Removing user token query parameters to the REST API #185
Closed
adamkorynta
announced in
Announcements
Replies: 2 comments 1 reply
It's a security issue. You never want anything that grants special permission to do anything in a query param. They get cached or can be easily snagged by malicious JavaScript.
Not expecting it to be fixed under the CWMS CAC work, but in general it needs to go.
The processing of the token is also just awkward. But understandable considering how many times I had to read that JAX-RS book to have a handle on how these things should be processed.
…On Tue, Sep 10, 2024, 11:21 AM Adam Korynta wrote:
The REST API supports entering the token via both the Authentication header and as a query parameter. For the jax-rs resources implementation (endpoints) that means every method has a token parameter (whether authenticated or not).
For the work with implementing authentication procedures for CWMS CAC authentication, it makes sense to remove the query parameters and leave just the header for token authorization.
CWMS CAC authentication using the CWMS AAA service relies on the JSESSIONIDSSO cookie rather than a header or query parameter. Having the query token parameter no-opped is a maintenance burden and is unnecessary given the authorization header is already sufficient. The web client GUI currently always sends both the header and the query parameter.
1 reply
Query parameters were removed with PR: #186
0 replies
The REST API supports entering the token via both the Authentication header and as a query parameter. For the jax-rs resources implementation (endpoints) that means every method has a token parameter (whether authenticated or not).
For the work with implementing authentication procedures for CWMS CAC authentication, it makes sense to remove the query parameters and leave just the header for token authorization.
CWMS CAC authentication using the CWMS AAA service relies on the JSESSIONIDSSO cookie rather than a header or query parameter. Having the query token parameter no-opped is a maintenance burden and is unnecessary given the authorization header is already sufficient. The web client GUI currently always sends both the header and the query parameter.
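As an added illustration of the change discussed in this thread (example code written for this page, not code from the discussion, PR #186 or the CWMS project): a JAX-RS sketch of a resource that accepts the token from the query string, a request filter that reads it from the Authorization header only, and the same resource once the token parameter is gone from the method signature. The `jakarta.ws.rs` namespace (older containers use `javax.ws.rs`), the `example.auth` package, the class names, the `/before` and `/after` paths and the `example.auth.token` request property are all assumptions made for the example.

```java
package example.auth; // assumed package, not part of the CWMS project

import java.io.IOException;
import java.util.logging.Logger;

import jakarta.annotation.Priority;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.HeaderParam;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Priorities;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.Provider;

public final class TokenHeaderExample {

    /** BEFORE: the token rides on every method signature and is accepted from the URL. */
    @Path("/before/locations")
    public static class LocationsBefore {
        @GET
        @Produces(MediaType.APPLICATION_JSON)
        public Response list(@QueryParam("token") String queryToken,
                             @HeaderParam(HttpHeaders.AUTHORIZATION) String authHeader) {
            // A token in the query string is written to access logs and proxy caches,
            // kept in browser history, leaks through the Referer header, and is readable
            // by any script running in the page via document.location.
            String token = queryToken != null ? queryToken : stripBearer(authHeader);
            return token == null ? unauthorized() : Response.ok("{\"locations\":[]}").build();
        }
    }

    /** Filter that extracts the bearer token from the Authorization header and nothing else. */
    @Provider
    @Priority(Priorities.AUTHENTICATION)
    public static class BearerTokenFilter implements ContainerRequestFilter {
        static final String TOKEN_PROPERTY = "example.auth.token"; // assumed property name
        private static final Logger LOG = Logger.getLogger(BearerTokenFilter.class.getName());

        @Override
        public void filter(ContainerRequestContext ctx) throws IOException {
            // The query parameter is never read. Logging that a client still sends it
            // (never its value) shows which clients need updating before it is dropped.
            if (ctx.getUriInfo().getQueryParameters().containsKey("token")) {
                LOG.warning("ignored legacy token query parameter on " + ctx.getUriInfo().getPath());
            }
            String token = stripBearer(ctx.getHeaderString(HttpHeaders.AUTHORIZATION));
            if (token != null) {
                ctx.setProperty(TOKEN_PROPERTY, token);
            }
            // Unauthenticated requests pass through; each resource decides whether it needs a token.
        }
    }

    /** AFTER: resource methods no longer carry a token parameter at all. */
    @Path("/after/locations")
    public static class LocationsAfter {
        @GET
        @Produces(MediaType.APPLICATION_JSON)
        public Response list(@Context ContainerRequestContext ctx) {
            String token = (String) ctx.getProperty(BearerTokenFilter.TOKEN_PROPERTY);
            return token == null ? unauthorized() : Response.ok("{\"locations\":[]}").build();
        }
    }

    /** Returns the credential from "Bearer <token>", or null if the header is absent or malformed. */
    static String stripBearer(String authHeader) {
        if (authHeader == null) {
            return null;
        }
        String prefix = "Bearer ";
        if (authHeader.length() <= prefix.length()
                || !authHeader.regionMatches(true, 0, prefix, 0, prefix.length())) {
            return null;
        }
        String token = authHeader.substring(prefix.length()).trim();
        return token.isEmpty() ? null : token;
    }

    /** 401 with the challenge header, so clients learn which scheme is expected. */
    static Response unauthorized() {
        return Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer")
                .build();
    }
}
```

With the filter in place the token is parsed once, in one location, instead of in every resource method, which is the maintenance point the post makes; a client that still sends `?token=` gets the same answer as one that does not, and the warning line in the server log is the only trace that the parameter was present.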