
Task #3201 (new)

Opened 14 years ago

Last modified 13 years ago

BUG: User cannot change password — at Version 2

Reported by: atarkowska Owned by: jamoore
Priority: minor Milestone: OMERO-Beta4.2.1
Component: Services Version: n.a.
Keywords: n.a. Cc: jburel, cneves
Resources: n.a. Referenced By: n.a.
References: n.a. Remaining Time: n.a.
Sprint: 2010-11-11 (19)

Description (last modified by jmoore)

Request Method: 	POST
Request URL: 	http://localhost:8000/webadmin/myaccount/save/
Exception Type: 	SecurityViolation
Exception Value: 	

exception ::omero::SecurityViolation
{
    serverStackTrace = ome.conditions.SecurityViolation: Bad authentication credentials for this action
	at ome.security.basic.BasicMethodSecurity.checkMethod(BasicMethodSecurity.java:130)
	at ome.security.basic.BasicSecurityWiring.invoke(BasicSecurityWiring.java:78)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at ome.services.blitz.fire.AopContextInitializer.invoke(AopContextInitializer.java:40)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
	at $Proxy66.changePassword(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:592)
	at ome.services.blitz.util.IceMethodInvoker.invoke(IceMethodInvoker.java:179)
	at ome.services.throttling.Callback.run(Callback.java:56)
	at ome.services.throttling.InThreadThrottlingStrategy.callInvokerOnRawArgs(InThreadThrottlingStrategy.java:56)
	at ome.services.blitz.impl.AbstractAmdServant.callInvokerOnRawArgs(AbstractAmdServant.java:136)
	at ome.services.blitz.impl.AdminI.changePassword_async(AdminI.java:133)
	at omero.api._IAdminTie.changePassword_async(_IAdminTie.java:106)
	at omero.api._IAdminDisp.___changePassword(_IAdminDisp.java:1245)
	at omero.api._IAdminDisp.__dispatch(_IAdminDisp.java:1467)
	at IceInternal.Incoming.invoke(Incoming.java:159)
	at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)
	at Ice.ConnectionI.message(ConnectionI.java:972)
	at IceInternal.ThreadPool.run(ThreadPool.java:577)
	at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
	at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)

    serverExceptionClass = ome.conditions.SecurityViolation
    message = Bad authentication credentials for this action
}

Exception Location: 	/Users/ola/Dev/omero/dist/lib/python/omero_api_IAdmin_ice.py in changePassword, line 350

Change History (2)

comment:1 Changed 14 years ago by jmoore

Ola, this is because you are not using a secure connection to pass the password. See #911 for the background and we can discuss when you're ready. In Insight, a second omero.client is kept for making these calls.

comment:2 Changed 14 years ago by jmoore

  • Cc jburel added
  • Description modified (diff)

Ola, sorry, the issue with the second omero.client is another problem you might run into (see the first comment of #2099). #911 says that a user can only call changePassword if the session that they got the IAdmin instance from was created using a real password and not joinSession(). Otherwise an attacker could:

  • sniff a session uuid from the wire (which will eventually timeout)
  • login with the session uuid
  • call changePassword
  • start creating new sessions with the new password

I realize that in the web scenario N-1 of the workers will have been authenticated with a session uuid, so if you receive a SecurityViolation you will need to re-authenticate, or create a temporary SSL-based omero.client with the real password.

There are currently no TestingScenarios dealing with passwords, so I added #3202.
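The rule jmoore describes above can be made concrete in a small model. The following is an added example, not code from the ticket or from OMERO: a toy server that records, per connection handle, whether that handle was opened with the user's real password or merely attached to an existing session by uuid, and only honours changePassword on the former. It also shows the two sides of the discussion: the sniffed-uuid attack the rule blocks, and the web-worker fallback to a temporary password-authenticated client. Names such as Server, Handle, create_session and join_session are assumptions for this example (OMERO's real calls live in omero.client and IAdmin), the user/password data is constructed, and transport security (the SSL requirement from comment 1) is out of scope here.

```python
"""Toy model of the changePassword rule discussed in this ticket.

A password change is only honoured on a connection opened with the user's
real password, never on one that joined an existing session by uuid.
Class and method names here are assumptions for the example, not OMERO's API.
"""
import secrets
from dataclasses import dataclass


class SecurityViolation(Exception):
    """Stands in for ome.conditions.SecurityViolation."""


@dataclass(frozen=True)
class Handle:
    """Opaque connection handle. The server, not the client, remembers
    how each handle was authenticated, so the flag cannot be forged."""
    id: str
    uuid: str


class Server:
    def __init__(self, passwords):
        self._passwords = dict(passwords)  # user -> password (constructed test data)
        self._sessions = {}                # session uuid -> user
        self._handles = {}                 # handle id -> (session uuid, via_password)

    def _open(self, uuid, via_password):
        handle = Handle(secrets.token_hex(8), uuid)
        self._handles[handle.id] = (uuid, via_password)
        return handle

    def create_session(self, user, password):
        """Login with the real password (the SSL-based login in OMERO terms)."""
        if self._passwords.get(user) != password:
            raise SecurityViolation("Bad authentication credentials")
        uuid = secrets.token_hex(16)
        self._sessions[uuid] = user
        return self._open(uuid, via_password=True)

    def join_session(self, uuid):
        """Attach to an existing session by uuid only; no password is involved."""
        if uuid not in self._sessions:
            raise SecurityViolation("Unknown session")
        return self._open(uuid, via_password=False)

    def close(self, handle):
        self._handles.pop(handle.id, None)

    def change_password(self, handle, new_password):
        """Refused unless this particular handle was opened with a password."""
        entry = self._handles.get(handle.id)
        if entry is None or not entry[1]:
            raise SecurityViolation("Bad authentication credentials for this action")
        self._passwords[self._sessions[entry[0]]] = new_password


def change_password_from_worker(server, worker, user, current_password, new_password):
    """What a web worker holding only a joined handle has to do: try the
    direct call, and on SecurityViolation fall back to a temporary client
    authenticated with the real password. Returns which path was taken."""
    try:
        server.change_password(worker, new_password)
        return "direct"
    except SecurityViolation:
        tmp = server.create_session(user, current_password)
        try:
            server.change_password(tmp, new_password)
        finally:
            server.close(tmp)
        return "temporary-client"


def attacker_with_sniffed_uuid(server, uuid, new_password):
    """The scenario the rule rules out: join with a sniffed session uuid and
    try to set a new password. Returns True if the attempt was rejected."""
    stolen = server.join_session(uuid)
    try:
        server.change_password(stolen, new_password)
    except SecurityViolation:
        return True
    return False


if __name__ == "__main__":
    srv = Server({"ola": "old-pw"})
    first = srv.create_session("ola", "old-pw")   # password login
    worker = srv.join_session(first.uuid)         # a second web worker
    print(attacker_with_sniffed_uuid(srv, first.uuid, "pwned"))                    # True
    print(change_password_from_worker(srv, worker, "ola", "old-pw", "new-pw"))     # temporary-client
    srv.create_session("ola", "new-pw")           # the new password is now accepted
```

The point of keeping the via_password flag in the server's handle table rather than on the client side is that a joined handle can never promote itself; the only way to reach change_password is to present the real password again, which is exactly what the temporary client in the fallback path does.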
