|Anonymous | Login | Signup for a new account||2018-12-15 12:06 CET|
|Main | My View | View Issues | Change Log | Roadmap|
|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000675||YaCy||[All Projects] General||public||2016-07-27 23:06||2016-08-05 01:27|
|Status||resolved||Resolution||no change required|
|Platform||OS||GNU/Linux||OS Version||Debian Jessie|
|Product Version||YaCy 1.8|
|Target Version||Fixed in Version|
|Summary||0000675: Unauthorized admin features with DIGEST authentication|
|Description||When setting YaCy HTTP authentication to DIGEST instead of BASIC, some administration features are still unauthaurized.|
The most obvious ones are /ConfigBasic.html and /Steering.html?shutdown= which end with a 401 Unauthaurized HTTP Status code.
Private pages suffixed with "_p" work fine.
It would be good to have Digest HTTP Authentication mode fully working for remotely administered YaCy servers with no TLS, as Basic authentication is well known as unsecure and should not be used without TLS.
|Steps To Reproduce||As described in wiki (http://www.yacy-websearch.net/wiki/index.php/En:Security [^]), modify the defaults/web.xml configuration file with <auth-method>DIGEST</auth-method>|
Go to a private page such as /ViewLog_p.html : once correct login/password is typed, the page is correctly displayed.
Go to /ConfigBasic.html : result is the following :
HTTP ERROR 401
Problem accessing /ConfigBasic.html. Reason: Unauthorized
|Additional Information||Some debugging reveals that Switchboard.adminAuthenticated() function does not support correctly Digest HTTP authentication mode :|
- condition "if ( realmValue.length() > 512 )" tests for a too short string
- realmValue itself is not correctly parsed
Many admin features are only activated when Switchboard.adminAuthenticated returns true, and so are missing when using Digest authentication.
|Tags||No tags attached.|
|Edit : the original condition is "if ( realmValue.length() > 256 ) "|
I was not able to reproduce the described behavior.
Steps to reproduce:
1. change web.xml in defaults auth from BASIC to DIGEST
2. from localhost goto Accounts, set "Access only with qualified account" password for user admin (+ save setting with "Define Administrator" button)
3. restart YaCy
4. access from remote /status.html -> login form -> using user and password just set
5. access /ViewLog_p.html followed by /ConfigBasic.htm followed by /Steering.html
all display and work fine from remote
Do you see any difference in the steps and/or does error appear following this sequence ?
Hi, I just tested again and got exactly the same HTTP 401 error...
- run from latest compiled sources from YaCy master github repository
- run from scratch : no previously existing DATA directory
- all settings are default, except admin password and web.xml auth method as described
- I run exactly the same steps as you, except that /Status.html doesn't ask for login/password and display limited public information. Login is only asked when visiting /ViewLog_p.html or another private page
- test configs, all reproducing the issue :
- Firefox 45 requesting localhost peer on Debian Jessie
- Firefox 47, IE Edge or Chrome 52, on Windows 10 requesting remote peer on Debian Jessie
I wonder what differ in our configurations which makes it works on yours : existing DATA, browser history... ?
I tested with IE Edge and Firefox 47, but peer runs on Win box.
Also latest source under java 8.
From these differences don't lead me to a idea for a cause.
Ok, when having some time I will try to re-run this test with a YaCy peer running on Windows with Java 8.
By the way, I now configure my remote peer with HTTPS enabled + Basic Authentication. This works fine and I hope provides a reasonnable security level, so I also updated the wiki section accordingly.
I did not reproduced the issue when running my peer on Windows 10.
And in the meantime I re-installed open jdk on my Debian machines, and guess what? No more problem with Digest Authentication!
I really wonder what initially went wrong... I re-tried many differents steps combinations, using either openjdk 7 or 8, and everything now works fine each time.
I am really sorry to have made loose your time. I think you can now close this issue.
Great to get that info and to know it works.
I still consider to make DIGEST default one day (but currently there are some backward compatibility requirements, as far as I know, that holds me up)
|2016-07-27 23:06||luc||New Issue|
|2016-07-27 23:08||luc||Note Added: 0001264|
|2016-08-01 01:04||BuBu||Note Added: 0001266|
|2016-08-01 01:04||BuBu||Assigned To||=> BuBu|
|2016-08-01 01:04||BuBu||Status||new => feedback|
|2016-08-02 01:02||luc||Note Added: 0001267|
|2016-08-02 01:02||luc||Status||feedback => assigned|
|2016-08-02 03:10||BuBu||Note Added: 0001269|
|2016-08-02 14:53||luc||Note Added: 0001270|
|2016-08-04 12:18||luc||Note Added: 0001271|
|2016-08-05 01:27||BuBu||Note Added: 0001272|
|2016-08-05 01:27||BuBu||Status||assigned => resolved|
|2016-08-05 01:27||BuBu||Resolution||open => no change required|
|Copyright © 2000 - 2018 MantisBT Team|