Modify

Opened 12 years ago

Closed 8 years ago

#7086 closed defect (fixed)

WMS basic authentication is using OSM account

Reported by: anonymous Owned by: wiktorn
Priority: major Milestone:
Component: Core Version: tested
Keywords: wms authentication Cc: bastiK

Description

When JOSM is acessing a WMS server which requires Basic Authentication, it will send the OSM username and password.
Besides the security aspect it is currently not possible to use such WMS servers with different login data.

Some GUI option to set login data for WMS would be nice.
OSM login data should never be sent to other servers requiring Basic Authentication without permission.

Attachments (0)

Change History (12)

comment:1 by bastiK, 12 years ago

Could you name a WMS with Basic Auth setup?

comment:2 by anonymous, 12 years ago

This is just an example. Remember JOSM sends your OSM login data to this server.

http://security.demo.52north.org/wss/service/wms_demis/httpauth?

demo accounts:

  • alice/alice: Full access
  • bob/bob: Limited access
  • guest/guest: Very limited access

in reply to:  description comment:3 by skyper, 12 years ago

Priority: normalcritical

Replying to anonymous:

OSM login data should never be sent to other servers requiring Basic Authentication without permission.

This is a critical bug !

comment:4 by skyper, 12 years ago

Priority: criticalblocker
Summary: WMS basic authentication using OSM accountWMS basic authentication is using OSM account

I split the enhancement part to #7122

As it is easy to add wms servers to the list this defect is even a blocker !

comment:5 by stoecker, 12 years ago

Priority: blockermajor

comment:6 by stoecker, 12 years ago

In [4690/josm]:

see #7086 - fix passing auth information to wrong server

comment:7 by stoecker, 12 years ago

Cc: bastiK added

I did a basic fix introducing host-name aware authentication settings which fixes this immediate problem. But it still is not perfect.

comment:8 by stoecker, 12 years ago

In [4692/josm]:

see #7086 - save other passwords in JOSM prefs

comment:9 by anonymous, 12 years ago

With regard to the current patches: it seems like JOSM sometimes "forgot" sending the auth information (maybe that should be another ticket). Before the patches the auth dialog just appeared again. With the current josm-latest I get HTTP 401 errors without auth dialog resulting in error tiles.

comment:10 by wiktorn, 9 years ago

Owner: changed from team to wiktorn

comment:11 by simon04, 8 years ago

Milestone: 16.02

See #7122.

Last edited 8 years ago by simon04 (previous) (diff)

comment:12 by simon04, 8 years ago

Milestone: 16.02
Resolution: fixed
Status: newclosed

Not sending OSM credentials has been fixed 4 years ago. For other problems/enhancements → #7122.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain wiktorn.
as The resolution will be set.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.