Security issue for all admin vaadin applications exposed as OSGI Service

Description

Usually the Vaadin applications are embedded as an iframe.
If you know the embedded URL, you can get access to the application even if you are not authorized.

Example:
Login to demo.opennms.org with the demo user
Go to the following page: demo.opennms.org/opennms/osgi/jmx-config-tool

TADA, you now have access to a restricted area.

Basically all OSGi-deployed applications are bridged AND accessible via /osgi/.
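The point of the report is that the authorization check lives on the page that hosts the iframe, while the bridged application itself answers directly under /osgi/ to anyone with a session. The check has to be enforced on the embedded URL, server-side, for every request. The servlet filter below is an added illustration of that, written for this page; it is not OpenNMS's actual fix and not code from the project. The path prefix /osgi/, the role name ROLE_ADMIN and the class name are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not the OpenNMS implementation) that guards every
 * request to the bridged OSGi path itself, so that knowing the iframe URL
 * is no longer enough to reach an admin-only Vaadin application.
 */
public class OsgiBridgeAuthFilter implements Filter {

    // Assumed: all bridged Vaadin applications are served below this prefix.
    private static final String GUARDED_PREFIX = "/osgi/";

    // Assumed role name; use whatever role the container assigns to admins.
    private static final String REQUIRED_ROLE = "ROLE_ADMIN";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure for this example
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Strip the webapp context (e.g. "/opennms") so the prefix check
        // works regardless of where the application is deployed.
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (isGuarded(path)) {
            // No session at all: the bridge must never serve anonymous users.
            if (request.getUserPrincipal() == null) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Logged in but not an admin (the "demo" user case from the report).
            if (!request.isUserInRole(REQUIRED_ROLE)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }

        chain.doFilter(req, res);
    }

    /**
     * Deny by prefix, not by an allow-list of known tools: any application
     * that is bridged later is covered automatically.
     */
    static boolean isGuarded(String path) {
        return path.startsWith(GUARDED_PREFIX) || path.equals("/osgi");
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The filter must be mapped to /osgi/* in the webapp (web.xml or the OSGi HTTP service registration), not only to the pages that embed the iframe; otherwise the bridged URL stays reachable exactly as described above. To verify a fix, log in as the non-admin demo user and request the bridged URL directly: anything other than a 401/403 (or a redirect to the login page) means the application is still exposed.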

Acceptance / Success Criteria

None


Markus von Rüden July 25, 2017 at 12:40 PM

Fixed


Created May 17, 2016 at 3:36 AM
Updated September 21, 2017 at 3:08 PM
Resolved August 2, 2017 at 2:46 PM