PicketLink / PLINK-183

Digest authentication can be bypassed


Details

    Type: Bug
    Resolution: Won't Do
    Priority: Critical
    Affects Version/s: PLINK_2.5.0.beta4
    Fix Version/s: PLINK_2.5.0.beta4
    Component/s: IDM
    Labels: None

    Description

      Grab the sources and deploy: https://github.com/abstractj/aerogear-controller-demo/tree/picketlink_beta4

      Run:

      curl -v -X OPTIONS "http://localhost:8080/aerogear-controller-demo/mycars"

      It shouldn't return the output (because this endpoint is protected):

      * Connection #0 to host corscontroller-abstractj.rhcloud.com left intact
      ["Brawn","Bumblebee","Cliffjumper","Beachcomber","Optimus Prime"]* Closing connection #0
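      The report shows one request (OPTIONS) reaching a resource that GET cannot reach without Digest credentials. The ticket does not say why the check was skipped, so the script below, an added example that is not part of the PicketLink project or the demo application, models the behaviour under one assumption of ours: that the Digest filter was applied per method rather than per resource. It runs a constructed mock of /mycars in-process (constructed data, constructed realm and nonce), probes the path with every common method while sending no credentials, and reports each method that gets a 2xx from an endpoint whose GET answered 401 with a Digest challenge. The same probe is then run against the hardened variant of the mock, which challenges every method, to show that the bypass list becomes empty. Point probe() at a real base URL to use it against a deployment.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the /mycars payload in the report (not the demo app's data).
CARS = ["Brawn", "Bumblebee", "Cliffjumper", "Beachcomber", "Optimus Prime"]
PROTECTED_PATH = "/mycars"
METHODS = ("GET", "OPTIONS", "HEAD", "POST", "PUT", "DELETE")


def make_handler(enforce_all_methods):
    """Mock of a Digest-protected endpoint.

    enforce_all_methods=False models the reported behaviour under our assumption
    (not stated in the ticket) that the Digest check was applied to GET only.
    enforce_all_methods=True is the hardened form: every method is challenged.
    Credentials are never validated here; any Authorization header is accepted.
    """
    class Handler(BaseHTTPRequestHandler):
        def _challenge(self):
            self.send_response(401)
            self.send_header("WWW-Authenticate",
                             'Digest realm="demo", nonce="0123456789abcdef", qop="auth"')
            self.send_header("Content-Length", "0")
            self.end_headers()

        def _serve(self):
            body = json.dumps(CARS).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            if self.command != "HEAD":
                self.wfile.write(body)

        def _handle(self):
            if self.path != PROTECTED_PATH:
                self.send_error(404)
                return
            # The modelled bug: only GET is subject to the authentication check.
            must_check = enforce_all_methods or self.command == "GET"
            if must_check and "Authorization" not in self.headers:
                self._challenge()
            else:
                self._serve()

        do_GET = do_OPTIONS = do_HEAD = do_POST = do_PUT = do_DELETE = _handle

        def log_message(self, *args):  # silence per-request logging
            pass

    return Handler


def start_server(enforce_all_methods):
    """Start the mock on an ephemeral loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(enforce_all_methods))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def probe(base_url, path, methods=METHODS):
    """Send each method without credentials.

    Returns {method: (status, body_length, WWW-Authenticate header or None)}.
    """
    results = {}
    for method in methods:
        req = urllib.request.Request(base_url + path, method=method)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                status, headers, body = resp.status, resp.headers, resp.read()
        except urllib.error.HTTPError as e:  # 401 and other non-2xx land here
            status, headers, body = e.code, e.headers, e.read()
        results[method] = (status, len(body), headers.get("WWW-Authenticate"))
    return results


def find_bypasses(results):
    """Methods that got a 2xx from an endpoint whose GET demanded authentication."""
    get_status = results.get("GET", (None,))[0]
    if get_status != 401:
        return []  # not visibly protected on GET; nothing to compare against
    return sorted(m for m, (status, _, _) in results.items() if 200 <= status < 300)


def run_demo(enforce_all_methods):
    """Probe one mock variant and return (results, bypassing_methods)."""
    server, base = start_server(enforce_all_methods)
    try:
        results = probe(base, PROTECTED_PATH)
        return results, find_bypasses(results)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for strict in (False, True):
        results, bypasses = run_demo(strict)
        print("enforce_all_methods=%s" % strict)
        for m, (status, n, www) in results.items():
            print("  %-7s -> %d, %d bytes%s" % (m, status, n, ", challenge: " + www if www else ""))
        print("  bypassing methods:", bypasses or "none")
```

      The comparison is the useful part: a 2xx on OPTIONS alone proves little, since a CORS preflight is often answered before any filter runs, but a 2xx carrying the same body that GET refuses to return without credentials is the condition the report describes. HEAD is listed as a bypass even with an empty body because the 200 still confirms the filter was not applied to it.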

            People

              Assignee: Pedro Igor Craveiro (psilva@redhat.com)
              Reporter: Bruno Oliveira Silva (Inactive) (boliveir_managed_kafka_security, inactive user)
              Votes: 0
              Watchers: 2
