acortes-okode commented on PR #16650: URL: https://github.com/apache/pulsar/pull/16650#issuecomment-1190027673
> > Anyways, I was trying to build it to test something I had in mind but maybe you could know it firsthand. The thing is, I'm not sure if `AuthenticationProviderToken#newHttpAuthState` is called for every HTTP request (correct me if I'm wrong) but, if it is, then I think one could manage to authenticate to other requests rather than the WebSocket one by using the `token` request query param (also not sure if this is intended). E.g.
> >
> > ```shell
> > curl "http://localhost:8080/admin/v2/brokers/configuration?token=ASDFGH...."
> > ```
>
> Good idea, I verified that it worked.

Hi @nodece, thanks for checking that!

Sorry, I think I didn't express my concerns about that correctly. They are regarding security. I think there is no other option than putting the `token` information in the query param for a WebSocket request, due to browser API limitations. But I think that the `token` query param check should then only be applied on WebSocket connection URIs (`/ws/` and `/ws/v2/`) and not the rest. I do not know if this could be addressed easily; maybe by checking for ws paths in the `AuthorizationProviderToken`?

I see references to these paths in the `pulsar-websocket` classes:

- [WebSocketConsumerServlet](https://github.com/apache/pulsar/blob/master/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/WebSocketConsumerServlet.java#L27-L28)
- [WebSocketReaderServlet](https://github.com/apache/pulsar/blob/master/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/WebSocketReaderServlet.java#L27-L28)
- [WebSocketProducerServlet](https://github.com/apache/pulsar/blob/master/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/WebSocketProducerServlet.java#L27-L28)
- [WebSocketPingPongServlet](https://github.com/apache/pulsar/blob/master/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/WebSocketPingPongServlet.java#L27-L28)

But not in a "general" one, so maybe just checking for `/ws/**` and `/ws/v2/**` in the same `AuthorizationProviderToken` is valid. And I'm sure security here depends a lot on how Apache Pulsar is managed and whether users use that query param for requests other than the WebSocket ones, but it could be a security risk in some situations. I'm referencing an [OWASP post](https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url) about this.

Thank you again, and sorry for not expressing all my thoughts clearly before!

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
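The path-restricted token check that the comment proposes, written out as an added, self-contained example (this is not Pulsar's `AuthenticationProviderToken`, and the `Request` stand-in, the `extract_token` / `redact_token_for_log` helpers and the `WEBSOCKET_PATH_PREFIXES` constant are assumptions made for illustration, with the prefixes taken from the servlet links above). It accepts a bearer token from the `Authorization` header on every path, honours the `token` query parameter only under the WebSocket prefixes, so the quoted `curl` call against `/admin/v2/brokers/configuration?token=...` ends up with no credential, and masks the query value before a URL is logged, which is the exposure the linked OWASP page is about:

```python
"""
Illustrative model of the check proposed in the comment: a bearer token in the
``token`` query parameter is honoured only on WebSocket endpoints; every other
endpoint must send it in the Authorization header. Example code, not Pulsar's.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the WebSocket servlets are mounted under these prefixes (from the
# servlet path constants linked in the comment). ``/ws/`` already covers
# ``/ws/v2/``; both are listed to mirror the comment.
WEBSOCKET_PATH_PREFIXES = ("/ws/", "/ws/v2/")


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    url: str
    headers: Dict[str, str] = field(default_factory=dict)

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    @property
    def query(self) -> Dict[str, List[str]]:
        return parse_qs(urlsplit(self.url).query)


def is_websocket_path(path: str) -> bool:
    """True only for paths under the WebSocket prefixes (``/wsfoo/...`` does not match)."""
    return any(path.startswith(prefix) for prefix in WEBSOCKET_PATH_PREFIXES)


def token_from_header(request: Request) -> Optional[str]:
    """Return the token from ``Authorization: Bearer <token>``, if present (header name is case-insensitive)."""
    header = next((v for k, v in request.headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def extract_token(request: Request) -> Optional[str]:
    """Pick the credential source allowed for this path.

    The header is accepted everywhere. The ``token`` query parameter is accepted
    only under the WebSocket prefixes, so an admin URL carrying ``?token=...``
    yields no credential and the request fails authentication.
    """
    header_token = token_from_header(request)
    if header_token:
        return header_token
    if is_websocket_path(request.path):
        values = request.query.get("token")
        if values and values[0]:
            return values[0]
    return None


def redact_token_for_log(url: str) -> str:
    """Mask the ``token`` query value before a URL is written to an access log.

    Even where the query parameter is legitimately used (the WebSocket endpoints),
    the raw URL should not reach server logs, proxy records or browser history.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k == "token" else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked)))


if __name__ == "__main__":
    # Constructed sample requests, mirroring the curl call quoted in the comment.
    samples = [
        Request("http://localhost:8080/admin/v2/brokers/configuration?token=ASDFGH"),
        Request("http://localhost:8080/admin/v2/brokers/configuration",
                headers={"Authorization": "Bearer ASDFGH"}),
        Request("http://localhost:8080/ws/v2/producer/persistent/public/default/t?token=ASDFGH"),
    ]
    for req in samples:
        print(f"{redact_token_for_log(req.url)} -> token={extract_token(req)!r}")
```

Prefix matching is deliberately on `/ws/` with the trailing slash so that an unrelated path such as `/wsfoo/` does not inherit the relaxed rule; an equivalent check in the broker would sit wherever the HTTP auth state is created, and the redaction step belongs in front of whatever writes the access log.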
