Identity Zone Selection via X-Zid Header #3427

adrianhoelzl-sap · 2025-04-29T09:22:31Z

No description provided.

fhanik · 2025-04-30T19:59:51Z

@adrianhoelzl-sap How does this impact cookies and security?

What If I do a request like this

GET /some/path
Host: some.host.com
Header: X-Zid=zone-id-for-someother.host.com

and this sets up my cookies (including authentication stored in the session)
and then I do this request (and continue using the same JSESSIONID since the host hasn't changed)

GET /some/path
Host: some.host.com

Do I just gain access across zones?

adrianhoelzl-sap · 2025-05-01T14:27:55Z

@adrianhoelzl-sap How does this impact cookies and security?

What If I do a request like this
GET /some/path
Host: some.host.com
Header: X-Zid=zone-id-for-someother.host.com
and this sets up my cookies (including authentication stored in the session) and then I do this request (and continue using the same JSESSIONID since the host hasn't changed)
GET /some/path
Host: some.host.com
Do I just gain access across zones?

This scenario should be addressed by this check here:

uaa/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/SessionResetFilter.java

Line 60 in df50723

    
           if (!Objects.equals(IdentityZoneHolder.getCurrentZoneId(), authentication.getPrincipal().getZoneId())) {

The zone resolved through the subdomain or X-Zid header (IdentityZoneHolder.getCurrentIdentityZoneId()) is compared to the zone for which the session was set up (authentication.getPrincipal().getZoneId()). If they do not match, the session is invalidated.

fhanik · 2025-05-08T14:42:42Z

The SessionResetFilter is added at the end of each filter chain. it is the last filter that is used before an MVC endpoint is invoked.

But all the filters before that, that may contain logic and send redirects prior to the completion of the filter chain are still vulnerable to this.

A lot of the SAML/OAuth/OIDC happens in just filters, and not in MVC endpoints, and those filters would be working under incorrect assumptions.

Given the risk, is this header really needed?

If the HTTP client can set a header, it can set the "Host" header, and if there is a browser involved, cookie handling will be accurate.

strehle

My hope was that we can consolidate the amount of filter (per each request) and optimize but can we integration this logic into one of other IdentityZoneXYZ filters ? ... maybe rename one and do more ?

strehle · 2025-05-27T14:05:32Z

...rc/main/java/org/cloudfoundry/identity/uaa/oauth/common/util/RandomValueStringGenerator.java

@@ -15,6 +15,8 @@ public class RandomValueStringGenerator {

    private static final char[] DEFAULT_CODEC = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_"
            .toCharArray();
+    private static final char[] CODEC_LETTERS_ONLY = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


pls use

uaa/server/src/main/java/org/cloudfoundry/identity/uaa/util/AlphanumericRandomValueStringGenerator.java

Line 7 in b449b5b

"1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

strehle · 2025-05-27T14:05:39Z

...rc/main/java/org/cloudfoundry/identity/uaa/oauth/common/util/RandomValueStringGenerator.java

@@ -90,4 +92,7 @@ public void setLength(int length) {
        this.length = length;
    }

+    public static RandomValueStringGenerator lettersOnly(final int length) {


adrianhoelzl-sap requested review from tack-sap and a team April 29, 2025 09:22

cf-foundation-community-automation bot added this to Foundational Infrastructure Working Group Apr 29, 2025

cf-foundation-community-automation bot moved this to Inbox in Foundational Infrastructure Working Group Apr 29, 2025

adrianhoelzl-sap added 16 commits May 27, 2025 08:13

Refactor IdentityZoneResolvingFilter.doFilterInternal

c9c01d0

Add reading of 'X-Zid' header

2ede7f0

Add distinction between lookup of zone by ID and by subdomain

cfc1a82

Refactor initialization of DAO in IdentityZoneResolvingFilterTests

92d5641

Add unit tests for X-Zid header

563d9c7

Add description of X-Zid header to overview section of API documentation

1272857

Add toggle for X-Zid header

cee6802

Add zidHeaderEnabled field to IdentityZoneResolvingFilter

ef0d97e

Add check for flag being enabled to filter

89bee31

Add IdentityZoneMismatchCheckFilter

0f5a3e7

Add IdentityZoneMismatchCheckFilter to filter chain

648ac9f

Remove IdZ check from SessionResetFilter

d473b18

Add unit test for IdentityZoneMismatchCheckFilter

24af2bf

Adjust version and mention feature flag in documentation

477bbf3

Add codec to RandomValueStringGenerator to generate letter-only strings

bcca88e

Add MockMvc tests for X-Zid header behavior

b69180d

adrianhoelzl-sap force-pushed the x-zid-header branch from c9a0330 to b69180d Compare May 27, 2025 14:03

strehle reviewed May 27, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Identity Zone Selection via X-Zid Header #3427

Identity Zone Selection via X-Zid Header #3427

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Identity Zone Selection via X-Zid Header #3427

Are you sure you want to change the base?

Identity Zone Selection via X-Zid Header #3427

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!