Open GoogleCodeExporter opened 9 years ago
Attached the proposed patch. I have not tested this yet (will do that next
week).
Original comment by sebastia...@gmail.com
on 18 May 2013 at 1:19
Attachments:
Tested the patch, but this fix was not good enough. After further code analysis
I've made a new patch which does the following:
1. RestServerHelper: handleAuthentication is now called when
requiresAuthentication=true or a Basic Authentication header is present. This
makes the Authentication optional if requiresAuthentication=false.
2. RestRandomPasswordServer: fixed a bug where jsonInput.username was provided
to createChaiUser, instead of the User DN of the restRequestBean.
3. RestServerHelper + RestRandomPasswordServer: Used overloading on
initializeRestRequest method to allow Random Password generation to be done if
the userDN in the Basic Authorization header matches the DN of the JSON username.
I've separated the authorization checks from lookupUsername in
handleAuthorization. The old behaviour was that Helpdesk Permission was always
mandatory if JSON username was provided.
Original comment by sebastia...@gmail.com
on 21 May 2013 at 11:00
Attachments:
Original comment by jrivard
on 23 May 2013 at 7:42
This is actually working as designed. To get a random password generated
against any user is a privileged operation and should require authentication.
You're reading the password policy of the user, which may involve privileged
LDAP operations.
I think it also makes sense that Helpdesk permission is required for 3rd party
operations. Or at least some type of permission, perhaps there should be a
separate permission for 3rd party operations. However the actual helpdesk UI
uses this service so it does fit that use case well.
Comments?
Original comment by jrivard
on 14 Jun 2013 at 3:46
Some feedback on this :)
@Working as designed: The current REST documentation states that Authentication
is Optional for the GET and POST methods. However, authentication is always
necessary with the current code.
@security: The REST service is indeed reading the Password Policy of that user,
but that is not returned in the REST call, so no sensitive information is
revealed. Currently the REST service uses the Proxy LDAP account to read the
Password Policy, so privileged ldap operations are not necessary for the user
in the Basic Auth header.
Letting a user request a Random Password for her/himself after
authentication is currently already available in the Change Password module
(Settings -> User Interface -> Show Auto Generate Randoms). It would be nice
for third party apps to have this same functionality over REST.
Note that by overloading initializeRestRequest only the Random Password
generation is given this permission on self. For all other operations Helpdesk
permission is still necessary.
Original comment by sebastia...@gmail.com
on 14 Jun 2013 at 6:07
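The flow the two patch comments describe (authentication that is only enforced when the endpoint requires it or a Basic header is present, a self-service exception for random password generation when the authenticated DN matches the resolved JSON username, and Helpdesk permission for everything else) is modelled below as an added, stand-alone example. It is not PWM's code: the directory, the operation name, and the functions `handle_authentication`, `handle_authorization` and `random_password` are hypothetical stand-ins for the RestServerHelper/RestRandomPasswordServer logic in the thread, and the credentials are constructed sample data.

```python
"""Added example (not PWM's code): optional Basic authentication plus
self-vs-helpdesk authorization for a REST random-password endpoint.
All names below are hypothetical stand-ins for the thread's Java classes."""
import base64
import secrets
import string

# Constructed sample directory: username -> (DN, password, has Helpdesk permission).
# In the real service the DN lookup is done with the proxy LDAP account.
DIRECTORY = {
    "alice": ("cn=alice,ou=users,dc=example,dc=com", "alice-pw", False),
    "bob": ("cn=bob,ou=users,dc=example,dc=com", "bob-pw", False),
    "helpdesk": ("cn=helpdesk,ou=staff,dc=example,dc=com", "hd-pw", True),
}

# Only random password generation is granted to a user on their own DN;
# every other third-party operation still needs Helpdesk permission.
SELF_SERVICE_OPERATIONS = {"randompassword"}


class AuthError(Exception):
    """Maps to HTTP 401: no or bad credentials."""


class AuthzError(Exception):
    """Maps to HTTP 403: authenticated but not permitted."""


def lookup_username(username):
    """Resolve a JSON username to its DN (what lookupUsername does, minus the
    permission checks that the patch moves into handle_authorization)."""
    entry = DIRECTORY.get(username)
    if entry is None:
        raise AuthzError("unknown user")
    return entry[0]


def has_helpdesk_permission(dn):
    return any(e[0] == dn and e[2] for e in DIRECTORY.values())


def handle_authentication(headers, requires_authentication):
    """Return the caller's DN, or None for a permitted anonymous request.
    Runs when the endpoint requires it OR a Basic header is present, so
    authentication is genuinely optional when requires_authentication is False."""
    header = headers.get("Authorization", "")
    has_basic = header.startswith("Basic ")
    if not requires_authentication and not has_basic:
        return None
    if not has_basic:
        raise AuthError("authentication required")
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
        username, password = raw.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        raise AuthError("malformed Basic credentials") from None
    entry = DIRECTORY.get(username)
    # compare_digest avoids a timing side channel on the password check.
    if entry is None or not secrets.compare_digest(entry[1], password):
        raise AuthError("bad credentials")
    return entry[0]


def handle_authorization(auth_dn, json_username, operation):
    """Return the DN the operation may act on.
    - no JSON username: act on the caller, who must therefore be authenticated;
    - JSON username resolves to the caller's own DN and the operation is
      self-service: allowed without Helpdesk permission;
    - otherwise Helpdesk permission is required."""
    if json_username is None:
        if auth_dn is None:
            raise AuthError("authentication required")
        return auth_dn
    target_dn = lookup_username(json_username)  # compare DNs, not usernames
    if auth_dn is not None and target_dn == auth_dn and operation in SELF_SERVICE_OPERATIONS:
        return target_dn
    if auth_dn is None:
        raise AuthError("authentication required for third-party operations")
    if not has_helpdesk_permission(auth_dn):
        raise AuthzError("Helpdesk permission required for third-party operations")
    return target_dn


def random_password(headers, body, requires_authentication=False):
    """The endpoint: authenticate, authorize, then generate for the resolved
    target DN (not for the raw JSON username, which was the bug in point 2)."""
    auth_dn = handle_authentication(headers, requires_authentication)
    target_dn = handle_authorization(auth_dn, body.get("username"), "randompassword")
    alphabet = string.ascii_letters + string.digits
    return {"userDN": target_dn, "password": "".join(secrets.choice(alphabet) for _ in range(16))}


def basic(username, password):
    """Build a Basic Authorization header for the constructed sample users."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    print(random_password(basic("alice", "alice-pw"), {"username": "alice"}))
    print(random_password(basic("helpdesk", "hd-pw"), {"username": "bob"}))
```

The generated password is returned to the caller here only because it is what the endpoint exists to produce; the policy that shaped it is not returned, which matches the observation above that the policy read does not leak anything in the response. Acting on `target_dn` rather than on the JSON username is what closes the username/DN mix-up described in point 2 of the patch.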
Original issue reported on code.google.com by
sebastia...@gmail.com
on 18 May 2013 at 12:57