<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<font color="#232323">Justin,</font>
<div><font color="#232323">While debugging workflow related to authorization code request </font><span style="color: rgb(35, 35, 35);">I found that authorization EP provided by Spring Security OAuth2 (</span><span style="color: rgb(35, 35, 35);">org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint)
</span><font color="#232323">namespace is not protected as it’s supposed. I was able to enter this EP without any authentication. </font><span style="color: rgb(35, 35, 35);">Section "</span><span style="color: rgb(35, 35, 35); line-height: 1.43;">Configuring
the Endpoint URL“ of </span><span style="color: rgb(35, 35, 35); line-height: 25px;">“</span><font color="#232323"><span style="line-height: 1.43;">OAuth 2 Developer Guide</span><span style="line-height: 25px;">”</span><span style="line-height: 1.43;"> states
</span></font><font color="#232323">(See <a href="https://github.com/spring-projects/spring-security-oauth/blob/master/docs/oauth2.md">https://github.com/spring-projects/spring-security-oauth/blob/master/docs/oauth2.md</a>)</font><span style="color: rgb(35, 35, 35);">:
“</span><span style="color: rgb(35, 35, 35); background-color: rgb(255, 255, 255); line-height: 25px;">N.B.</span><span style="color: rgb(35, 35, 35); background-color: rgb(255, 255, 255); line-height: 25px;"> </span><span style="color: rgb(35, 35, 35);">T</span><span style="color: rgb(35, 35, 35); line-height: 25px; background-color: rgb(255, 255, 255);">he
Authorization endpoint </span><code style="color: rgb(35, 35, 35); box-sizing: border-box; padding: 0.2em 0px; margin: 0px; background-color: rgba(0, 0, 0, 0.0392157); border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px;">/oauth/authorize</code><span style="color: rgb(35, 35, 35); line-height: 25px; background-color: rgb(255, 255, 255);"> (or
its mapped alternative) should be protected using Spring Security so that it is only accessible to authenticated users.</span><span style="color: rgb(35, 35, 35); line-height: 25px;">“. The example provided in the document implies that the endpoint must be
protected from outside by the Spring Security framework.</span></div>
<div>
<div><span style="color: rgb(35, 35, 35); line-height: 25px; background-color: rgb(255, 255, 255);">There is some sort of protection </span><span style="color: rgb(35, 35, 35); line-height: 25px;">within the endpoint itself, but it certainly does not require
ROLE_USER authority as you suggested previously. I was able to pass internal security check using different role. </span></div>
<div><span style="color: rgb(35, 35, 35); line-height: 25px;">On the other hand, the other OAuth2 endpoint responsible for user approval process </span><span style="color: rgb(35, 35, 35);">"/oauth/confirm_access” is protected as expected. </span></div>
<div><font color="#232323">Thus, this endpoint mitigate the lack of proper security for authorize endpoint. But, it seems to me that for white-listed clients it does not matter. </font></div>
<div><font color="#232323"><br>
</font></div>
<div><font color="#232323">In my opinion it is a security issue of MitreID Connect.</font></div>
<div><br>
</div>
<div><span style="color: rgb(35, 35, 35);">Thanks,</span></div>
<div><font color="#232323">Zhanna</font></div>
<div><br>
</div>
<div>
<div>On Aug 20, 2015, at 4:48 PM, Justin Richer <<a href="mailto:jricher@MIT.EDU">jricher@MIT.EDU</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
I suggest reading the documentation for Spring Security and Spring Security OAuth.
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Aug 20, 2015, at 10:21 AM, Zhanna Tsitkov <<a href="mailto:tsitkova@mit.edu" class="">tsitkova@mit.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
ok. Sounds good. Can you please point to a particular place where this is implemented.
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<div class="">Zhanna<br class="">
<div class=""><br class="">
<div class="">
<div class="">On Aug 20, 2015, at 10:14 AM, Justin Richer <<a href="mailto:jricher@mit.edu" class="">jricher@mit.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
The rest of Spring Security, which is configured throughout the code, outside the XML. Specifically, the authorization endpoint requires ROLE_USER to access.
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Aug 20, 2015, at 10:04 AM, Zhanna Tsitkov <<a href="mailto:tsitkova@mit.edu" class="">tsitkova@mit.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
In this block access intercept is set to permitAll: <span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);" class=""><</span><span class="pl-ent" style="box-sizing: border-box; color: rgb(99, 163, 92); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);">security</span><span class="pl-ent" style="box-sizing: border-box; color: rgb(99, 163, 92); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);">:</span><span class="pl-ent" style="box-sizing: border-box; color: rgb(99, 163, 92); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);">intercept-url</span><span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);" class="">
</span><span class="pl-e" style="box-sizing: border-box; color: rgb(121, 93, 163); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);">pattern</span><span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);" class="">=</span><span class="pl-s" style="box-sizing: border-box; color: rgb(24, 54, 145); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);"><span class="pl-pds" style="box-sizing: border-box;">"</span>/**<span class="pl-pds" style="box-sizing: border-box;">"</span></span><span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);" class="">
</span><span class="pl-e" style="box-sizing: border-box; color: rgb(121, 93, 163); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);">access</span><span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);" class="">=</span><span class="pl-s" style="box-sizing: border-box; color: rgb(24, 54, 145); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);"><span class="pl-pds" style="box-sizing: border-box;">"</span>permitAll<span class="pl-pds" style="box-sizing: border-box;">"</span></span><span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);" class="">
/></span>
<div class="">What mechanism is used to protect this EP? </div>
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<div class="">Zhanna</div>
<div class=""><br class="">
<div class="">
<div class="">
<div class="">On Aug 20, 2015, at 9:47 AM, Justin Richer <<a href="mailto:jricher@MIT.EDU" class="">jricher@MIT.EDU</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
As it says in the paragraph of documentation that you quoted below, it’s protected the same way that the rest of the UI is protected. This is handled in the main <security:http> block in user-context.xml.
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Aug 20, 2015, at 9:45 AM, Zhanna Tsitkov <<a href="mailto:tsitkova@mit.edu" class="">tsitkova@mit.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<font color="#232323" class="">Hi,</font>
<div class=""><font color="#232323" class="">According to the documentation for <span style="background-color: rgb(255, 255, 255); line-height: 18px; white-space: pre;" class="">configure method of
</span> <span class="pl-en" style="line-height: 18px; white-space: pre; background-color: rgb(255, 255, 255); box-sizing: border-box;">AuthorizationServerConfigurer
</span><span class="pl-k" style="line-height: 18px; white-space: pre; background-color: rgb(255, 255, 255); box-sizing: border-box;">interface</span><span style="line-height: 18px; white-space: pre; background-color: rgb(255, 255, 255);" class="">
</span></font></div>
<div class=""><span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; line-height: 18px; white-space: pre; background-color: rgb(255, 255, 255);" class="">"</span></div>
<br class="">
<table class="tab-size js-file-line-container highlight" data-tab-size="8" style="box-sizing: border-box; border-collapse: collapse; border-spacing: 0px; tab-size: 8; color: rgb(51, 51, 51); font-family: Helvetica, arial, nimbussansl, liberationsans, freesans, clean, sans-serif, 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 13px; line-height: 18px; background-color: rgb(255, 255, 255); position: static; z-index: auto;">
<tbody style="box-sizing: border-box;" class="">
<tr style="box-sizing: border-box;" class="">
<td id="LC32" class="js-file-line blob-code-inner blob-code" style="box-sizing: border-box; padding: 0px 10px; position: relative; vertical-align: top; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; white-space: pre; overflow: visible; word-wrap: normal;">
<br class="">
</td>
</tr>
<tr style="box-sizing: border-box;" class="">
<td id="L33" class="blob-num js-line-number" data-line-number="33" style="box-sizing: border-box; padding: 0px 10px; width: 50px; min-width: 50px; white-space: nowrap; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; vertical-align: top; text-align: right; border-style: solid; border-color: rgb(238, 238, 238); border-width: 0px 1px 0px 0px; cursor: pointer; -webkit-user-select: none;">
</td>
<td id="LC33" class="js-file-line blob-code-inner blob-code" style="box-sizing: border-box; padding: 0px 10px; position: relative; vertical-align: top; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; white-space: pre; overflow: visible; word-wrap: normal;">
<span class="pl-c" style="box-sizing: border-box; color: rgb(150, 152, 150);">* The /oauth/authorize endpoint also needs to be secure, but that is a normal user-facing endpoint and should be</span></td>
</tr>
<tr style="box-sizing: border-box;" class="">
<td id="L34" class="blob-num js-line-number" data-line-number="34" style="box-sizing: border-box; padding: 0px 10px; width: 50px; min-width: 50px; white-space: nowrap; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; vertical-align: top; text-align: right; border-style: solid; border-color: rgb(238, 238, 238); border-width: 0px 1px 0px 0px; cursor: pointer; -webkit-user-select: none;">
</td>
<td id="LC34" class="js-file-line blob-code-inner blob-code" style="box-sizing: border-box; padding: 0px 10px; position: relative; vertical-align: top; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; white-space: pre; overflow: visible; word-wrap: normal;">
<span class="pl-c" style="box-sizing: border-box; color: rgb(150, 152, 150);">* secured the same way as the rest of your UI, so is not covered here. The default settings cover the most common</span></td>
</tr>
<tr style="box-sizing: border-box;" class="">
<td id="L35" class="blob-num js-line-number" data-line-number="35" style="box-sizing: border-box; padding: 0px 10px; width: 50px; min-width: 50px; white-space: nowrap; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; vertical-align: top; text-align: right; border-style: solid; border-color: rgb(238, 238, 238); border-width: 0px 1px 0px 0px; cursor: pointer; -webkit-user-select: none;">
</td>
<td id="LC35" class="js-file-line blob-code-inner blob-code" style="box-sizing: border-box; padding: 0px 10px; position: relative; vertical-align: top; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; white-space: pre; overflow: visible; word-wrap: normal;">
<span class="pl-c" style="box-sizing: border-box; color: rgb(150, 152, 150);">* requirements, following recommendations from the OAuth2 spec, so you don't need to do anything here to get a</span></td>
</tr>
<tr style="box-sizing: border-box;" class="">
<td id="L36" class="blob-num js-line-number" data-line-number="36" style="box-sizing: border-box; padding: 0px 10px; width: 50px; min-width: 50px; white-space: nowrap; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; vertical-align: top; text-align: right; border-style: solid; border-color: rgb(238, 238, 238); border-width: 0px 1px 0px 0px; cursor: pointer; -webkit-user-select: none;">
</td>
<td id="LC36" class="js-file-line blob-code-inner blob-code" style="box-sizing: border-box; padding: 0px 10px; position: relative; vertical-align: top; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; white-space: pre; overflow: visible; word-wrap: normal;">
<span class="pl-c" style="box-sizing: border-box; color: rgb(150, 152, 150);">* basic server up and running.</span></td>
</tr>
</tbody>
</table>
<div class="">"</div>
<div class="">In MitreID Connect it looks like this EP is not explicitly protected. How it is done? </div>
<div class="">Thanks,</div>
<div class="">Zhanna</div>
</div>
_______________________________________________<br class="">
mitreid-connect mailing list<br class="">
<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class="">
<a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" class="">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br>
</div>
</body>
</html>