ROLE_CIDE_#inpector - Password change #64
Comments
After some hours of testing the CIDE APP code, it seems the problem is not in the CIDE APP, but in the authentication service provided by Geoserver. It seems Geoserver is caching the old password for some time after its change, and so for this period the username can log in with both passwords, the old and the new one. After the change, login with both worked as follows:

NEW PASSWORD:
Request URL: https://pproo.azo.hr/bifisic/services/httpbasicauth/auth?user=klimetom_admin&password=kkkkkkkk
Request Method: GET
Status Code: 200 OK
Remote Address: 213.202.126.157:443
Referrer Policy: no-referrer-when-downgrade
Connection: Keep-Alive
Content-Type: application/json;charset=UTF-8
Date: Mon, 30 Dec 2019 21:42:28 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
Transfer-Encoding: chunked

OLD PASSWORD:
Request URL: https://pproo.azo.hr/bifisic/services/httpbasicauth/auth?user=klimetom_admin&password=aaaaaaaa
Request Method: GET
Status Code: 200 OK
Remote Address: 213.202.126.157:443
Referrer Policy: no-referrer-when-downgrade
Connection: Keep-Alive
Content-Type: application/json;charset=UTF-8
Date: Mon, 30 Dec 2019 21:43:41 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
Transfer-Encoding: chunked

OLD PASSWORD (after approx. 5 mins):
Request URL: https://pproo.azo.hr/bifisic/services/httpbasicauth/auth?user=klimetom_admin&password=aaaaaaaa
Request Method: GET
Status Code: 401 Unauthorized
Remote Address: 213.202.126.157:443
Referrer Policy: no-referrer-when-downgrade
Connection: Keep-Alive
Content-Type: application/json;charset=UTF-8
Date: Mon, 30 Dec 2019 21:45:22 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
Transfer-Encoding: chunked

And now CIDE also authenticates the user only with the new password.

This issue is linked to the bifisic authorization service provided by Geoserver and needs to be tackled by Fabrizio and his team. Otherwise, after the password change the user can still work in CIDE and, after a short period of time, the next time he will be denied with the new password. By my tests, the old password is invalid after about 10 minutes.
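The window reported in the comment above (old password still answering 200 for some minutes after the change, then 401) is what a time-to-live cache of positive authentication results produces when nothing evicts the user's entries on a password change. The model below is an added example, not code from the CIDE app, the BIFISIC service or GeoServer, and the cache layout it assumes (positive results keyed per user plus a digest of the credential, expiring after a TTL) is an assumption that reproduces the symptom rather than a description of the real service. `run_password_change_test` replays the reporter's sequence against the model with a fake clock, once with the stale-cache behaviour and once with the fix (dropping the user's cached entries in `change_password`); the user name and passwords in it are constructed placeholders. `probe_endpoint` issues the same GET the reporter used against a real URL, for re-running the check after a fix is deployed.

```python
"""Model of the password-change window: an auth endpoint whose positive
results are cached for a TTL, so the old password keeps answering 200
until its entry expires. Added example; the cache layout is an assumption."""
import hashlib
import hmac
import os
import time
import urllib.error
import urllib.parse
import urllib.request


def _hash_password(password, salt):
    # Iteration count kept modest so the offline demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


class UserStore:
    """Backing user database holding salted PBKDF2 hashes, never plaintext."""

    def __init__(self):
        self._users = {}  # user -> (salt, hash)

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, _hash_password(password, salt))

    def verify(self, user, password):
        entry = self._users.get(user)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(_hash_password(password, salt), expected)


class CachingAuthService:
    """Basic-auth check endpoint with a positive-result cache.

    A successful check is remembered under (user, sha256(password)) for `ttl`
    seconds. With evict_on_change=False the old credential's entry is still
    honoured after a password change until it expires (the reported symptom);
    with evict_on_change=True the change drops the user's entries, so the old
    password fails immediately.
    """

    def __init__(self, store, ttl=600.0, evict_on_change=False, clock=time.monotonic):
        self._store = store
        self._ttl = ttl
        self._evict = evict_on_change
        self._clock = clock
        self._cache = {}  # (user, credential digest) -> expiry time

    @staticmethod
    def _key(user, password):
        # Never use the plaintext password itself as a cache key.
        return (user, hashlib.sha256(password.encode("utf-8")).hexdigest())

    def auth(self, user, password):
        """Return the HTTP status the endpoint would answer: 200 or 401."""
        key = self._key(user, password)
        expiry = self._cache.get(key)
        if expiry is not None:
            if expiry > self._clock():
                return 200          # cache hit: the store is not consulted
            del self._cache[key]    # stale entry: fall through to a real check
        if self._store.verify(user, password):
            self._cache[key] = self._clock() + self._ttl
            return 200
        return 401

    def change_password(self, user, new_password):
        self._store.set_password(user, new_password)
        if self._evict:
            for key in [k for k in self._cache if k[0] == user]:
                del self._cache[key]


def run_password_change_test(evict_on_change, ttl=600.0):
    """Replay the reporter's sequence with a fake clock and return the four
    status codes: old password before the change, new password after it,
    old password right after it, old password once the TTL has elapsed."""
    now = [0.0]
    store = UserStore()
    service = CachingAuthService(store, ttl=ttl, evict_on_change=evict_on_change,
                                 clock=lambda: now[0])
    user, old_pw, new_pw = "example_user", "old-password", "new-password"  # constructed
    store.set_password(user, old_pw)
    codes = [service.auth(user, old_pw)]        # 200, and now cached
    service.change_password(user, new_pw)
    codes.append(service.auth(user, new_pw))    # 200
    codes.append(service.auth(user, old_pw))    # 200 from the stale cache, 401 with eviction
    now[0] += ttl + 1                           # advance past the TTL
    codes.append(service.auth(user, old_pw))    # 401 once the entry has expired
    return codes


def probe_endpoint(base_url, user, password, timeout=10.0):
    """Issue the same GET the reporter used against a real endpoint and return
    the status code. Network call; not used by the offline model above."""
    url = base_url + "?" + urllib.parse.urlencode({"user": user, "password": password})
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    print("no eviction  :", run_password_change_test(evict_on_change=False))
    print("with eviction:", run_password_change_test(evict_on_change=True))
```

The first call returns [200, 200, 200, 401] and the second [200, 200, 401, 401]: the only difference is the eviction in `change_password`, which is the check to look for in the real service. Note that the reporter's requests carry the password in the query string, so it ends up in Apache access logs and browser history; when re-testing with `probe_endpoint`, treat any password used that way as disclosed.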
I made another test where I tried to log in directly to the Geoserver Web Admin console, and there it DID NOT work as described above. It seems the problem resides in the BIFISIC AUTH service deployed by Fabrizio, available from this URL. After 10 minutes the old password returns 401 Unauthorised, but before that the user can log in with both the old and the new password!
If the user changes the password, it is possible to log in with the old password. The new password also works, but there is no point in leaving the possibility of using the old password. We need to change the password two times in a row with the same new password to disable the old one.