Andrea Patricelli created SYNCOPE-1428:
------------------------------------------

             Summary: APIs to search by key return 404 instead of 401 for 
unauthenticated calls
                 Key: SYNCOPE-1428
                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1428
             Project: Syncope
          Issue Type: Bug
          Components: core
    Affects Versions: 2.1.3, 2.0.12
            Reporter: Andrea Patricelli
            Assignee: Andrea Patricelli
             Fix For: 2.0.13, 2.1.4, 3.0.0


Calling the search API on Users, Groups or AnyObjects as in the following 
example returns 404 when the object is not found, even for unauthenticated 
calls. This could be exploited to "guess" usernames or, in general, the keys 
of objects.

Request:

 
{code:java}
curl -X GET 
"http://[mysyncopedomain]:[mysyncopeport]/syncope/rest/users/notexistingkey"; -H 
"accept: */*" -H "X-Syncope-Domain: Master"{code}
Response:
{code:java}
{"status":404,"type":"NotFound","elements":["NotFoundException: User, Group or Any Object for notexistingkey"]}
{code}
 



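The following is an added example, not Syncope code and not part of the original report. It models the reported behaviour with two toy handlers standing in for the /syncope/rest/users/{key} endpoint: one resolves the key before checking authentication (the bug, where an unauthenticated caller gets 404 for a missing key and 401 for an existing one), the other enforces authentication first, so every unauthenticated request gets the same 401. A small probe then tests each handler the way an attacker would, comparing the unauthenticated status for a key known to exist with the status for one that does not. The user store, the token value and all function names are constructed for this example.

```python
"""
Added example: a minimal model of an existence oracle caused by looking a
resource up before enforcing authentication, and of the fixed ordering.
Nothing here is Syncope code; the store, token and names are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed sample store: the keys the endpoint is addressed by.
USERS = {"admin", "rossini", "verdi"}
# Constructed credential; a real deployment would validate a JWT instead.
VALID_TOKEN = "Bearer example-token"


@dataclass
class Response:
    status: int
    body: str


def _authenticated(authorization: Optional[str]) -> bool:
    """Toy credential check (constructed for the example)."""
    return authorization == VALID_TOKEN


def get_user_lookup_first(key: str, authorization: Optional[str] = None) -> Response:
    """Reproduces the reported behaviour: the key is resolved before the
    caller is authenticated, so an anonymous caller learns whether `key`
    exists from the status code alone (404 vs 401)."""
    if key not in USERS:
        return Response(404, f"NotFoundException: User, Group or Any Object for {key}")
    if not _authenticated(authorization):
        return Response(401, "Unauthorized")
    return Response(200, f'{{"key": "{key}"}}')


def get_user_auth_first(key: str, authorization: Optional[str] = None) -> Response:
    """Fixed ordering: authentication is enforced before any lookup, so
    unauthenticated requests get 401 regardless of whether the key exists."""
    if not _authenticated(authorization):
        return Response(401, "Unauthorized")
    if key not in USERS:
        return Response(404, f"NotFoundException: User, Group or Any Object for {key}")
    return Response(200, f'{{"key": "{key}"}}')


Handler = Callable[..., Response]


def leaks_existence(handler: Handler, existing_key: str, missing_key: str) -> bool:
    """Attacker-side check: with no credentials, does the status differ
    between a key known to exist and one known not to?  If it does, the
    endpoint is an enumeration oracle."""
    return handler(existing_key).status != handler(missing_key).status


def enumerate_unauthenticated(handler: Handler, candidates: Iterable[str]) -> List[str]:
    """Drive the oracle over a candidate list without any credentials.
    Returns every candidate the endpoint did not answer 404 for; against
    the fixed handler this is the whole list, i.e. no information."""
    return [k for k in candidates if handler(k).status != 404]


if __name__ == "__main__":
    for name, handler in (("lookup-first", get_user_lookup_first),
                          ("auth-first", get_user_auth_first)):
        print(name, "leaks existence:", leaks_existence(handler, "admin", "notexistingkey"))
        print(name, "confirmed keys:",
              enumerate_unauthenticated(handler, ["admin", "nobody", "verdi"]))
```

The same comparison can be run against a live instance with two unauthenticated curl calls (one key that is known to exist, such as the default admin, and one that cannot); if the status codes differ, the instance is affected.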
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)