Project: MyCoRe
Issue: MCR-1155

use "FORM" auth-method for MCRContainerLogin

    Details

    • Type: Task
    • Status: Closed
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 2015.11
    • Fix Version/s: 2016.02
    • Component/s: mycore-base, mycore-user2
    • Labels: None

      Description

      It was noticed recently that we cannot re-login the user on every request if MCRServlet3LoginServlet is used. This changes the sessionId of the HTTPSession with every request, which leads to lost sessions.

      For the sake of correctness we have to use the authenticate() method of the request here. Tomcat currently (8.0.30) lacks a feature: calling authenticate() after a successful login() will trigger a DIGEST authentication, as that is the auth-method defined for MCRContainerLogin.

      If we change the auth-method to "FORM" it will make the container login a bit more insecure, as the password is transmitted over the wire. As this is already the case for local users, it will not open "new" security holes. If "FORM" is used, Tomcat allows authenticate() to use the credentials of login(). This is what we want for sure!
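      As an added illustration (not the MyCoRe project's own web.xml), the following Servlet 3.x login-config shows the change this issue proposes, switching the container login from DIGEST to FORM, together with a transport guarantee that addresses the concern that FORM sends the password over the wire. The realm name, the form pages and the URL pattern are assumed values.

```xml
<!-- Added example, not the MyCoRe project's own deployment descriptor.
     login-config switched to FORM, as proposed in this issue. -->
<login-config>
  <auth-method>FORM</auth-method>
  <!-- assumed realm name -->
  <realm-name>MyCoRe</realm-name>
  <!-- assumed form pages; with programmatic login() they are only used
       when the container itself has to challenge an unauthenticated user -->
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- FORM transmits the password in the POST body, so require TLS for the
     protected resources; the container then redirects plain HTTP to HTTPS
     instead of accepting the credentials in clear text. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <!-- assumed URL pattern -->
    <url-pattern>/servlets/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

      With this configuration the servlet still performs the programmatic HttpServletRequest.login(user, password) once, and later requests can call request.authenticate(response) without triggering a DIGEST challenge; the CONFIDENTIAL transport guarantee is the standard Servlet element that keeps the FORM credentials off the wire in clear text.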

            People

            • Assignee: Thomas Scheffler (yagee)
            • Reporter: Thomas Scheffler (yagee)
            • Votes: 0
            • Watchers: 2

              Dates

              • Created:
              • Updated:
              • Resolved: