Change in ovirt-engine[master]: aaa: Request state does not match session state after succes...

mperina at redhat.com mperina at redhat.com
Fri Aug 19 05:11:15 UTC 2016


Martin Peřina has submitted this change and it was merged.

Change subject: aaa: Request state does not match session state after successful login
......................................................................


aaa: Request state does not match session state after successful login

Fix the usability issues with mismatched
session state when the login screen session
has expired.

The client id and client secret with the
redirect uri check should be a sufficient
security check; the session "state", which is
a random string and was passed between sso
and engine as an additional level of security,
can be dropped without any security threats.

Change-Id: I9874c007e2d3382bbcdc8a280302306e2e6dc601
Bug-Url: https://bugzilla.redhat.com/1367921
Signed-off-by: Ravi Nori <rnori at redhat.com>
---
M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java
M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoLoginServlet.java
M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java
M backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/servlets/OAuthAuthorizeServlet.java
M backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/utils/SsoConstants.java
M backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/utils/SsoSession.java
M backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/utils/SsoUtils.java
M backend/manager/modules/welcome/src/main/java/org/ovirt/engine/core/LoginServlet.java
M backend/manager/modules/welcome/src/main/java/org/ovirt/engine/core/OAuthCallbackServlet.java
M backend/manager/modules/welcome/src/main/java/org/ovirt/engine/core/WelcomeServlet.java
M backend/manager/modules/welcome/src/main/java/org/ovirt/engine/core/WelcomeUtils.java
11 files changed, 8 insertions(+), 59 deletions(-)

Approvals:
  Martin Peřina: Looks good to me, approved
  Ravi Nori: Verified
  Jenkins CI: Passed CI tests



-- 
To view, visit https://gerrit.ovirt.org/62470
To unsubscribe, visit https://gerrit.ovirt.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I9874c007e2d3382bbcdc8a280302306e2e6dc601
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Ravi Nori <rnori at redhat.com>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Martin Peřina <mperina at redhat.com>
Gerrit-Reviewer: Ravi Nori <rnori at redhat.com>
Gerrit-Reviewer: gerrit-hooks <automation at ovirt.org>


