Atelier security quirk

Article

John Murray · Feb 8, 2018 1m read

When defining a server connection in Atelier we are required to enter a username and password because these are mandatory fields in the dialog. However, if the /api/atelier web application definition on that server has only the "Unauthenticated" checkbox set in the section titled "Allowed Authentication Methods", then our Atelier connection will succeed even if we supply an invalid username and/or password.

The /api/atelier web application is configured that way (i.e. "Unauthenticated" only) when Minimal security is chosen during a fresh Caché / Ensemble / IRIS install. I haven't tested to see what the situation is after a server on a pre-Atelier version gets upgraded to a version that implements /api/atelier, but I wonder how the new web application's security is initially configured.

IMO, the way that Atelier requires credentials but may nevertheless connect as UnknownUser regardless (because the server's /api/atelier is configured not to accept any credentials) risks giving users a false sense of security about their server.

Robert Cemper · Feb 8, 2018

funny observation:

2 fresh installed instances (ENS 2017, IRIS 2018) show Unauthenticated only

while the upgraded Caché 2016.2 shows me Unauthenticated and Password.
But can't remember the status of MgmtPortal at the time of upgrade.

1 0

Amir Samary · Feb 12, 2018

IMHO, Minimal Security option should be completely eliminated from the product.

I saw this behavior of having /api/atelier application created with only Unauthenticated on Ensemble installations with Lock Down Security. But that was about a year ago and I thought that was because it was still beta. Is this happening on current Ensemble and IRIS installations as well? Did you install them with what security level?

0 0

Andreas Dieckow · Feb 12, 2018

This is not an Atelier issue, but an issue of general concern. A system administrator might specify authentication but also allows for unauthenticated access. The instance will try to authenticate and if this fails will determine if there is another authentication option.

The authentication mechanism of unauthenticated was helpful at the time when it was created, but not anymore. It is too easy to leave a server wide open; something nobody can afford anymore. The minimal installation option will go away, and with it the default of having unauthenticated being enabled. Atelier is already based on the concept that all access to a server requires authentication.

Stay tuned for more changes in the area of product installation and install modes.

John Murray · May 29, 2018

This seems to have been addressed in Atelier 1.2. Using build 118 from the beta repo I get the following when testing a connection to a server installed with Minimal security (which somewhat surprisingly is still an option when installing IRIS 2018.1.1)

To resolve this I must enable another authentication method (e.g. Password) on the /api/atelier web app:

Probably a good idea to deselect Unauthenticated. Even though Atelier doesn't seem to allow anonymous connection to /api/atelier REST service I guess it'd be possible to do this directly.

2 0

Scott Roth · Jan 30

John, if we have multiple authentication methods turned on for /api/Atelier could this also cause Unauthenticated tries against /api/Atelier?

trying to track down login issues and I am seeing this...

Timothy Leavitt · Jan 30

Scott, I'd recommend reaching out to InterSystems Support on this. My gut feeling looking at that message would be that your web gateway configuration is incorrect. Specifically, maybe the web gateway itself is trying to connect unauthenticated, which isn't allowed (because UnknownUser can't use %Service_WebGateway), and the request just happens to be for the /api/atelier web application.