory to get basic support
adding ?authorization=Basic%20xxxxxxxx==:
https://github.com/apache/tomee/blob/master/server/openejb-client/src/main/java/org/apache/openejb/client/HttpConnectionFactory.java

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Wordpress Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2016-07-28 11:09 GMT+02:00 ict <ic...@gmail.com>:

forgive my inexperience, how do you extend and record the client-side
class?



--
View this message in context:
http://tomee-openejb.979440.n4.nabble.com/secure-the-tomee-ejb-path-tp4679509p4679528.html
Sent from the TomEE Users mailing list archive at Nabble.com.



Re: secure the tomee/ejb path

Posted by Romain Manni-Bucau <rm...@gmail.com>.
2016-10-05 23:03 GMT+02:00 Zachary Bedell <zb...@nycourts.gov>:

> I just added a comment to the Github commit on this, but wanted to
> reference it here in case anyone finds this email thread.
>
> https://github.com/apache/tomee/commit/7edb1be6a17efb05a5ca37ff2919abd2a0aabe25
>
>
> This approach causes problems with clustered connections.
>
> If using a clustered URL like
> "failover:sticky+random:https://1.2.3.4:8443/ejb/invoke?authorization=Basic%20ABCD,https://1.2.3.5:8443/ejb/invoke?authorization=Basic%20ABCD",
> the call to URI::getSchemeSpecificPart() in
> org.apache.openejb.client.FailoverConnectionFactory::getConnection()
> results in the "%20" encoding being stripped & replaced with a raw space
> character. The subsequent call to URI.create(remainder) fails with an
> IllegalArgumentException on the index of the space character.
>
> It may be appropriate to change FailoverConnectionFactory to use
> URI::getRawSchemeSpecificPart() or else assume the "Basic " part of the
> header in HttpConnectionFactory. I'm not sure how that class could do
> anything other than basic auth in this situation since there's no facility
> for it to retrieve the nonce or other digest related attributes from the
> HTTP/401 challenge.
>
>
Used getRawSchemeSpecificPart.

You can use OAuth2 with the current implementation, for instance, so I'm not really
motivated to hardcode Basic.


> I've locally modified this class to append the Basic part itself (i.e.
> httpURLConnection.setRequestProperty("Authorization", "Basic " +
> params.get("authorization"));), leaving only the base64-encoded credentials
> in the URL. It works fine that way with single or clustered URLs.
>
>
It only works because base64 encoding will not add spaces or other URL-forbidden
characters, but another token policy can, so I think the fix was really in the
failover factory.


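Added example, not code from the thread or from TomEE: a stand-alone java.net.URI walk-through of the two points above, Zac's failure (getSchemeSpecificPart() decodes "%20" before the member URLs are re-parsed, so URI.create throws on the space) and Romain's fix (getRawSchemeSpecificPart() keeps the escape, and each member URI decodes its own query later, so a header value with spaces or other URL-forbidden characters survives as long as it is percent-encoded). The clustered URL, the "sticky+random" prefix handling and the base64 value QUJDRA== are constructed for the example; the real parsing lives in org.apache.openejb.client.FailoverConnectionFactory, which this code only imitates. Because the whole Authorization value rides in the URL, it is visible to anything that logs or displays the connection string, which is worth keeping in mind when choosing where that URL is stored.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

public final class FailoverUriParsing {

    // Constructed sample with the same shape as the clustered URL in the thread.
    // "QUJDRA==" is base64 of the placeholder "ABCD", not a real credential.
    static final String CLUSTERED =
        "failover:sticky+random:https://1.2.3.4:8443/ejb/invoke?authorization=Basic%20QUJDRA=="
        + ",https://1.2.3.5:8443/ejb/invoke?authorization=Basic%20QUJDRA==";

    /**
     * Imitates the failover parsing described in the thread: take the part after
     * "failover:", drop the strategy prefix ("sticky+random:"), split the members
     * on ',' and parse each one. With useRaw=false the "%20" has already been
     * decoded to a space and URI.create fails; with useRaw=true it is preserved.
     */
    static List<URI> parseMembers(String clustered, boolean useRaw) {
        URI outer = URI.create(clustered);                     // scheme "failover", opaque URI
        String ssp = useRaw ? outer.getRawSchemeSpecificPart()  // keeps "%20"
                            : outer.getSchemeSpecificPart();    // decodes "%20" to ' '
        String remainder = ssp.substring(ssp.indexOf(':') + 1); // strip "sticky+random:"
        List<URI> members = new ArrayList<>();
        for (String member : remainder.split(",")) {
            members.add(URI.create(member));                    // IllegalArgumentException on a raw space
        }
        return members;
    }

    /**
     * Header value for one member: the decoded "authorization" query parameter.
     * URI.getQuery() is the decoded form, so "Basic%20QUJDRA==" becomes
     * "Basic QUJDRA==" here, and a token scheme with other encoded characters
     * comes through the same way, no hardcoded "Basic " needed.
     */
    static String authorizationHeader(URI member) {
        String query = member.getQuery();
        if (query == null) {
            return null;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals("authorization")) {
                return pair.substring(eq + 1);
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // 1. Decoded scheme-specific part: the member URLs no longer parse.
        try {
            parseMembers(CLUSTERED, false);
            System.out.println("decoded ssp: unexpectedly parsed");
        } catch (IllegalArgumentException e) {
            System.out.println("decoded ssp: " + e.getMessage());
        }
        // 2. Raw scheme-specific part: both members parse and each yields a full header value.
        for (URI member : parseMembers(CLUSTERED, true)) {
            System.out.println(member.getHost() + " -> Authorization: " + authorizationHeader(member));
        }
    }
}
```

Run with `java FailoverUriParsing.java` (JDK 11 or later). The first line reports the "Illegal character in query" failure from the decoded path; the next two lines show each cluster member with "Basic QUJDRA==" recovered from its own query string.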