Change in ovirt-engine[ovirt-engine-4.0]: aaa: Request state does not match session state after succes...

piotr.kliczewski at gmail.com
Fri Aug 19 10:56:24 UTC 2016


Piotr Kliczewski has submitted this change and it was merged.

Change subject: aaa: Request state does not match session state after successful login
......................................................................


aaa: Request state does not match session state after successful login

Fix the usability issues with mismatched
session state when the login screen session
has expired.

The client id and client secret with the
redirect uri check should be a sufficient
security check; session "state", which is
a random string and was passed between sso
and engine as an additional level of security,
can be dropped without any security threats.

Change-Id: I9874c007e2d3382bbcdc8a280302306e2e6dc601
Bug-Url: https://bugzilla.redhat.com/1367921
Signed-off-by: Ravi Nori <rnori at redhat.com>
---
M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java
M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoLoginServlet.java
M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java
M backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/servlets/OAuthAuthorizeServlet.java
M backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/utils/SsoConstants.java
M backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/utils/SsoSession.java
M backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/utils/SsoUtils.java
M backend/manager/modules/enginesso/src/main/webapp/WEB-INF/login.jsp
M backend/manager/modules/welcome/src/main/java/org/ovirt/engine/core/LoginServlet.java
M backend/manager/modules/welcome/src/main/java/org/ovirt/engine/core/OAuthCallbackServlet.java
M backend/manager/modules/welcome/src/main/java/org/ovirt/engine/core/WelcomeServlet.java
M backend/manager/modules/welcome/src/main/java/org/ovirt/engine/core/WelcomeUtils.java
12 files changed, 9 insertions(+), 60 deletions(-)

Approvals:
  Martin Peřina: Looks good to me, approved
  Ravi Nori: Verified
  Jenkins CI: Passed CI tests



-- 
To view, visit https://gerrit.ovirt.org/62582

Gerrit-MessageType: merged
Gerrit-Change-Id: I9874c007e2d3382bbcdc8a280302306e2e6dc601
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: ovirt-engine-4.0
Gerrit-Owner: Ravi Nori <rnori at redhat.com>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Martin Peřina <mperina at redhat.com>
Gerrit-Reviewer: Piotr Kliczewski <piotr.kliczewski at gmail.com>
Gerrit-Reviewer: Ravi Nori <rnori at redhat.com>
Gerrit-Reviewer: Tal Nisan <tnisan at redhat.com>
Gerrit-Reviewer: gerrit-hooks <automation at ovirt.org>


