
Possible Security Issue in WAS / Portal

Former Member
0 Kudos

Hello,

While I was debugging / observing my application, I found a possible security flaw in SAP Portal / J2EE engine.

What happens is that HTTP Session objects created for a given user (say user "A") are passed over to user "B" if user "A" logs off from the portal and then, without closing the browser window, another user (say user "B") logs in.

The above problem does not happen if the browser is completely closed and user "B" logs in from a fresh new one.

I have not figured out the exact reason why this happens but I suspect this is related to the SAP Logon ticket (cookie MYSAPSSO2) and/or J2ee session ID cookie (JSESSIONID) which are not cleared up when the login screen appears after a log-off.

An interesting "feature" is that session objects are not lost when logging out, but this leads to a serious security issue if they are passed over to another user. A typical case is where an application would create an object and save it in the session if it does not exist already....

I think we shall customize the logoff/login screens to clear up all cookies and, possibly, invalidate the HTTP session to avoid this at all.

Our system is based on WAS 6.40 SP9.

Is there anybody else experiencing the same or is it something wrong going on only on my environments?

Possible solutions / work-arounds?

Regards

Vitaliano Trecca

Accepted Solutions (1)


Former Member
0 Kudos

Hi Vitaliano,

How do you log off from the J2EE engine? Did you try to call /useradmin/userAdminServlet?logOff= on your system?

Just calling logoff for the session should only invalidate the JSESSIONID but not the SAP Logon Ticket, if this is used for authentication. In this case, the user is automatically reauthenticated at the next access to the J2EE engine.

Kind regards,

Patrick Hildenbrand

Former Member
0 Kudos

Hello Patrick

Users simply log off using the "Log-Off" link available in the top-right frame of SAP Portal and they get redirected to the login page again. I am not supposed to do anything more than that, right?

Former Member
0 Kudos

Hi Vitaliano,

Please check whether your SAP Logon ticket has been destroyed (e.g. using HttpWatch or something similar). For me it works exactly this way, and I'm unable to access anything else after doing so.

BTW: initially you talked about a J2EE application, now you are talking about a portal. What is your login stack configuration for the J2EE application?

BTW2: what type of authentication do you use? Basic authentication? If yes, please switch to form-based authentication. Basic authentication does not support any 'log off' (this is a problem in the HTTP standard).

Regards,

Patrick

Former Member
0 Kudos

Patrick, thanks for following up!

I understand the confusion between J2EE and portal... I must clarify.

I have a J2EE-based application (with basic authentication) which is called and rendered in one SAP Portal iView. In this application I am also able to watch what is in the HTTP servlet session, and here is where I first noticed the problem.

Login to the SAP Portal is form-based, as it comes with the default installation. The login stack in the portal is as in the default installation (first ticket, then basic, and then it issues a ticket if necessary).

What I can see is that after logging off from the portal I still have the two cookies mentioned above with the same values. I.e. they are not destroyed when logging off from the Portal.

You are recommending to switch my J2EE app to FORM-based. Do I have to provide additional code / settings, or is it just a matter of changing the setting in web.xml and nothing else?

Former Member
0 Kudos

Following up previous finding...

The problem seems to be related to the module com.sap.portal.navigation.masthead.LogOutComponent, which returns an HTTP stream that cleans up the MYSAPSSO2 cookie but not the JSESSIONID one before redirecting to the login page.

The JSESSIONID cookie is used by the J2EE engine to reference (and therefore retrieve) the ...wrong... HTTP session. Failure to clean it up leads to the security flaw described above.

Will the SAP module probably have to be fixed?

Regards,

Vitaliano

Former Member
0 Kudos

I am still stuck on this issue. Please HELP.

The JSESSIONID cookie is not reset when another user logs in to portal/J2EE after a previous user has logged off and the browser was not closed.

The new user keeps holding the previous user's JSESSIONID, and any J2EE-based application embedded in the portal (except the portal itself) still believes it's the old user (in fact, calling UMEFactory.getAuthenticator().getLoggedInUser() still returns the old IUser object).

How do we ensure the JSESSIONID is refreshed (renewed) when a new user logs in to SAP Portal?
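The mitigation proposed at the top of the thread (invalidate the HTTP session and expire both cookies on logoff) and the question just above (make sure a stale JSESSIONID is never reused for a different user) can be implemented in the application itself with a standard servlet filter. The following is an added example, not code from the thread or from SAP; it uses only the javax.servlet API available on a Servlet 2.3 engine such as WAS 6.40. The class name SessionOwnerFilter, the attribute name session.owner and the init-params logoffPath and loginPage are hypothetical, and the filter assumes the container exposes the authenticated user through request.getRemoteUser().

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical defensive filter (not SAP's LogOutComponent).
 *
 * 1. Binds each HttpSession to the user it was first used by.
 * 2. If the authenticated user differs from the session owner while the
 *    JSESSIONID stays the same (the situation described in the thread),
 *    the stale session is invalidated and a fresh one with a new id is created.
 * 3. On the configured logoff URL the session is invalidated and both cookies
 *    (JSESSIONID and MYSAPSSO2) are expired on the client before redirecting.
 */
public class SessionOwnerFilter implements Filter {
    static final String OWNER_ATTR = "session.owner"; // hypothetical attribute name
    private String logoffPath = "/logoff";            // assumption: overridable via init-param
    private String loginPage = "/login";              // assumption: overridable via init-param

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("logoffPath");
        if (p != null) logoffPath = p;
        String l = cfg.getInitParameter("loginPage");
        if (l != null) loginPage = l;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Explicit logoff: destroy server state and tell the browser to drop the cookies.
        if (logoffPath.equals(request.getServletPath())) {
            terminate(request, response);
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }

        String user = request.getRemoteUser();          // null when not authenticated
        HttpSession session = request.getSession(false); // do not create one just to inspect
        if (session != null) {
            String owner = (String) session.getAttribute(OWNER_ATTR);
            if (owner != null && !owner.equals(user)) {
                // Same JSESSIONID, different (or no) principal: never let user B
                // see objects that user A's application code stored in the session.
                session.invalidate();
                session = null;
            }
        }
        if (user != null) {
            if (session == null) {
                session = request.getSession(true);     // container issues a new JSESSIONID
            }
            if (session.getAttribute(OWNER_ATTR) == null) {
                session.setAttribute(OWNER_ATTR, user);
            }
        }
        chain.doFilter(req, res);
    }

    /** Invalidates the session and expires both cookies on the client. */
    static void terminate(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();
        expire(response, "JSESSIONID", "/");
        expire(response, "MYSAPSSO2", "/");
    }

    /** Sends a Set-Cookie header with Max-Age=0 so the browser discards the cookie. */
    static void expire(HttpServletResponse response, String name, String path) {
        Cookie c = new Cookie(name, "");
        c.setMaxAge(0);
        c.setPath(path);
        response.addCookie(c);
    }

    public void destroy() {}
}
```

Register the filter in web.xml with a filter-mapping on /* so it runs before the application's servlets. Two caveats: a Set-Cookie only deletes a cookie whose name, path and domain all match, so if the engine issued MYSAPSSO2 with an explicit Domain attribute, the expiring cookie needs the same setDomain(); and if a legitimately logged-in user's session is meant to survive logoff (the "feature" mentioned earlier in the thread), that behaviour is intentionally lost, because the owner check treats any principal change as a reason to discard the session.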

Former Member
0 Kudos

Hi Vitaliano,

I'm now a bit confused. You have stated:

> What I can see is that after logging off from the portal I still have the two cookies mentioned above with same values. I.e. they are not destroyed when loggin off from Portal.

If the SAP Logon ticket was not set to empty after the log off from the portal, I would rate this as a bug.

Regarding the JSESSIONID, the stuff is a bit more tricky. This is a current limitation SAP is working on, to my knowledge. I do not know when there will be a fix for this.

To a great extent, this is based on the J2EE security policy domain model (some words about it can be found in the SAP documentation at http://help.sap.com/saphelp_nw04/helpdata/en/c4/5c5ae71140bb41868f10bc7f3411db/frameset.htm). The SAP Logon Ticket permits authenticating to different policy domains without the need for the user to reauthenticate (this is what the logon stack concept is for). The problem is that there is no single logout stack concept in the J2EE specification. As your application runs in a different security policy domain than the portal, the logout is only valid for the portal, as only the portal session is destroyed.

Kind regards,

Patrick Hildenbrand

Answers (1)


0 Kudos

Hi,

I would like to update on this issue. With SP14 this issue will be solved. By default, when an HTTP client is logged off, it will be logged off from all web applications it has requested. Still, there will be a way to switch to the old behavior if your application needs it. How to do this will be described on help.sap.com when SP14 is released (planned for 04.10.2004).

I hope this will help.

Regards,

Maria