Can't access service in a webapp under idprovider

enonic / xp

Enonic XP

https://enonic.com

GNU General Public License v3.0

200 stars 34 forks source link

Can't access service in a webapp under idprovider #10403

Closed alansemenov closed 5 months ago

alansemenov commented 7 months ago

With this vhost config

enabled = true

mapping.admin.host = localhost
mapping.admin.source = /
mapping.admin.target = /
mapping.admin.idProvider.system = default

mapping.ol.host = officeleague
mapping.ol.source = /app
mapping.ol.target = /webapp/myproject
mapping.ol.idProvider.system = default

it's impossible to access service located at http://officeleague:8080/app/_/service/com.enonic.xp.app.standardidprovider/config

rymsha commented 5 months ago

This is due to #5668

We have several options:

remove the restriction for webapps to call only own services.
allow webapps to call id-provider services.
migrate config service to json block

alansemenov commented 5 months ago

allow webapps to call id-provider services.

This sounds logical. Id providers are no ordinary apps and should be always accessible by other apps.

migrate config service to json block

what is this?

rymsha commented 5 months ago

what is this?

inject json on a page instead of calling a service. This is how we do it on react4xp https://html.spec.whatwg.org/multipage/scripting.html#data-block

<script id="myJson" type="application/json">
 { 
   name: 'Foo' 
 }
</script>

rymsha commented 5 months ago

the same issue hits sites which are protected by id providers - they won't be able to use idprovider service (if there is any)

rymsha commented 5 months ago

checking for id-provider service may be reasonable, but practically hard to implement - only name is given in the url, there is no indication that there is an idprovider under that name.
5668 - should be reconsidered. Probably we don't need to restrict services more than they can already (they have permissions, they also can read url they were accessed under and prevent access) Leaving this issue open.
fix for the issue described should be done in standardidprovider https://github.com/enonic/app-standardidprovider/issues/767

rymsha commented 5 months ago

We changed id-provider so it does not use service anymore. We cannot remove restriction as it might be already in use and changing it may introduce severe security issues. There are plans to combine services with new API functionality in XP8

enonic / xp

Can't access service in a webapp under idprovider #10403

5668 - should be reconsidered. Probably we don't need to restrict services more than they can already (they have permissions, they also can read url they were accessed under and prevent access) Leaving this issue open.