User story #2322
Forbid access to URL /api/* for any hosts save localhost (closed)
Status: Released
Priority: 1 (highest)
Assignee: Matthieu CERDA
Category: Packaging
Description
In Rudder, URLs under /api/* are REST APIs that allow doing a lot of things but do not require authentication if the rudder-web.properties property rudder.rest.allowNonAuthenticatedUser is set to true (default).
But we want to allow access to these URLs only from localhost.
=> change the Apache configuration to forbid that!
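An added example of the kind of Apache restriction the description asks for. It is not the content of the changeset referenced in this ticket and not Rudder's shipped configuration; it assumes the API is served through Apache under `/api` exactly as written above.

```apache
# Added example (assumption: the REST API is exposed by Apache under /api).
# <Location /api> matches /api, /api/ and /api/anything, but not /apiother.
<Location /api>
    <IfModule mod_authz_core.c>
        # Apache 2.4: "local" means the client address is in 127.0.0.0/8,
        # is ::1, or is identical to the server address of the connection.
        Require local
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2: deny everyone, then allow loopback only.
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 ::1
    </IfModule>
</Location>

# Caveat: the check is made on the address Apache sees. If another proxy or
# load balancer on the same host sits in front of Apache, every request
# arrives from loopback and this rule no longer separates local callers
# from remote ones.
```

With this in place a request to `/api/` from another machine gets a 403 from Apache before it reaches the web application, while a request from the server itself is passed through.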
Updated by Matthieu CERDA over 12 years ago
- Status changed from 2 to Pending technical review
- % Done changed from 0 to 100
Applied in changeset de3fc2c73696fed2d04db0861ecdd8598d2fdba7.
Updated by Jonathan CLARKE over 12 years ago
- Status changed from Pending technical review to 10
Updated by Jonathan CLARKE over 12 years ago
- Status changed from 10 to Released
- Assignee changed from Jonathan CLARKE to Matthieu CERDA
Validating this functional review, even though this solution is less good than desired: we really should have an authentication system for the API tied in with Rudder's auth system. For now, you have to rely on Apache as a proxy to manage access to the API from other machines than localhost.
Updated by Nicolas PERRON almost 12 years ago
- Project changed from Rudder to 34
- Category deleted (11)
Updated by Benoît PECCATTE over 9 years ago
- Project changed from 34 to Rudder
- Category set to Packaging