Opened 12 years ago
Closed 8 years ago
#7086 closed defect (fixed)
WMS basic authentication is using OSM account
| Reported by: | anonymous | Owned by: | wiktorn |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Core | Version: | tested |
| Keywords: | wms authentication | Cc: | bastiK |
Description
When JOSM is acessing a WMS server which requires Basic Authentication, it will send the OSM username and password.
Besides the security aspect it is currently not possible to use such WMS servers with different login data.
Some GUI option to set login data for WMS would be nice.
OSM login data should never be sent to other servers requiring Basic Authentication without permission.
Attachments (0)
Change History (12)
comment:1 by , 12 years ago
comment:2 by , 12 years ago
This is just an example. Remember JOSM sends your OSM login data to this server.
http://security.demo.52north.org/wss/service/wms_demis/httpauth?
demo accounts:
- alice/alice: Full access
- bob/bob: Limited access
- guest/guest: Very limited access
comment:3 by , 12 years ago
| Priority: | normal → critical |
|---|
Replying to anonymous:
OSM login data should never be sent to other servers requiring Basic Authentication without permission.
This is a critical bug !
comment:4 by , 12 years ago
| Priority: | critical → blocker |
|---|---|
| Summary: | WMS basic authentication using OSM account → WMS basic authentication is using OSM account |
I split the enhancement part to #7122
As it is easy to add wms servers to the list this defect is even a blocker !
comment:5 by , 12 years ago
| Priority: | blocker → major |
|---|
comment:7 by , 12 years ago
| Cc: | added |
|---|
I did a basic fix introducing host-name aware authentication settings which fixes this immediate problem. But it still is not perfect.
comment:9 by , 12 years ago
With regard to the current patches: it seems like JOSM sometimes "forgot" sending the auth information (maybe that should be another ticket). Before the patches the auth dialog just appeared again. With the current josm-latest I get HTTP 401 errors without auth dialog resulting in error tiles.
comment:10 by , 9 years ago
| Owner: | changed from to |
|---|
comment:11 by , 8 years ago
| Milestone: | → 16.02 |
|---|
It seems to be working okay, i.e., one manages to load images w/o the OSM password being sent.
The problem I experienced w/ r9312 and the WMS from comment:2 is in the context of parallel image loading:
- 3 WMS requests are fired and executed
- All 3 obtain HTTP 401
- The first one requests the saved credentials from the preferences (I entered+saved them while adding the WMS layer). It registers
credentialsTried(inorg/openstreetmap/josm/io/auth/DefaultAuthenticator.java:55, which is not host specific!), obtains the credentials from the preferences and loads the image - The 2nd and 3rd request however reach
credentialsTriedalready set from the first host. This causes 2 credential dialogs to be shown atorg/openstreetmap/josm/io/auth/AbstractCredentialsAgent.java:46
So two credential dialogs are shown despite having the correct credentials set in the preferences.
To be done:
- make
org.openstreetmap.josm.io.auth.DefaultAuthenticator#credentialsTriedhost aware - somehow fix this parallel request issue
comment:12 by , 8 years ago
| Milestone: | 16.02 |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
Not sending OSM credentials has been fixed 4 years ago. For other problems/enhancements → #7122.
Could you name a WMS with Basic Auth setup?