Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-7093

REST service authentication doesn't check cookies if Authorization header is present

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 7.4-milestone-2
    • 3.1, 4.1.3
    • REST
    • None
    • patch
    • Unknown
    • N/A
    • N/A
    • Awaiting Contributor feedback

    Description

      As opposed to the XWiki authentication when navigating in browser (through XWikiServlet), the authentication done by the REST servlet doesn't look at the cookies if an Authorization header is present in the request.
      This can create issues when trying to use XWiki behind an apache which has already some basic authentication set, where the basic authorization users don't match xwiki users. When a request from an authenticated user will come in, it will have both authorization headers and cookies. REST service processes the authorization headers and, if user doesn't match an xwiki user, returns 401. It would check cookies only if the authorization header would not be present.

      Note that this behaviour is not necessarily wrong, it's only an issue because xwiki servlet behaves otherwise and they should be consistent (all XWiki standard actions behind an apache with basic authentication don't cause any kind of problems as long as the client sends the appropriate cookies).

      Attachments

        1. XWIKI-7093.patch
          7 kB
          Anca Luca
        2. XWIKI-7093-20120718.patch
          8 kB
          Alex Dubov
        3. XWIKI-7093-20120718-dirtyhack.patch
          9 kB
          Alex Dubov

        Issue Links

          Activity

            People

              tmortagne Thomas Mortagne
              lucaa Anca Luca
              Votes:
              3 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: