raboof/pekko
1
0
Fork 0
Code Issues Pull requests Projects Releases 6 Packages Wiki Activity Actions 10

=doc #18857 Add docs about comparing the secret when authenticating

Browse source
This commit is contained in:
Johan Andrén 2015-11-19 11:08:37 +01:00
parent fa683e1842
commit 63806bdbe0
11 changed files with 36 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
akka-docs-dev/rst/scala/http/routing-dsl/directives/security-directives/authenticateBasic.rst
View file

@ -27,6 +27,8 @@ variant of this directive which allows it to run without blocking routing layer
Standard HTTP-based authentication which uses the ``WWW-Authenticate`` header containing challenge data and
``Authorization`` header for receiving credentials is implemented in subclasses of ``HttpAuthenticator``.
See :ref:`credentials-and-timing-attacks-scala` for details about verifying the secret.
.. warning::
Make sure to use basic authentication only over SSL/TLS because credentials are transferred in plaintext.

2
akka-docs-dev/rst/scala/http/routing-dsl/directives/security-directives/authenticateBasicAsync.rst
View file

@ -25,6 +25,8 @@ which by default is mapped to an ``401 Unauthorized`` response.
Standard HTTP-based authentication which uses the ``WWW-Authenticate`` header containing challenge data and
``Authorization`` header for receiving credentials is implemented in subclasses of ``HttpAuthenticator``.
See :ref:`credentials-and-timing-attacks-scala` for details about verifying the secret.
.. warning::
Make sure to use basic authentication only over SSL/TLS because credentials are transferred in plaintext.

2
akka-docs-dev/rst/scala/http/routing-dsl/directives/security-directives/authenticateBasicPF.rst
View file

@ -25,6 +25,8 @@ leaves the request to be rejected with a :class:`AuthenticationFailedRejection`
Longer-running authentication tasks (like looking up credentials in a database) should use :ref:`-authenticateBasicAsync-`
or :ref:`-authenticateBasicPFAsync-` if you prefer to use the ``PartialFunction`` syntax.
See :ref:`credentials-and-timing-attacks-scala` for details about verifying the secret.
.. warning::
Make sure to use basic authentication only over SSL/TLS because credentials are transferred in plaintext.

2
akka-docs-dev/rst/scala/http/routing-dsl/directives/security-directives/authenticateBasicPFAsync.rst
View file

@ -22,6 +22,8 @@ Refer to :ref:`-authenticateBasic-` for a detailed description of this directive
Its semantics are equivalent to ``authenticateBasicPF`` 's, where not handling a case in the Partial Function (PF)
leaves the request to be rejected with a :class:`AuthenticationFailedRejection` rejection.
See :ref:`credentials-and-timing-attacks-scala` for details about verifying the secret.
.. warning::
Make sure to use basic authentication only over SSL/TLS because credentials are transferred in plaintext.

2
akka-docs-dev/rst/scala/http/routing-dsl/directives/security-directives/authenticateOAuth2.rst
View file

@ -29,6 +29,8 @@ which by default is mapped to an ``401 Unauthorized`` response.
Longer-running authentication tasks (like looking up credentials in a database) should use the :ref:`-authenticateOAuth2Async-`
variant of this directive which allows it to run without blocking routing layer of Akka HTTP, freeing it for other requests.
See :ref:`credentials-and-timing-attacks-scala` for details about verifying the secret.
For more information on how OAuth2 works see `RFC 6750`_.
.. _RFC 6750: https://tools.ietf.org/html/rfc6750

2
akka-docs-dev/rst/scala/http/routing-dsl/directives/security-directives/authenticateOAuth2Async.rst
View file

@ -28,6 +28,8 @@ which by default is mapped to an ``401 Unauthorized`` response.
See also :ref:`-authenticateOAuth2-` if the authorization operation is rather quick, and does not have to execute asynchronously.
See :ref:`credentials-and-timing-attacks-scala` for details about verifying the secret.
For more information on how OAuth2 works see `RFC 6750`_.
.. _RFC 6750: https://tools.ietf.org/html/rfc6750

2
akka-docs-dev/rst/scala/http/routing-dsl/directives/security-directives/authenticateOAuth2PF.rst
View file

@ -30,6 +30,8 @@ leaves the request to be rejected with a :class:`AuthenticationFailedRejection`
Longer-running authentication tasks (like looking up credentials in a database) should use the :ref:`-authenticateOAuth2Async-`
variant of this directive which allows it to run without blocking routing layer of Akka HTTP, freeing it for other requests.
See :ref:`credentials-and-timing-attacks-scala` for details about verifying the secret.
For more information on how OAuth2 works see `RFC 6750`_.
.. _RFC 6750: https://tools.ietf.org/html/rfc6750

2
akka-docs-dev/rst/scala/http/routing-dsl/directives/security-directives/authenticateOAuth2PFAsync.rst
View file

@ -30,6 +30,8 @@ leaves the request to be rejected with a :class:`AuthenticationFailedRejection`
See also :ref:`-authenticateOAuth2PF-` if the authorization operation is rather quick, and does not have to execute asynchronously.
See :ref:`credentials-and-timing-attacks-scala` for details about verifying the secret.
For more information on how OAuth2 works see `RFC 6750`_.
.. _RFC 6750: https://tools.ietf.org/html/rfc6750

2
akka-docs-dev/rst/scala/http/routing-dsl/directives/security-directives/authenticateOrRejectWithChallenge.rst
View file

@ -17,7 +17,7 @@ Lifts an authenticator function into a directive.
This directive allows implementing the low level challange-response type of authentication that some services may require.
More details about challange-response authentication are available in the `RFC 2617`_, `RFC 7616`_ and `RFC 7617`_.
More details about challenge-response authentication are available in the `RFC 2617`_, `RFC 7616`_ and `RFC 7617`_.
.. _RFC 2617: http://tools.ietf.org/html/rfc2617
.. _RFC 7616: http://tools.ietf.org/html/rfc7616

2
akka-docs-dev/rst/scala/http/routing-dsl/directives/security-directives/extractCredentials.rst
View file

@ -15,6 +15,8 @@ Description
Extracts the potentially present ``HttpCredentials`` provided with the request's ``Authorization`` header,
which can be then used to implement some custom authentication or authorization logic.
See :ref:`credentials-and-timing-attacks-scala` for details about verifying the secret.
Example
-------

17
akka-docs-dev/rst/scala/http/routing-dsl/directives/security-directives/index.rst
View file

@ -64,3 +64,20 @@ they are only a means of extracting the so called ``Bearer Token`` from the ``Au
as defined in `RFC 6750`_, and allow users to validate and complete the protocol.
.. _RFC 6750: https://tools.ietf.org/html/rfc6750
.. _credentials-and-timing-attacks-scala:
Credentials and password timing attacks
---------------------------------------
When transforming request ``Credentials`` into an application specific user identifier the naive solution for
checking the secret (password) would be a regular string comparison, but doing this would open up the application to
timing attacks. See for example `Timing Attacks Explained`_ for an explanation of the problem.
.. _Timing Attacks Explained: http://emerose.com/timing-attacks-explained
To protect users of the library from that mistake the secret is not available through the API, instead the method
``Credentials.Provided.verify(String)`` should be used. It does a constant time comparison rather than returning early
upon finding the first non-equal character.