
Fix CAS authentication anonymous client change of behavior introduced with NXP-23246


    Details

    • Release Notes Summary:
      CAS authentication redirects with an HTTP 302 when anonymous is enabled.
    • Backlog priority:
      750

      Description

      How to reproduce:

      • Install nuxeo 10.10 (+HFs) + nuxeo-jsf-ui/nuxeo-web-ui/cas2-authentication
      • Configure CAS with the provided contribution sample
      • Invoke http://localhost:8080/nuxeo => you are logged in as the Anonymous user
      • Logout => you are redirected to CAS
      • Invoke the command:
        curl -L -XGET -v http://localhost:8080/nuxeo/api/v1/user/Anonymous

        => You get HTTP 401 and not a redirection to CAS

      Notice that you get the answer:

      < HTTP/1.1 401 Non-Autorisé
      < Server: Apache-Coyote/1.1
      < X-Frame-Options: SAMEORIGIN
      < X-UA-Compatible: IE=10; IE=11
      < Cache-Control: no-cache, no-store, must-revalidate
      < X-Content-Type-Options: nosniff
      < Content-Security-Policy: img-src 'self' data:; default-src * blob:; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *
      < X-XSS-Protection: 1; mode=block
      < Set-Cookie: JSESSIONID=1E6C5635ACCEE1597B30138FAFED7C3C.nuxeo; Path=/nuxeo/; HttpOnly
      < Content-Type: text/html;charset=UTF-8
      < Content-Length: 343
      < Date: Wed, 20 Jan 2021 13:25:05 GMT
      <
      <script type="text/javascript">
      var h = window.location.hash.substring(1) || '';document.cookie = 'nuxeo.start.url.fragment=' + h.replace(/'/g, '\''); + '; path=/';
      window.location = 'http://cuisine.ad.nuxeo.com:8080/cas-server-webapp-3.5.2.1/login?service=http%3A%2F%2Flocalhost%3A8080%2Fnuxeo%2Fsite%2Fapi%2Fv1%2Fuser%2FAnonymous';
      

      which is due to NXP-23246.

      However, TL-233 states:

      our authentication filter handles a redirection to the login page when authentication is required.

      The snippet of JS code included in the HTTP 401 answer might be understood by WebUI, but not by a third-party CAS client.

      Before NXP-23246 was introduced (so, in 8.10-HF16 and earlier versions), an HTTP 302 was sent instead of an HTTP 401, and this worked fine with CAS.

      The request is that the former HTTP 302 behavior be restored in the corner case of an unauthenticated CAS client when an anonymous user is declared and a direct link is invoked.
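      As an added example (not Nuxeo's or the ticket's code), the following Python distinguishes the two responses discussed above: a plain 302 with a Location header, which curl -L and any third-party CAS client follow, versus a 401 whose redirect exists only in a JavaScript body. The response texts are constructed for the example and the CAS host is a placeholder.

```python
import re

# Hypothetical helper (not Nuxeo code): a non-browser CAS client such as curl -L
# follows a 3xx Location header but never executes a script in a 401 body.
JS_REDIRECT = re.compile(r"window\.location\s*=\s*'([^']+)'")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw):
    """Return (verdict, CAS login URL or None).

    'redirect': plain 3xx + Location, followed by any HTTP client.
    'js-only' : 401 whose redirect exists only in JavaScript, so the Web UI
                reaches CAS but a third-party client stops at the 401.
    """
    status, headers, body = parse_response(raw)
    if 300 <= status < 400 and "location" in headers:
        return "redirect", headers["location"]
    match = JS_REDIRECT.search(body)
    if status == 401 and match:
        return "js-only", match.group(1)
    return "other", None


# Constructed sample data; the CAS host is a placeholder, the service URL is the ticket's.
CAS_LOGIN = ("http://cas.example.test/cas/login?service="
             "http%3A%2F%2Flocalhost%3A8080%2Fnuxeo%2Fsite%2Fapi%2Fv1%2Fuser%2FAnonymous")

# Shape of the response captured in the ticket (body trimmed to the redirect line).
RESPONSE_401 = ("HTTP/1.1 401 Unauthorized\r\n"
                "Content-Type: text/html;charset=UTF-8\r\n\r\n"
                "<script type=\"text/javascript\">\n"
                f"window.location = '{CAS_LOGIN}';\n</script>")

# The pre-NXP-23246 behavior the ticket asks to restore.
RESPONSE_302 = ("HTTP/1.1 302 Found\r\n"
                f"Location: {CAS_LOGIN}\r\n"
                "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("current", RESPONSE_401), ("requested", RESPONSE_302)):
        print(name, *classify(raw))
```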
