- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Not A Bug
- Affects Version/s: None
- Fix Version/s: None
- Component/s: Authentication, BlobManager, OAuth
Requesting an S3 signed URL from the nxfile servlet via JWT token authentication returns a 401 error. Retrieving it via basic authentication works fine, though.
For example:
curl -I "${NUX_SERVER_URL}/nuxeo/nxfile/default/596ad1ee-cf1b-47c4-95b2-178c7f68e24f" -H "Authorization: Bearer 76EtMwI551oW6Zoo2y4Qb2wULROKwvUb"

HTTP/1.1 401
Date: Mon, 29 Apr 2024 23:08:19 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 305
Connection: keep-alive
Set-Cookie: AWSALB=dlj9IOYvUqw1+FVlIiEudKDAuk2lVzo0Yp7axWa1kpT//PtFwx15fkF8+wEEY0nQf/bB6mNCZFLrlpuij6h7Bq/MA6osvx6I/I+BFkgyUr1GBmGF3Fhm6ZdK47pg; Expires=Mon, 06 May 2024 23:08:19 GMT; Path=/
Set-Cookie: AWSALBCORS=dlj9IOYvUqw1+FVlIiEudKDAuk2lVzo0Yp7axWa1kpT//PtFwx15fkF8+wEEY0nQf/bB6mNCZFLrlpuij6h7Bq/MA6osvx6I/I+BFkgyUr1GBmGF3Fhm6ZdK47pg; Expires=Mon, 06 May 2024 23:08:19 GMT; Path=/; SameSite=None; Secure
Server: Apache
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=63072000; includeSubdomains;
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
X-UA-Compatible: IE=10; IE=11
Cache-Control: no-cache
X-Content-Type-Options: nosniff
Content-Security-Policy: img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=3D7435C5D44CD1ABEF390C796F9A90C2.nuxeo; Path=/nuxeo; Secure; HttpOnly; SameSite=Lax;HttpOnly;Secure
The same request works fine when using basic authentication:
curl -I "${NUX_SERVER_URL}/nuxeo/nxfile/default/596ad1ee-cf1b-47c4-95b2-178c7f68e24f" -u "${NUX_USERNAME}:${NUX_PASSWORD}"

HTTP/1.1 302
Date: Mon, 29 Apr 2024 23:11:47 GMT
Connection: keep-alive
Set-Cookie: AWSALB=EMc/yVWUcksH7REll7/+lRWnNtDWRH9Hplm7moapvlhXpVJPkAfSErr0tHb/j2XR0Yxe/LoTRFFiENZaMGonP01p9CmL72SCOH4sa6V7z7/P+3Bcqj2JrVNquCLO; Expires=Mon, 06 May 2024 23:11:47 GMT; Path=/
Set-Cookie: AWSALBCORS=EMc/yVWUcksH7REll7/+lRWnNtDWRH9Hplm7moapvlhXpVJPkAfSErr0tHb/j2XR0Yxe/LoTRFFiENZaMGonP01p9CmL72SCOH4sa6V7z7/P+3Bcqj2JrVNquCLO; Expires=Mon, 06 May 2024 23:11:47 GMT; Path=/; SameSite=None; Secure
Server: Apache
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=63072000; includeSubdomains;
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
X-UA-Compatible: IE=10; IE=11
Cache-Control: no-cache
X-Content-Type-Options: nosniff
Content-Security-Policy: img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *
X-XSS-Protection: 1; mode=block
Location: https://nuxeo-app-dev-2b230538b7.s3.us-west-2.amazonaws.com/binaries/1f843aeb802e74ec43cc3ee4edea389d?response-content-disposition=attachment%3B%20filename%3Dna_new_SHIRTS-16605-Secondary-2_M_T01_V01_BT_M.jpg&response-content-type=image%2Fjpeg&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEMb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMiJHMEUCICgJ0ahGRzqi8egL5KSIEu%2FU7x9PvVKqZXdHh7tx78glAiEAw5GdkzZ9baTceF2aqdCuMVS7u%2F6zQgRuSOJlK%2BqgHncquQUIHxADGgwyNTQ1MjU1ODkzNjIiDIWxvylf5i%2FVfNB4bSqWBVt7mt2Ey%2FHyWZSDMriFT8aqzSdOX7yOHmlArtwln6KV4tbN1Kvo3UV3m5eCXwrDgj6nQssdCjsWp1gjNF%2FuC0eMx2dmvKvfBtpyW7%2FMRasJIjYb66MkgFdSFftA5slt3%2FDuD5K5I9GdWDMX%2FhoYQhvat1u2Z9pOzRMOevCbunP9nZlbai1rH%2FBk1IsWhHbikWm1pFacZa3qzJQhzBxHUnj3YjTgPHrPh3n8gnbWRhy85uaoegqMQrrpEMyZXjiLug591ppouWyiAWkzY6HF2TQ4RjVBjqTDly9gQQ4hh%2BRtLXPC6yGK8jOOzLd1s8YS4sTb6lDdJXyPagjuTEaK7xFdp7LD9lEgCwWTLPN9FHbzb1vxTEcNnrjUpXBG%2BNE3gw7U05ukuzMeq0Wb0aW%2BhT55RX5lEIpFD33eCXSnMMOBBdt2PxVxi32Gyj%2F1lxyvCFwz0hp21TV7vPCtu4sBEnd%2BAkiuWqg2GpyIG1UHqothxPLgZWPkUJIebdaBapT05DuL8qe5JxIsDBLi%2FtbGFcs5DjwPBoIUQI5l8CaMhKyJ9%2BTxhqf90DswNqgit7KA8Vtz1LoIoKqOtwdeIMv2t0T%2FJi4BwJOvSAAsaiN6xt1vAqXJgBU1xnOYDSNmCvVzcH4qP7UREwbeGAkj%2BojvdQdOlPrm7OF5tIzk7HV9xNvQ90UY3%2BDbdNQiycKpSQ0VEqY1qLGuSJHeEQPE2BdA43HbERRtJBrspNfG7CxsQas950vZ1nMRUb6CSIJ42xgkPTAbVclfe5AaZzd37Yn4kRywpMMl81oxPClJOooqK5gB%2BpFgaEnQ87xkt%2BLC7jlG9vtXK%2Bv3lh%2FmnuAfHeFyOsUzIo9oUSi1jpDne6YUAiMBCm4mDPS3MKe2wLEGOrEBOOzlMdyHz9UlwVrcFzrSBpQhTJNTaItpn2Q3jlKxJ6OjM%2B3fB2wqLdbjTtX8qrF3ZwAfZfUBU4atyXYm8%2B0kUbTnlNBXbX36dLzuJSTuKr70oTDEya1lcOWA%2BGx4MfDX%2Bs%2Bgw%2BCK9CMlmrNWuRLuxpq09gZIgVVBh0pCBMXqgyKq%2BpBz6OCO8z8qWMfioXdSZZwP9I13dDT5H2jKy50ujii6DMeeQwd8AVOvvauU6ifB&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240429T231147Z&X-Amz-SignedHeaders=host&X-Amz-Expires=300&X-Amz-Credential=ASIATWQXII5ZE4EL56F5%2F20240429%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Signature=6f1b781d7138b78475a72b13e451021328dbbacad1b4ba2273387337e0ceda18
Other API requests via JWT token work fine.
LTS 2023 HF09
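The two `curl -I` runs above differ only in the authentication method, and the interesting part of the successful one is the 302 `Location` header: an S3 presigned URL whose SigV4 query parameters (`X-Amz-Date`, `X-Amz-Expires=300`, `X-Amz-Credential`, `X-Amz-Security-Token`) say how long it stays usable by anyone who holds it. The script below is an added example, not code from the ticket or from Nuxeo: it parses `curl -I` output for the nxfile servlet, tells an authentication rejection (401) apart from the expected presigned-URL redirect, and reads the redirect's validity window and credential scope. The sample responses are constructed with placeholder token, cookie, bucket, digest and signature values shaped like the ones in the ticket, and the function names (`parse_head_output`, `classify_nxfile_response`, `parse_presigned_url`, `is_valid_at`) are chosen here.

```python
"""Added example (not from the ticket or Nuxeo): classify `curl -I` output from
/nuxeo/nxfile/... and inspect the SigV4 parameters of the presigned S3 redirect."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse


def parse_head_output(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Parse the text printed by `curl -I`: a status line followed by header lines.
    Header names are lower-cased; repeated headers (Set-Cookie) are kept as a list."""
    lines = [ln.rstrip("\r") for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])          # "HTTP/1.1 401" -> 401
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split on the first colon only
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def parse_presigned_url(url: str) -> Dict[str, object]:
    """Extract the SigV4 query parameters of an S3 presigned URL and compute its
    validity window from X-Amz-Date and X-Amz-Expires."""
    parts = urlparse(url)
    query = parse_qs(parts.query)              # percent-decodes the values

    def first(key: str) -> Optional[str]:
        values = query.get(key)
        return values[0] if values else None

    signed_at = datetime.strptime(first("X-Amz-Date") or "", "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    expires_in = int(first("X-Amz-Expires") or "0")
    credential = first("X-Amz-Credential") or ""
    return {
        "bucket_host": parts.netloc,
        "key": parts.path.lstrip("/"),
        "algorithm": first("X-Amz-Algorithm"),
        "signed_headers": first("X-Amz-SignedHeaders"),
        # "ACCESSKEYID/20240429/us-west-2/s3/aws4_request" -> the scope after the key id
        "credential_scope": credential.split("/", 1)[1] if "/" in credential else None,
        # a security token means the URL was signed with temporary (STS) credentials
        "uses_session_token": "X-Amz-Security-Token" in query,
        "signed_at": signed_at,
        "expires_in": expires_in,
        "expires_at": signed_at + timedelta(seconds=expires_in),
    }


def is_valid_at(url: str, when_iso: str) -> bool:
    """True if the presigned URL is inside its validity window at the given ISO-8601 instant."""
    when = datetime.fromisoformat(when_iso)
    info = parse_presigned_url(url)
    return info["signed_at"] <= when < info["expires_at"]  # type: ignore[operator]


def classify_nxfile_response(raw: str) -> Dict[str, object]:
    """Map a HEAD response from the nxfile servlet to one of three outcomes."""
    status, headers = parse_head_output(raw)
    location = headers.get("location", [None])[0]
    if status == 302 and location and "X-Amz-Signature=" in location:
        return {"outcome": "presigned_redirect", "status": status, "presigned": parse_presigned_url(location)}
    if status == 401:
        return {"outcome": "auth_rejected", "status": status, "presigned": None}
    return {"outcome": "other", "status": status, "presigned": None}


# Constructed samples shaped like the ticket's two runs; the session cookie, bucket
# name, blob digest, security token, access key id and signature are placeholders.
JWT_RESPONSE = """HTTP/1.1 401
Date: Mon, 29 Apr 2024 23:08:19 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 305
Set-Cookie: JSESSIONID=PLACEHOLDER.nuxeo; Path=/nuxeo; Secure; HttpOnly; SameSite=Lax
"""

BASIC_LOCATION = (
    "https://example-bucket.s3.us-west-2.amazonaws.com/binaries/PLACEHOLDERDIGEST"
    "?response-content-disposition=attachment%3B%20filename%3Dexample.jpg"
    "&response-content-type=image%2Fjpeg"
    "&X-Amz-Security-Token=PLACEHOLDERSESSIONTOKEN"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240429T231147Z"
    "&X-Amz-SignedHeaders=host&X-Amz-Expires=300"
    "&X-Amz-Credential=AKIAPLACEHOLDER%2F20240429%2Fus-west-2%2Fs3%2Faws4_request"
    "&X-Amz-Signature=PLACEHOLDERSIGNATURE"
)

BASIC_RESPONSE = "HTTP/1.1 302\nDate: Mon, 29 Apr 2024 23:11:47 GMT\nLocation: " + BASIC_LOCATION + "\n"

if __name__ == "__main__":
    for label, raw in (("bearer", JWT_RESPONSE), ("basic", BASIC_RESPONSE)):
        result = classify_nxfile_response(raw)
        print(label, result["outcome"], result["status"])
        if result["presigned"]:
            info = result["presigned"]
            print("  expires", info["expires_at"].isoformat(), "scope", info["credential_scope"])
```

Feed it the real output of the two commands (the ticket's values, not the placeholders) and the bearer run classifies as `auth_rejected` while the basic-auth run classifies as `presigned_redirect` with a five-minute window; the `uses_session_token` flag and the credential scope tell you which temporary credential signed the URL, which is what you want recorded if a redirect ever ends up in a log or proxy cache.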