[security-dev] Reseting passwords

Bill Burke bburke at redhat.com
Mon Aug 5 20:09:35 EDT 2013 

His question has nothing to do with default passwords...

If an attacker (or buggy program) has access to IdentityManager then 
they can call IdentityManager.updateCredential(User admin, cred)

Again, IDM API is meant to be a low-level API and it should be protected 
appropriately with the Java SecurityManager or some other means.

On 8/5/2013 7:58 PM, Anil Saldhana wrote:
> Hi Bruno,
>     ideally the application should not create a default password for the
> admin. The reason is that it goes into production and gets forgotten.
> But in practice, applications create a default password which gets
> changed after the first deployment. This is what you are doing.
>
> Since the session management is handled by the application, PicketLink
> has no ability to check whether there are concurrent sessions active.
>
> I understand your concern that there is a small window after application
> deployment where an attacker may control the application by changing the
> admin password. This is mitigated either by not having a default
> password (change in DB directly after deployment) or change the password
> right after deployment.
>
> Answers from the team are welcome.
>
> Regards,
> Anil
>
> On 08/05/2013 04:09 PM, Bruno Oliveira wrote:
>> Good morning, on AeroGear we have the following scenario with PicketLink
>> beta5:
>>
>> - Default user  "admin" which must change her password at first
>> deployment, otherwise she will not be able to login
>>
>> During the startup we have the following piece of code:
>>
>> @Singleton
>> @Startup
>> public class PicketLinkDefaultUsers {
>>
>>       @Inject
>>       private IdentityManager identityManager;
>>
>>       @PostConstruct
>>       public void create() {
>>
>>           User adminUser = identityManager.getUser("admin");
>>
>>           Developer admin = new Developer();
>>           admin.setLoginName("admin");
>>
>>           this.identityManager.add(admin);
>>           this.identityManager.updateCredential(admin, new
>> Password("123"), new Date(), expirationDate());
>>
>>           Role roleDeveloper = new SimpleRole("admin");
>>           this.identityManager.add(roleDeveloper);
>>           identityManager.grantRole(admin, roleDeveloper);
>>
>>       }
>>
>>       //Expiration date of the password
>>       private Date expirationDate() {
>>           Calendar expirationDate = Calendar.getInstance();
>>           expirationDate.add(Calendar.HOUR, -1);
>>           return expirationDate.getTime();
>>       }
>> }
>>
>> On login:
>>
>> public boolean login(User user, String password) {
>>
>>           credentials.setUserId(user.getLoginName());
>>           credentials.setCredential(new Password(password));
>>
>>           if (identity.login() != Identity.AuthenticationResult.SUCCESS) {
>>               return false;
>>           }
>>
>>           return true;
>>    }
>>
>> Now to reset the password:
>>
>> this.identityManager.updateCredential(admin, new Password(newPassword));
>>
>> And here comes my question. At least to me it looks like is possible to
>> change admin's password by just guessing the username, my concern is
>> about an attacker being able to escalate privileges (I can be wrong). On
>> PicketLink do we have something internally like password matching? Or
>> maybe some mechanism to force user to change their password upon first
>> login? For example (just a very stupid example):
>>
>> this.identityManager.updateCredential(admin, oldPassword, newPassword);
>>
>> The correct solution (I guess) would be to check if that user has
>> already logged in and force admin to supply the new password, but the
>> method isLoggedIn will return false for credentials with status EXPIRED.
>>
>> An alternative with the current scenario (maybe is just the lack of
>> knowledge in API usability) would be to validate and check credential
>> status.
>>
>> Credentials credential = new UsernamePasswordCredentials("username", new
>> Password(password));
>> identityManager.validateCredentials(credential);
>>
>> But I think that might exist something on PicketLink to verify if the
>> session exists, before reset user's password.
>>
>> Any ideas?
>>
>> -- abstractj
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the security-dev mailing list