Ticket #366 (closed task: fixed)

Opened 15 years ago

Last modified 14 years ago

[S] Securing http redirects

Reported by: pjkersha Owned by: pjkersha
Priority: critical Milestone: PROD Final
Component: security Version:
Keywords: security, redirects, cross domain cookie Cc:


SecurityCGI uses a system of http redirects to allow a site requesting user credentials to forward to the user's login page. The login page passes back cookie credentials to the requestor but a mechanism is needed to validate that the requesting site is a valid NDG one and not an attacker masquerading.

The re-directs are done over https so that traffic is encrypted. There may be a way of checking the originating by checking certificate of the requestor?

Change History

comment:1 Changed 15 years ago by pjkersha

  • Status changed from new to assigned

comment:2 Changed 15 years ago by pjkersha

  • Milestone changed from PostAlpha_review to SystemIntegrationOctober2006

comment:3 Changed 15 years ago by pjkersha

  • Milestone changed from SystemIntegrationOctober2006 to PreBeta

Move to PreBeta?.

HTTP redirects are not likely to be needed for DEWS as in the marine and health stream demonstration cases users login to a single portal site.

comment:4 Changed 14 years ago by selatham

  • Milestone changed from BETA to PROD Final

Is this still an issue?

comment:5 Changed 14 years ago by pjkersha

  • Status changed from assigned to closed
  • Resolution set to fixed

This has been resolved using https. The requesting site passes the Login Service a https URL to return to. The Login Service tests this connection verifying the SSL certificate provided by the requesting site. If the certificate verifies and has a known DN then transmission of the credentials from Login Service to requester can proceed.

The Attribute Authority map config has been extended to include a DN for each trusted hosts. The Login Service uses this to check which DNs are acceptable for sites requesting credentials.

Note: See TracTickets for help on using tickets.