Task #3201 (new)
Opened 14 years ago
Last modified 13 years ago
BUG: User cannot change password
| Reported by: | atarkowska | Owned by: | jamoore |
|---|---|---|---|
| Priority: | minor | Milestone: | OMERO-Beta4.2.1 |
| Component: | Services | Version: | n.a. |
| Keywords: | n.a. | Cc: | jburel, cneves |
| Resources: | n.a. | Referenced By: | n.a. |
| References: | n.a. | Remaining Time: | n.a. |
| Sprint: | 2010-11-11 (19) | | |
Description (last modified by jmoore)
Request Method: POST
Request URL: http://localhost:8000/webadmin/myaccount/save/
Exception Type: SecurityViolation
Exception Value: exception ::omero::SecurityViolation {
    serverStackTrace = ome.conditions.SecurityViolation: Bad authentication credentials for this action
        at ome.security.basic.BasicMethodSecurity.checkMethod(BasicMethodSecurity.java:130)
        at ome.security.basic.BasicSecurityWiring.invoke(BasicSecurityWiring.java:78)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at ome.services.blitz.fire.AopContextInitializer.invoke(AopContextInitializer.java:40)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
        at $Proxy66.changePassword(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:592)
        at ome.services.blitz.util.IceMethodInvoker.invoke(IceMethodInvoker.java:179)
        at ome.services.throttling.Callback.run(Callback.java:56)
        at ome.services.throttling.InThreadThrottlingStrategy.callInvokerOnRawArgs(InThreadThrottlingStrategy.java:56)
        at ome.services.blitz.impl.AbstractAmdServant.callInvokerOnRawArgs(AbstractAmdServant.java:136)
        at ome.services.blitz.impl.AdminI.changePassword_async(AdminI.java:133)
        at omero.api._IAdminTie.changePassword_async(_IAdminTie.java:106)
        at omero.api._IAdminDisp.___changePassword(_IAdminDisp.java:1245)
        at omero.api._IAdminDisp.__dispatch(_IAdminDisp.java:1467)
        at IceInternal.Incoming.invoke(Incoming.java:159)
        at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)
        at Ice.ConnectionI.message(ConnectionI.java:972)
        at IceInternal.ThreadPool.run(ThreadPool.java:577)
        at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
        at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)
    serverExceptionClass = ome.conditions.SecurityViolation
    message = Bad authentication credentials for this action
}
Exception Location: /Users/ola/Dev/omero/dist/lib/python/omero_api_IAdmin_ice.py in changePassword, line 350
Change History (2)
comment:1 Changed 14 years ago by jmoore
Ola, this is because you are not using a secure connection to pass the password. See #911 for the background and we can discuss when you're ready. In Insight, a second omero.client is kept for making these calls.
comment:2 Changed 14 years ago by jmoore
- Cc jburel added
- Description modified (diff)
Ola, sorry, the issue with the second omero.client is another problem you might run into (see the first comment of #2099). #911 says that a user can only call changePassword if the session that they got the IAdmin instance from was created using a real password and not joinSession(). Otherwise an attacker could:
- sniff a session uuid from the wire (which will eventually time out)
- login with the session uuid
- call changePassword
- start creating new sessions with the new password
I realize that in the web scenario N-1 of the workers will have been authenticated with a session uuid, so if you receive a SecurityViolation you will need to re-authenticate, or create a temporary SSL-based omero.client with the real password.
There are currently no TestingScenarios dealing with passwords, so I added #3202.
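The #911 rule that jmoore describes above, and the re-authenticate-on-SecurityViolation path he suggests for the web workers, modelled as an added example. This is not OMERO code: `SessionService`, `Session` and `change_password_reauth` are constructed stand-ins for the server-side session store and the web-side retry logic.

```python
from dataclasses import dataclass
import secrets

class SecurityViolation(Exception):
    """Stands in for ome.conditions.SecurityViolation."""

@dataclass(frozen=True)
class Session:
    uuid: str
    user: str
    password_authenticated: bool  # True only if created with the real password

class SessionService:
    """Constructed server stand-in, not OMERO's ISession/IAdmin."""

    def __init__(self, passwords):
        self._passwords = dict(passwords)  # user -> password (constructed)
        self._sessions = {}                # uuid -> Session

    def create_session(self, user, password):
        if self._passwords.get(user) != password:
            raise SecurityViolation("Bad authentication credentials")
        session = Session(secrets.token_hex(16), user, True)
        self._sessions[session.uuid] = session
        return session

    def join_session(self, uuid):
        # Same server session, but this handle is backed only by the uuid.
        return Session(uuid, self._sessions[uuid].user, False)

    def change_password(self, handle, new_password):
        # The #911 rule: a uuid-only handle may not change the password.
        if handle.uuid not in self._sessions or not handle.password_authenticated:
            raise SecurityViolation("Bad authentication credentials for this action")
        self._passwords[handle.user] = new_password

    def check(self, user, password):
        return self._passwords.get(user) == password

def change_password_reauth(service, handle, real_password, new_password):
    """Web-worker path from the comment: try the handle we have; on a
    SecurityViolation open a password-backed session and retry with it."""
    try:
        service.change_password(handle, new_password)
        return "direct"
    except SecurityViolation:
        fresh = service.create_session(handle.user, real_password)
        service.change_password(fresh, new_password)
        return "reauthenticated"
```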