Improve security for authenticated users

[6a6d74]

The Registry software employs an authentication cookie to recognise authenticated users; normally this cookie is specified with a short time-to-expire.

In current configuration, the all communication with the Registry service employs HTTP - which means that the authentication cookie is passed in clear text and thus exposes the Registry service to man-in-the-middle attacks. The worst case exploitation would be for an administrator's cookie to be stolen & then maliciously used to give administrator privileges to some third party who would then have full control over the Registry content until such permissions were revoked.

Although the likelihood of such an attack is small (it is both a sophisticated action and requires sufficient motivation to execute) it still seems worthwhile resolving this security flaw.

It is important that the majority of users remain using (plain) HTTP to access the registry; the registers and terms therein are all given HTTP URIs (not HTTPS URIs).

I propose that all interactions from authenticated users MUST use HTTPS;

i) following authentication (login), the user should be redirected to https://{register-root}
ii) all URLs (used for navigation within the web-application) should be specified as HTTPS if a user is authenticated
iii) if a user with a valid authentication cookie attempts to access the Registry service (via web-application or programmatic API) using (plain) HTTP, the authentication cookie SHALL be revoked immediately (as it has been exposed in clear text and is subject to potential theft) ... in this situation, the user should be notified that their current "login" has been revoked and indicate how to correct access the Registry whilst authenticated using HTTPS.

It would also seem appropriate that requests to /system/security (e.g. /login, /logout, /createpassword, /apilogin & /response?{...} ) are undertaken using HTTPS.

Given that /system/security/apilogin needs amending to HTTPS, the "example login command" provided to the user following creation of a temporary API password should be modified to indicate a HTTPS request ... I think this is as simple as amending the URL to be https://{registry-root}/system/security/apilogin

Advice on other resources requiring HTTPS is appreciated.

(I note that all the interaction with the OpenID provider occurs using HTTPS)

[der]

Agreed that HTTPS for all authentication and admin actions is appropriate.

Was not part of the POC due to the high implementation complexity - would means finding a way to get an SSL certificate for the data.gov.uk subdomain, would also require modifications to intervening proxies, quite apart from the actual implementation in the registry itself.

[6a6d74]

Noted. Perhaps this should be implemented as a (deployment-time) configurable module?

[6a6d74]

I also note that for the WMO Codes Registry, we have accepted this risk for the time-being. So whilst I don't think we should declare this as a "minor enhancement", it's not my top priority.

[marqh]

I have had a look into this. I have sidestepped the issues of SSL certificates on specific domains for now, recognising that this would need to be fixed for some sites.

I have put an instance of the software behind a locally signed https certificate and established that most functionality just works, for http and https connections, once the webserver is configured.

The only issue I have is that if I am browsing over https, then I try to log in: I log in successfully, but the Google authentication returns me to an http url. I can manually switch to https and I remain logged in and I can work effectively, as tested so far.

If we could tweak this so that the return url provided to the authenticator recognises whether the log in was attempted from https, and returns accordingly, then the software would be suitable for supporting https as well as http.

Whilst this leaves the certification issues open, and still allows connections over http, it does represent a significant step towards secure access.

I presume that the openID services take are provided with a url to return the user to following authentication.

It seems like
https://github.com/UKGovLD/ukl-registry-poc/blob/master/src/main/java/com/epimorphics/registry/webapi/Login.java#L296
is the place where this is set

The docs suggest (to me) that
http://grepcode.com/file/repo1.maven.org/maven2/javax.ws.rs/jsr311-api/1.1.1/javax/ws/rs/core/UriInfo.java#UriInfo.getRequestUri%28%29
might deliver the protocol (http/https) but I haven't tested this as I have an unrelated build problem.

I'll try to get round to testing this, but I have submitted a pull request anyway, in case someone else can test it quicker than I can:
#101

cheers
mark