Uploaded image for project: 'Sakai'
  1. Sakai
  2. SAK-39750

Add Property to Always Allow sakai.sesson on certain URIs

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: RESOLVED
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 19.0
    • Component/s: BasicLTI, Kernel
    • Labels:
    • 12 status:
      Please Merge
    • 11 status:
      Please Merge
    • Property addition/change required:
      Yes
    • Previous Issue Keys:
      KNL-1590
    • Test Plan:
      Hide

      To test this - you need -SAK-34032- installed.  Without the patch, if you set 

      sakai.cookieSameSite=strict

      ContentItem selections (app store) will fail.

      With this patch ContentItem will work (See below).  With this patch if you set

      session.parameter.allow.bypass=none

      ContentItem selections (app store) will again fail.

      To test error conditions, you can also generate a regex error by:

      session.parameter.allow.bypass=(oops((

      When the system starts you should see something like:

      org.sakaiproject.util.RequestFilter.init Unable to compile session.parameter.allow = (oops((

      But the system should come up (i.e. you don't crash Sakai with a bad regex)

      Testing Content Item in Master

      1) Login as admin / admin

      2) Go to Mercury - > Lessons

      3) Go to Add Content -> Add Learning App -> Tsugi Cloud

      4) Pick an app form the store and install it

      5) Then launch the app.

      If you can see the app - it works.  If there is a failure at step 4 (see attached image) this code is not working properly

      Show
      To test this - you need - SAK-34032 - installed.  Without the patch, if you set  sakai.cookieSameSite=strict ContentItem selections (app store) will fail. With this patch ContentItem will work (See below).  With this patch if you set session.parameter.allow.bypass=none ContentItem selections (app store) will again fail. To test error conditions, you can also generate a regex error by: session.parameter.allow.bypass=(oops(( When the system starts you should see something like: org.sakaiproject.util.RequestFilter.init Unable to compile session.parameter.allow = (oops(( But the system should come up (i.e. you don't crash Sakai with a bad regex) Testing Content Item in Master 1) Login as admin / admin 2) Go to Mercury - > Lessons 3) Go to Add Content -> Add Learning App -> Tsugi Cloud 4) Pick an app form the store and install it 5) Then launch the app. If you can see the app - it works.  If there is a failure at step 4 (see attached image) this code is not working properly

      Description

      Sometimes we need to allow the session id to be specified on a URL using the sakai.session parameter.  There is currently a required configuration parameter to allow this:

      session.parameter.allow=true

      This is normally defaulted to false since it might be exploited.  Since this is required in certain specific situations like the POST return from a Content Item selection and in Lessons we need a finer grain way to have this on by default but only for certain URIs. 

      So we add a new configuration option that is a regular expression to match the URIs that always allow sakai.session with the following default:

      session.parameter.allow.bypass=sakai\.basiclti\.admin\.helper\.helper

      This is a regex so you can add more URI matches with vertical bars (|) - but this value as default makes it so ContentItem works.

      You can turn this off completely (and break ContentItem) with this setting:

      session.parameter.allow.bypass=none

       

        Gliffy Diagrams

          Zeplin

            Attachments

              Issue Links

              is depended on by

              Bug - A problem which impairs or prevents functionality of the product. SAK-40033 Fix the loss of session Content Item under SameSite=strict in the rich text editor

              • Major - Major loss of function or need for functionality in production in the near future.
              • CLOSED

              Task - A task that needs to be done. SAK-34032 Adjust ContentItem Implementation to Work with SameSite strict

              • Major - Major loss of function or need for functionality in production in the near future.
              • RESOLVED
              relates to

              Feature Request - Functionality that you would like to see in Sakai. SAK-39403 Investigate using the Tomcat CSRF filter (i.e. SameSite)

              • Major - Major loss of function or need for functionality in production in the near future.
              • Verified

                Activity

                  People

                  Assignee:
                  csev Charles Severance
                  Reporter:
                  csev Charles Severance
                  Votes:
                  0 Vote for this issue
                  Watchers:
                  3 Start watching this issue

                    Dates

                    Created:
                    Updated:
                    Resolved:

                      Git Integration