
REST service authentication doesn't check cookies if Authorization header is present

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1, 4.1.3
    • Fix Version/s: 7.4-milestone-2
    • Component/s: REST
    • Labels:
      None
    • keywords:
      patch
    • Difficulty:
      Unknown
    • Documentation:
      N/A
    • Documentation in Release Notes:
      N/A
    • Pull Request Status:
      Awaiting Contributor feedback
    • Similar issues:

      Description

      As opposed to the XWiki authentication when navigating in the browser (through XWikiServlet), the authentication done by the REST servlet doesn't look at the cookies if an Authorization header is present in the request.
      This can create issues when trying to use XWiki behind an Apache which already has some basic authentication set up, where the basic authorization users don't match XWiki users. When a request from an authenticated user comes in, it will have both authorization headers and cookies. The REST service processes the authorization headers and, if the user doesn't match an XWiki user, returns 401. It would check cookies only if the authorization header were not present.

      Note that this behaviour is not necessarily wrong; it's only an issue because the XWiki servlet behaves otherwise and they should be consistent (all XWiki standard actions behind an Apache with basic authentication don't cause any kind of problem as long as the client sends the appropriate cookies).
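The two orderings described in the report, as an added illustration (not XWiki's code): a request that arrives through a front-end with its own basic authentication carries a non-XWiki Authorization header together with a valid XWiki session cookie. The user store, session table and cookie name below are constructed for the example.

```python
import base64

# Constructed sample data (not XWiki's real user or session store).
XWIKI_USERS = {"alice": "alice-secret"}   # XWiki user -> password
XWIKI_SESSIONS = {"abc123": "alice"}      # session cookie value -> logged-in user
COOKIE_NAME = "JSESSIONID"                # assumed session cookie name


def basic_header(user, password):
    """Build an 'Authorization: Basic' header value for user:password."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def user_from_basic_header(headers):
    """Return the XWiki user named by a valid Basic header, or None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        creds = base64.b64decode(value[len("Basic "):]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = creds.partition(":")
    return user if XWIKI_USERS.get(user) == password else None


def user_from_cookie(cookies):
    """Return the user bound to a known session cookie, or None."""
    return XWIKI_SESSIONS.get(cookies.get(COOKIE_NAME))


def rest_authenticate(headers, cookies):
    """Ordering the report describes for the REST servlet: a present
    Authorization header is decisive; cookies are only read when it is absent.
    Returns the user, '401 Unauthorized' on a rejected header, or None (no credentials)."""
    if "Authorization" in headers:
        return user_from_basic_header(headers) or "401 Unauthorized"
    return user_from_cookie(cookies)


def servlet_authenticate(headers, cookies):
    """Ordering the report describes for XWikiServlet: header first, then cookies."""
    return user_from_basic_header(headers) or user_from_cookie(cookies)


def proxied_request():
    """Request as forwarded by an Apache with its own basic auth: the Apache
    credentials (no matching XWiki user) plus the XWiki session cookie."""
    return basic_header("apache-user", "apache-pw"), {COOKIE_NAME: "abc123"}


if __name__ == "__main__":
    headers, cookies = proxied_request()
    print("REST servlet:", rest_authenticate(headers, cookies))     # 401 Unauthorized
    print("XWikiServlet:", servlet_authenticate(headers, cookies))  # alice
```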

              People

              • Assignee: tmortagne Thomas Mortagne
              • Reporter: lucaa Anca Luca
              • Votes: 3
              • Watchers: 3
