Issue 1822: re-authentication failure with HTTP authentication
************************************************************
***** NOTE: THIS BUG TRACKER IS FOR GERRIT CODE REVIEW *****
***** DO NOT SUBMIT BUGS FOR CHROME, ANDROID, INTERNAL *****
***** ISSUES WITH YOUR COMPANY'S GERRIT SETUP, ETC. *****
***** THOSE ISSUES BELONG IN DIFFERENT ISSUE TRACKERS! *****
************************************************************
Affected Version: 2.5.2
What steps will reproduce the problem?
1. Modify etc/gerrit.config to use HTTP auth like:
[auth]
type = HTTP
httpHeader = x-forwarded-user
2. Restart Gerrit
3. Access Gerrit with a valid user set in the x-forwarded-for header.
This gives you a GerritAccount cookie with the default 12-hour expiration time.
4. Access Gerrit with another valid user set in the x-forwarded-for header. We do this by signing off in our SSO solution (not signing off in Gerrit) and signing in again as a different user.
What is the expected output? What do you see instead?
1) According to the documentation, we expect the logout link in Gerrit to be hidden:
"As a result of this assumption, Gerrit can assume that any and all requests have already been authenticated. The "Sign In" and "Sign Out" links are therefore not displayed in the web UI."
But the link remains in the UI.
2) Because we didn't sign out of Gerrit, we still have a valid GerritAccount cookie at the second login, and this logs us into Gerrit as the first user.
Instead, Gerrit should detect that the x-forwarded-for header has changed and deliver a new session cookie.
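The following is an added example, not Gerrit's own code and not part of the original report. It models the login flow the reporter describes so the failure mode can be run offline: a still-valid GerritAccount cookie is honoured even though the trusted proxy header now names a different user, beside the behaviour the reporter expects, where the header is authoritative and a session issued for another account is revoked and replaced. The session store, the request shape (a headers dict plus a cookie value), the sample identities "alice" and "bob" and the function names are assumptions made for this illustration. Note that the report's config sets httpHeader to x-forwarded-user while the steps mention x-forwarded-for; the example keys off the configured header name.

```python
# Added example (not Gerrit's code): a minimal model of the HTTP-header
# login flow described in the report. It contrasts the behaviour observed
# in 2.5.2 (a live GerritAccount cookie wins over the proxy header) with
# the expected behaviour (the trusted header is authoritative and a
# mismatched session is revoked and reissued). Names, the request shape
# and the session store are assumptions made for this illustration.
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

AUTH_HEADER = "x-forwarded-user"   # gerrit.config: [auth] httpHeader
SESSION_TTL = 12 * 3600            # default 12-hour cookie lifetime from the report


@dataclass
class Session:
    account: str
    issued: float

    def expired(self, now: float) -> bool:
        return now > self.issued + SESSION_TTL


class SessionStore:
    """Server-side session table keyed by the opaque cookie value."""

    def __init__(self) -> None:
        self._by_token: Dict[str, Session] = {}

    def create(self, account: str, now: float) -> str:
        token = secrets.token_urlsafe(16)
        self._by_token[token] = Session(account, now)
        return token

    def lookup(self, token: Optional[str], now: float) -> Optional[Session]:
        session = self._by_token.get(token) if token else None
        if session is not None and session.expired(now):
            self.revoke(token)          # expired sessions are dropped on access
            return None
        return session

    def revoke(self, token: Optional[str]) -> None:
        if token:
            self._by_token.pop(token, None)


def login_cookie_first(store: SessionStore, headers: Dict[str, str],
                       cookie: Optional[str], now: float) -> Tuple[Optional[str], Optional[str]]:
    """Behaviour reported for 2.5.2: a live session cookie is trusted as-is and
    the proxy header is only consulted when no session exists yet."""
    session = store.lookup(cookie, now)
    if session is not None:
        return session.account, cookie
    user = headers.get(AUTH_HEADER)
    if not user:
        return None, None
    return user, store.create(user, now)


def login_header_first(store: SessionStore, headers: Dict[str, str],
                       cookie: Optional[str], now: float) -> Tuple[Optional[str], Optional[str]]:
    """Expected behaviour: the proxy has already authenticated the request, so
    its header is authoritative. A session is reused only if it was issued for
    the same account; otherwise it is revoked and a fresh cookie is issued."""
    user = headers.get(AUTH_HEADER)
    if not user:
        store.revoke(cookie)            # proxy vouches for nobody: no fallback to an old session
        return None, None
    session = store.lookup(cookie, now)
    if session is not None and session.account == user:
        return user, cookie
    store.revoke(cookie)                # stale or mismatched session is discarded
    return user, store.create(user, now)


def reproduce(login) -> Tuple[Optional[str], Optional[str], bool]:
    """Replay steps 3 and 4 of the report against one login strategy and return
    (account seen at step 3, account seen at step 4, was a new cookie issued?)."""
    store = SessionStore()
    t0 = time.time()
    # Step 3: the SSO proxy forwards constructed sample user "alice".
    first_user, cookie = login(store, {AUTH_HEADER: "alice"}, None, t0)
    # Step 4: SSO logout and re-login as "bob"; the browser still presents the
    # 12-hour GerritAccount cookie because nobody signed out of Gerrit.
    second_user, cookie2 = login(store, {AUTH_HEADER: "bob"}, cookie, t0 + 60)
    return first_user, second_user, cookie2 != cookie


if __name__ == "__main__":
    print("cookie-first:", reproduce(login_cookie_first))   # ('alice', 'alice', False)
    print("header-first:", reproduce(login_header_first))   # ('alice', 'bob', True)
```

The header-first check only makes sense if, as the documentation quoted above assumes, the header is set by the reverse proxy for every request and cannot be supplied by the client; the example does not model the proxy and takes that as an assumption.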
Mar 12, 2013
#1 sop@google.com
Status: ChangeUnderReview

Mar 12, 2013
(No comment was entered for this change.)
Status: Submitted
Labels: FixedIn-2.6