[ https://issues.apache.org/jira/browse/CXF-2873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12885083#action_12885083 ]
Glen Mazza commented on CXF-2873:
---------------------------------
Well, these SOAP requests and responses viewable from the logs can contain
incredibly sensitive information, especially username and password if
UsernameToken plaintext passwords are being used over SSL for the SOAP
requests. Or the sensitive data within the SOAP body. So we should be
careful in dismissing this as "just would like to view logs".
Also, it is important for the integrity of the CXF project, even if it
inconveniences developers working with it, not to allow itself to be used in a
way that can expose sensitive data if the developers working with it are not
particularly careful or rigorous. So if Lazy Sloppy Developer using CXF wants
to implement this log viewer using basic auth over plain HTTP, *no*, CXF should
not allow itself to be used that way. (It is similar to the Metro project
programmatically not allowing plaintext UsernameToken over plain HTTP even if
Lazy Sloppy Developer wants it that way--it serves as a form of protection of
the users of Lazy Sloppy Developer's system.)
CXF--and I suspect, Metro--hasn't yet been able to develop a proper nonce
caching mechanism for UsernameToken with hashed passwords for regular SOAP
requests and responses, so we can't expect Tomasz all of a sudden to do this
for us. I think this would be sidetracking his project even if he could pull
it off sufficiently rigorously.
Requiring SSL for the log viewer if you're using Basic Auth is very simple [1]
nowadays (that Dec. 2003 article you linked to implying otherwise does not hold
so much today--it was meant for Apache Web Server in 2003, not Tomcat in 2010),
so I think that is what Tomasz should go with, i.e., disallow Basic Auth over
port 80(*), and then continue on with his work. Afterwards, if he has the time
and desire he can implement Digest Access authentication (certainly
educational, as he would have to develop a nonce caching system) -- that would
allow for use of port 80 in a secure fashion. Alternatively I guess he could
do UsernameToken w/noncing, but nowadays I think that is just for SOAP requests
and responses.
[1] http://www.jroller.com/gmazza/entry/setting_up_ssl_and_basic
(*) Can he do this--require his log viewer to be using SSL, or would that still
be left to the prerogative of the CXF User? It may be sufficient for the
web.xml that will come along with his viewer to explicitly state the SSL
requirement, as I've shown in [1] above, and leave it to Lazy Sloppy Developer
to remove that requirement if he unfortunately chooses.
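The web.xml requirement the comment above refers to, as an added example (not code from the commenter, the linked article, or the CXF project); the /logs/* path and the "logviewer" role name are assumptions:

```xml
<!-- Added example: a web.xml fragment for a Servlet 2.5 container such as
     Tomcat that protects a hypothetical log-viewer path with HTTP Basic
     authentication and refuses to serve it over plain HTTP.
     The /logs/* path and the "logviewer" role are assumed names. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CXF log viewer</web-resource-name>
      <url-pattern>/logs/*</url-pattern>
    </web-resource-collection>
    <!-- Only authenticated users holding this role may read the logs. -->
    <auth-constraint>
      <role-name>logviewer</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL tells the container not to serve this path over plain
         HTTP; Tomcat redirects to its connector's redirectPort (HTTPS), so
         the Basic credentials are never sent in the clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Basic auth is acceptable only because the constraint above forces SSL. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>CXF log viewer</realm-name>
  </login-config>

  <security-role>
    <role-name>logviewer</role-name>
  </security-role>

</web-app>
```

For the redirect to work, Tomcat's plain HTTP connector must have its redirectPort pointing at a configured HTTPS connector; otherwise requests to the protected path fail rather than fall back to clear text.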
> Add authentication support (via HTTP basic authentication)
> ----------------------------------------------------------
>
> Key: CXF-2873
> URL: https://issues.apache.org/jira/browse/CXF-2873
> Project: CXF
> Issue Type: Sub-task
> Reporter: Tomasz Oponowicz
>