Atelier security quirk

When defining a server connection in Atelier we are required to enter a username and password because these are mandatory fields in the dialog. However, if the /api/atelier web application definition on that server has only the "Unauthenticated" checkbox set in the section titled "Allowed Authentication Methods", then our Atelier connection will succeed even if we supply an invalid username and/or password.

The /api/atelier web application is configured that way (i.e. "Unauthenticated" only) when Minimal security is chosen during a fresh Caché / Ensemble / IRIS install. I haven't tested to see what the situation is after a server on a pre-Atelier version gets upgraded to a version that implements /api/atelier, but I wonder how the new web application's security is initially configured.

IMO, the way that Atelier requires credentials but may nevertheless connect as UnknownUser regardless (because the server's /api/atelier is configured not to accept any credentials) risks giving users a false sense of security about their server.


Comments

Funny observation:

Two freshly installed instances (ENS 2017, IRIS 2018) show Unauthenticated only,

while the upgraded Caché 2016.2 shows me Unauthenticated and Password.
But I can't remember the status of MgmtPortal at the time of the upgrade.

IMHO, Minimal Security option should be completely eliminated from the product.

I saw this behavior of having the /api/atelier application created with only Unauthenticated on Ensemble installations with Lock Down security. But that was about a year ago and I thought that was because it was still beta. Is this happening on current Ensemble and IRIS installations as well? What security level did you install them with?

This is not an Atelier issue, but an issue of general concern. A system administrator might specify authentication but also allow for unauthenticated access. The instance will try to authenticate and, if this fails, will determine if there is another authentication option.

The authentication mechanism of unauthenticated was helpful at the time when it was created, but not anymore. It is too easy to leave a server wide open; something nobody can afford anymore. The minimal installation option will go away, and with it the default of having unauthenticated enabled. Atelier is already based on the concept that all access to a server requires authentication.

Stay tuned for more changes in the area of product installation and install modes.

This seems to have been addressed in Atelier 1.2. Using build 118 from the beta repo, I get the following when testing a connection to a server installed with Minimal security (which somewhat surprisingly is still an option when installing IRIS 2018.1.1).

To resolve this I must enable another authentication method (e.g. Password) on the /api/atelier web app:

Probably a good idea to deselect Unauthenticated. Even though Atelier doesn't seem to allow an anonymous connection to the /api/atelier REST service, I guess it'd be possible to do this directly.
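The check and the fix discussed in this thread (is /api/atelier configured with "Unauthenticated" as an allowed method, and switching it to Password only) can be scripted rather than done by hand in the Management Portal. The class below is an added example written for this page, not code from the thread or from InterSystems. It uses the Security.Applications Get and Modify methods in the %SYS namespace and assumes the AutheEnabled bit values from the Security.Applications class reference (32 = Password, 64 = Unauthenticated); verify those two constants against the class reference for your version before relying on them.

```objectscript
/// Added example (not from the thread). Audits the allowed authentication
/// methods of a web application and can remove "Unauthenticated" so that a
/// connection with a wrong username/password is rejected instead of being
/// silently accepted as UnknownUser. Run from any namespace; it switches to
/// %SYS itself because Security.Applications lives there.
Class Util.AtelierAuthAudit
{

/// Web application checked by default.
Parameter APPNAME = "/api/atelier";

/// AutheEnabled bit for Password authentication (assumption: from the
/// Security.Applications class reference; verify for your version).
Parameter AUTHEPASSWORD = 32;

/// AutheEnabled bit for Unauthenticated access (assumption, as above).
Parameter AUTHEUNAUTH = 64;

/// Read the AutheEnabled bit mask of a web application, or throw on error.
ClassMethod GetAutheEnabled(app As %String = {..#APPNAME}) As %Integer
{
    New $Namespace
    Set $Namespace = "%SYS"
    Set sc = ##class(Security.Applications).Get(app, .props)
    If $$$ISERR(sc) {
        Throw ##class(%Exception.StatusException).CreateFromStatus(sc)
    }
    Quit props("AutheEnabled")
}

/// Returns 1 if the web application accepts unauthenticated requests.
ClassMethod AllowsUnauthenticated(app As %String = {..#APPNAME}) As %Boolean
{
    // $ZBOOLEAN operation 1 is bitwise AND
    Quit ($ZBoolean(..GetAutheEnabled(app), ..#AUTHEUNAUTH, 1) '= 0)
}

/// Human-readable summary of the two methods this thread is about.
ClassMethod Report(app As %String = {..#APPNAME}) As %String
{
    Set flags = ..GetAutheEnabled(app)
    Set pw = ($ZBoolean(flags, ..#AUTHEPASSWORD, 1) '= 0)
    Set anon = ($ZBoolean(flags, ..#AUTHEUNAUTH, 1) '= 0)
    Set msg = app_": Password="_pw_" Unauthenticated="_anon
    If anon {
        Set msg = msg_" -- invalid credentials will still be accepted as UnknownUser"
    }
    Quit msg
}

/// Clear the Unauthenticated bit and set the Password bit on the web
/// application, leaving any other allowed methods untouched.
ClassMethod RequirePassword(app As %String = {..#APPNAME}) As %Status
{
    New $Namespace
    Set $Namespace = "%SYS"
    Set sc = ##class(Security.Applications).Get(app, .props)
    If $$$ISERR(sc) Quit sc
    Set flags = props("AutheEnabled")
    // operation 2 is "a AND NOT b": drop the Unauthenticated bit
    Set flags = $ZBoolean(flags, ..#AUTHEUNAUTH, 2)
    // operation 7 is "a OR b": make sure Password stays/becomes allowed
    Set flags = $ZBoolean(flags, ..#AUTHEPASSWORD, 7)
    Kill newprops
    Set newprops("AutheEnabled") = flags
    Quit ##class(Security.Applications).Modify(app, .newprops)
}

}
```

Usage from a terminal session with sufficient privileges: `Write ##class(Util.AtelierAuthAudit).Report()` prints the current state, and `Do $System.Status.DisplayError(##class(Util.AtelierAuthAudit).RequirePassword())` applies the change described in the last two comments (enable Password, deselect Unauthenticated). After the change, an Atelier connection with an invalid username or password should fail instead of connecting as UnknownUser, which is the behaviour the original post wanted.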