Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-11503

Automation requests with valid credentials but that lacks some permissions on a doc should be mapped to HTTP 403 instead of 401

    XMLWordPrintable

    Details

    • Tags:
    • Upgrade notes:
      Hide

      To preserve backward compat for 5.6 compatible clients, the hotfix will not change the behavior of automation server by default unless explicitly stated in nuxeo.conf with the following line.

      org.nuxeo.ecm.automation.server.permission.httpcode=403

      In 5.7, authorization exceptions are mapped by default to 403.

      Show
      To preserve backward compat for 5.6 compatible clients, the hotfix will not change the behavior of automation server by default unless explicitly stated in nuxeo.conf with the following line. org.nuxeo.ecm.automation.server.permission.httpcode=403 In 5.7, authorization exceptions are mapped by default to 403.

      Description

      HTTP 401 should only be used to signal authentication issues (lack or invalid credentials, for instance the basic http auth header is lacking or invalid).

      HTTP 403 should be used to signal authorization issues: for instance when an authenticated client is trying to access a resource without being granted the permissions to do so.

      Right now org.nuxeo.ecm.automation.server.jaxrs.ExceptionHandler is mapping any authorization exceptions from the core to 401 instead of 403 which makes it impossible for the automation client to know whether there a problem with the credentials (e.g. a password has been changed) or whether the user lacks the permissions on a specific document.

        Attachments

          Issue Links

          depends on

          Bug - A problem which impairs or prevents the functions of the product. NXP-12493 Automation batch execution returns HTTP 500 instead of 403 in case of a DocumentSecurityException

          • Major - Major loss of function.
          • Resolved
          is required by

          Bug - A problem which impairs or prevents the functions of the product. NXP-11469 DENY Read Permission on synchronized documents should not be detected as invalid credentials by the client

          • Major - Major loss of function.
          • Resolved

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 2 hours
                  2h