<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
The reason why you are prompted to log in is the following exception thrown in <span style="color: rgb(121, 93, 163); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);">AuthorizationEndpoint</span>:authorize
<div><br>
</div>
<div>
<div><pre style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; line-height: 16px; background-color: rgb(255, 255, 255);">if (!(principal instanceof Authentication) || !((Authentication) principal).isAuthenticated()) {
    throw new InsufficientAuthenticationException(
            "User must be authenticated with Spring Security before authorization can be completed.");
}</pre></div>
<div><span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);"><br>
</span></div>
<div><span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);"><br>
</span></div>
<div>If a user is not authenticated at all, then principal equals null and an exception is generated. Then this exception is intercepted by ExceptionTranslator and the user is forced to log in. However, if the principal is already somehow authenticated, this check
passes. This check does not require the user to be authenticated with authority ROLE_USER.</div>
<div><br>
</div>
<div>I suggest debugging this code to better understand the issue.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Zhanna</div>
<div> <br>
<div>
<div>On Aug 21, 2015, at 9:43 AM, Justin Richer <<a href="mailto:jricher@MIT.EDU">jricher@MIT.EDU</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
I am unable to replicate the exploit. Even when the client has been whitelisted, when going to the authorization endpoint, I am prompted to log in. I am unable to generate a token from an unauthenticated user, and so I don’t believe this is a security issue.
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Aug 21, 2015, at 9:30 AM, Zhanna Tsitkov <<a href="mailto:tsitkova@mit.edu" class="">tsitkova@mit.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<font color="#232323" class="">Justin,</font>
<div class=""><font color="#232323" class="">While debugging the workflow related to the authorization code request, I found that the authorization EP provided by the Spring Security OAuth2 (org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint)
namespace is not protected as it is supposed to be. I was able to enter this EP without any authentication. Section “Configuring the Endpoint URL” of the “OAuth 2 Developer Guide” states
(see <a href="https://github.com/spring-projects/spring-security-oauth/blob/master/docs/oauth2.md" class="">https://github.com/spring-projects/spring-security-oauth/blob/master/docs/oauth2.md</a>):
“N.B. The Authorization endpoint </font><code style="color: rgb(35, 35, 35); box-sizing: border-box; padding: 0.2em 0px; margin: 0px; background-color: rgba(0, 0, 0, 0.0392157); border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px;" class="">/oauth/authorize</code><font color="#232323" class=""> (or
its mapped alternative) should be protected using Spring Security so that it is only accessible to authenticated users.” The example provided in the document implies that the endpoint
must be protected from outside by the Spring Security framework.</font></div>
<div class="">
<div class=""><span style="color: rgb(35, 35, 35); line-height: 25px;" class="">There is some sort of protection within the endpoint itself, but it certainly
does not require ROLE_USER authority as you suggested previously. I was able to pass the internal security check using a different role. </span></div>
<div class=""><span style="color: rgb(35, 35, 35); line-height: 25px;" class="">On the other hand, the other OAuth2 endpoint responsible for the user approval process, “/oauth/confirm_access”, is protected as
expected. </span></div>
<div class=""><font color="#232323" class="">Thus, this endpoint mitigates the lack of proper security for the authorize endpoint. But it seems to me that for white-listed clients it does not matter. </font></div>
<div class=""><font color="#232323" class=""><br class="">
</font></div>
<div class=""><font color="#232323" class="">In my opinion it is a security issue of MitreID Connect.</font></div>
<div class=""><br class="">
</div>
<div class=""><span style="color: rgb(35, 35, 35);" class="">Thanks,</span></div>
<div class=""><font color="#232323" class="">Zhanna</font></div>
<div class=""><br class="">
</div>
<div class="">
<div class="">On Aug 20, 2015, at 4:48 PM, Justin Richer <<a href="mailto:jricher@MIT.EDU" class="">jricher@MIT.EDU</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
I suggest reading the documentation for Spring Security and Spring Security OAuth.
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Aug 20, 2015, at 10:21 AM, Zhanna Tsitkov <<a href="mailto:tsitkova@mit.edu" class="">tsitkova@mit.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
OK. Sounds good. Can you please point to a particular place where this is implemented?
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<div class="">Zhanna<br class="">
<div class=""><br class="">
<div class="">
<div class="">On Aug 20, 2015, at 10:14 AM, Justin Richer <<a href="mailto:jricher@mit.edu" class="">jricher@mit.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
The rest of Spring Security, which is configured throughout the code, outside the XML. Specifically, the authorization endpoint requires ROLE_USER to access.
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Aug 20, 2015, at 10:04 AM, Zhanna Tsitkov <<a href="mailto:tsitkova@mit.edu" class="">tsitkova@mit.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
In this block access intercept is set to permitAll: <code class="">&lt;security:intercept-url pattern="/**" access="permitAll" /&gt;</code>
<div class="">What mechanism is used to protect this EP? </div>
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<div class="">Zhanna</div>
<div class=""><br class="">
<div class="">
<div class="">
<div class="">On Aug 20, 2015, at 9:47 AM, Justin Richer <<a href="mailto:jricher@MIT.EDU" class="">jricher@MIT.EDU</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
As it says in the paragraph of documentation that you quoted below, it’s protected the same way that the rest of the UI is protected. This is handled in the main &lt;security:http&gt; block in user-context.xml.
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Aug 20, 2015, at 9:45 AM, Zhanna Tsitkov <<a href="mailto:tsitkova@mit.edu" class="">tsitkova@mit.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<font color="#232323" class="">Hi,</font>
<div class=""><font color="#232323" class="">According to the documentation for the <code class="">configure</code> method of the <code class="">AuthorizationServerConfigurer</code> interface:</font></div>
<div class=""><span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; line-height: 18px; white-space: pre; background-color: rgb(255, 255, 255);" class="">"</span></div>
<br class="">
<pre class="" style="color: rgb(150, 152, 150); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; line-height: 18px; background-color: rgb(255, 255, 255);">* The /oauth/authorize endpoint also needs to be secure, but that is a normal user-facing endpoint and should be
* secured the same way as the rest of your UI, so is not covered here. The default settings cover the most common
* requirements, following recommendations from the OAuth2 spec, so you don't need to do anything here to get a
* basic server up and running.</pre>
<div class="">"</div>
<div class="">In MitreID Connect it looks like this EP is not explicitly protected. How is it done? </div>
<div class="">Thanks,</div>
<div class="">Zhanna</div>
</div>
_______________________________________________<br class="">
mitreid-connect mailing list<br class="">
<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class="">
<a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" class="">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
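<div>The check quoted from AuthorizationEndpoint in the most recent reply, run against four constructed principals to show which ones it accepts and which of those also hold ROLE_USER. This is an added example, not code from the thread, Spring Security OAuth or MitreID Connect; it assumes spring-security-core on the classpath, and the class name, the <code>hasAuthority</code> helper and the role <code>ROLE_OTHER</code> are hypothetical.</div>

```java
import java.security.Principal;

import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

// Added illustration (hypothetical class); needs spring-security-core to compile and run.
public class AuthorizeCheckDemo {

    // Same condition as the check quoted from AuthorizationEndpoint in the thread:
    // it only asks "is this an authenticated Authentication?", not "which authorities?".
    static void endpointCheck(Principal principal) {
        if (!(principal instanceof Authentication) || !((Authentication) principal).isAuthenticated()) {
            throw new InsufficientAuthenticationException(
                    "User must be authenticated with Spring Security before authorization can be completed.");
        }
    }

    // Hypothetical stricter check: authenticated AND holding the named authority.
    // This is what a URL-level access rule requiring ROLE_USER would enforce.
    static boolean hasAuthority(Principal principal, String authority) {
        if (!(principal instanceof Authentication)) {
            return false; // covers null as well
        }
        Authentication auth = (Authentication) principal;
        if (!auth.isAuthenticated()) {
            return false;
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (authority.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    // One summary line per principal: result of the endpoint check and of the role check.
    static String describe(String label, Principal principal) {
        String endpoint;
        try {
            endpointCheck(principal);
            endpoint = "passes";
        } catch (InsufficientAuthenticationException e) {
            endpoint = "rejected";
        }
        String role = hasAuthority(principal, "ROLE_USER") ? "present" : "absent";
        return label + ": endpoint check " + endpoint + ", ROLE_USER " + role;
    }

    public static void main(String[] args) {
        // Constructed principals; names, credentials and ROLE_OTHER are sample values.
        Principal none = null; // no login at all
        Principal unauthenticated =
                new UsernamePasswordAuthenticationToken("alice", "secret"); // 2-arg form: not yet authenticated
        Principal otherRole = new UsernamePasswordAuthenticationToken(
                "svc", "n/a", AuthorityUtils.createAuthorityList("ROLE_OTHER")); // authenticated, no ROLE_USER
        Principal user = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER")); // authenticated user

        System.out.println(describe("no principal", none));
        System.out.println(describe("unauthenticated token", unauthenticated));
        System.out.println(describe("authenticated, other role", otherRole));
        System.out.println(describe("authenticated, ROLE_USER", user));
    }
}
```

<div>The third case is the one the thread turns on: the endpoint's own check accepts it, so any ROLE_USER requirement has to come from the surrounding Spring Security access rules rather than from the endpoint itself.</div>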
</body>
</html>