[security-dev] Reseting passwords

Bruno Oliveira bruno at abstractj.org
Mon Aug 5 17:09:28 EDT 2013


Good morning, on AeroGear we have the following scenario with PicketLink
beta5:

- Default user  "admin" which must change her password at first
deployment, otherwise she will not be able to login

During the startup we have the following piece of code:

@Singleton
@Startup
public class PicketLinkDefaultUsers {

    @Inject
    private IdentityManager identityManager;

    @PostConstruct
    public void create() {

        User adminUser = identityManager.getUser("admin");

        Developer admin = new Developer();
        admin.setLoginName("admin");

        this.identityManager.add(admin);
        this.identityManager.updateCredential(admin, new
Password("123"), new Date(), expirationDate());

        Role roleDeveloper = new SimpleRole("admin");
        this.identityManager.add(roleDeveloper);
        identityManager.grantRole(admin, roleDeveloper);

    }

    //Expiration date of the password
    private Date expirationDate() {
        Calendar expirationDate = Calendar.getInstance();
        expirationDate.add(Calendar.HOUR, -1);
        return expirationDate.getTime();
    }
}

On login:

public boolean login(User user, String password) {

        credentials.setUserId(user.getLoginName());
        credentials.setCredential(new Password(password));

        if (identity.login() != Identity.AuthenticationResult.SUCCESS) {
            return false;
        }

        return true;
 }

Now to reset the password:

this.identityManager.updateCredential(admin, new Password(newPassword));

And here comes my question. At least to me it looks like is possible to
change admin's password by just guessing the username, my concern is
about an attacker being able to escalate privileges (I can be wrong). On
PicketLink do we have something internally like password matching? Or
maybe some mechanism to force user to change their password upon first
login? For example (just a very stupid example):

this.identityManager.updateCredential(admin, oldPassword, newPassword);

The correct solution (I guess) would be to check if that user has
already logged in and force admin to supply the new password, but the
method isLoggedIn will return false for credentials with status EXPIRED.

An alternative with the current scenario (maybe is just the lack of
knowledge in API usability) would be to validate and check credential
status.

Credentials credential = new UsernamePasswordCredentials("username", new
Password(password));
identityManager.validateCredentials(credential);

But I think that might exist something on PicketLink to verify if the
session exists, before reset user's password.

Any ideas?

-- abstractj


More information about the security-dev mailing list