Ticket #366 (closed task: fixed)
[S] Securing http redirects
Reported by: | pjkersha | Owned by: | pjkersha |
---|---|---|---|
Priority: | critical | Milestone: | PROD Final |
Component: | security | Version: | |
Keywords: | security, redirects, cross domain cookie | Cc: |
Description
SecurityCGI uses a system of http redirects to allow a site requesting user credentials to forward to the user's login page. The login page passes back cookie credentials to the requestor but a mechanism is needed to validate that the requesting site is a valid NDG one and not an attacker masquerading.
The re-directs are done over https so that traffic is encrypted. There may be a way of checking the originating by checking certificate of the requestor?
Change History
comment:2 Changed 15 years ago by pjkersha
- Milestone changed from PostAlpha_review to SystemIntegrationOctober2006
comment:3 Changed 14 years ago by pjkersha
- Milestone changed from SystemIntegrationOctober2006 to PreBeta
Move to PreBeta?.
HTTP redirects are not likely to be needed for DEWS as in the marine and health stream demonstration cases users login to a single portal site.
comment:4 Changed 14 years ago by selatham
- Milestone changed from BETA to PROD Final
Is this still an issue?
comment:5 Changed 14 years ago by pjkersha
- Status changed from assigned to closed
- Resolution set to fixed
This has been resolved using https. The requesting site passes the Login Service a https URL to return to. The Login Service tests this connection verifying the SSL certificate provided by the requesting site. If the certificate verifies and has a known DN then transmission of the credentials from Login Service to requester can proceed.
The Attribute Authority map config has been extended to include a DN for each trusted hosts. The Login Service uses this to check which DNs are acceptable for sites requesting credentials.