search

wso2 / financial-services-accelerator

WSO2 Open Banking Accelerator is a collection of technologies that increases the speed and reduces the complexity of adopting open banking compliance. Instead of building a solution from scratch, you can use WSO2 Open Banking Accelerator to meet all legislative requirements with additional benefits beyond compliance.
Apache License 2.0
7 stars 20 forks source link

[OB3] Prevent overriding MTLS Cert Header at TokenFilter #99

Closed imesh94 closed 1 month ago

imesh94 commented 1 month ago

[OB3] Prevent overriding MTLS Cert Header at TokenFilter

When a proxy is added to IS APIs through gateway, TLS is terminated at gateway and the Gateway transport certificate is passed to the IS. This causes client authentication failures. The certificate is added to the request as a header by GatewayClientAuthenticationHandler. This PR adds changes to the TokenFilter to prevent overriding that header if it is available.

Issue link: https://github.com/wso2-enterprise/ob-compliance-toolkit-cds/issues/511

Doc Issue: Optional, link issue from documentation repository

Applicable Labels: Spec, product, version, type (specify requested labels)

Development Checklist

  1. [ ] Built complete solution with pull request in place.
  2. [ ] Ran checkstyle plugin with pull request in place.
  3. [ ] Ran Findbugs plugin with pull request in place.
  4. [ ] Formatted code according to WSO2 code style.
  5. [ ] Migration scripts written (if applicable).

Secure Development Checklist

  1. [ ] Ran FindSecurityBugs plugin and verified report.
  2. [ ] Ran Dependency-check plugin and verified report for new dependencies added.
  3. [ ] Ran Dependency-check plugin and verified report for dependency version changes.
  4. [ ] Have you verify the PR does't commit any keys, passwords, tokens, usernames, or other secrets?
  5. [ ] Have you followed secure coding standards in WSO2 Secure Engineering Guidelines?

Testing Checklist

  1. [ ] Written unit tests.
  2. [ ] Documented test scenarios(link available in guides).
  3. [ ] Written automation tests (link available in guides).
  4. [ ] Verified tests in multiple database environments (if applicable).
  5. [ ] Verified tests in multiple deployed specifications (if applicable).
  6. [ ] Tested with OBBI enabled (if applicable).
  7. [ ] Tested with specification regulatory conformance suites (if applicable).

Automation Test Details

Test Suite Test Script IDs
Integration Suite TCXXXXX, TCXXXX

Conformance Tests Details

Test Suite Name Test Suite Version Scenarios Result
Security Suite VX.X Foo, Bar Passed

Resources

Knowledge Base: https://sites.google.com/wso2.com/open-banking/

Guides: https://sites.google.com/wso2.com/open-banking/developer-guides