Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-30083

Fix CAS authentication anonymous client change of behavior introduced with NXP-23246

    Details

    • Release Notes Summary:
      CAS authentication redirects with a HTTP 302 when anonymous is enabled.
    • Tags:
    • Backlog priority:
      750

      Description

      How to reproduce:

      • Install nuxeo 10.10 (+HFs) + nuxeo-jsf-ui/nuxeo-web-ui/ cas2-authentication
      • configure CAS with the provided contribution sample
      • invoke http://localhost:8080/nuxeo => you are logged in as Anonymous user
      • logout -> You are redirected to CAS
      • invoke the command:
        curl -L -XGET -v http://localhost:8080/nuxeo/api/v1/user/Anonymous

        => You get HTTP 401 and not a redirection to CAS

      Notice that you get the answer:

      < HTTP/1.1 401 Non-Autoris
      < Server: Apache-Coyote/1.1
      < X-Frame-Options: SAMEORIGIN
      < X-UA-Compatible: IE=10; IE=11
      < Cache-Control: no-cache, no-store, must-revalidate
      < X-Content-Type-Options: nosniff
      < Content-Security-Policy: img-src 'self' data:; default-src * blob:; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *
      < X-XSS-Protection: 1; mode=block
      < Set-Cookie: JSESSIONID=1E6C5635ACCEE1597B30138FAFED7C3C.nuxeo; Path=/nuxeo/; HttpOnly
      < Content-Type: text/html;charset=UTF-8
      < Content-Length: 343
      < Date: Wed, 20 Jan 2021 13:25:05 GMT
      <
      <script type="text/javascript">
      var h = window.location.hash.substring(1) || '';document.cookie = 'nuxeo.start.url.fragment=' + h.replace(/'/g, '\''); + '; path=/';
      window.location = 'http://cuisine.ad.nuxeo.com:8080/cas-server-webapp-3.5.2.1/login?service=http%3A%2F%2Flocalhost%3A8080%2Fnuxeo%2Fsite%2Fapi%2Fv1%2Fuser%2FAnonymous';
      

      which is due to NXP-23246.

      However, in TL-233, it is stated

      our authentication filter handles a redirection to the login page when authentication is required.

      The snippet of JS code included in the HTTP 401 answer might be understood by WebUI, but not by a third-party CAS client.

      Before NXP-23246 was introduced (so, in 8.10-HF16 and earlier versions), a HTTP 302 was sent, instead of a HTTP 401, and this worked fine with CAS.

      Request is that the former HTTP 302 behavior can be retrieved in the corner case of unauthenticated CAS client when an anonymous user is declared and a direct link is invoked.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 4 hours
                  4h

                    PagerDuty

                    Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.