[security-dev] Reseting passwords

Anil Saldhana Anil.Saldhana at redhat.com
Mon Aug 5 22:18:02 EDT 2013 

Thanks Bill.

Java Security Manager is the primary means to protect applications 
running in a JVM
from rogue applications.

On 08/05/2013 07:09 PM, Bill Burke wrote:
> His question has nothing to do with default passwords...
>
> If an attacker (or buggy program) has access to IdentityManager then
> they can call IdentityManager.updateCredential(User admin, cred)
>
> Again, IDM API is meant to be a low-level API and it should be protected
> appropriately with the Java SecurityManager or some other means.
>
> On 8/5/2013 7:58 PM, Anil Saldhana wrote:
>> Hi Bruno,
>>      ideally the application should not create a default password for the
>> admin. The reason is that it goes into production and gets forgotten.
>> But in practice, applications create a default password which gets
>> changed after the first deployment. This is what you are doing.
>>
>> Since the session management is handled by the application, PicketLink
>> has no ability to check whether there are concurrent sessions active.
>>
>> I understand your concern that there is a small window after application
>> deployment where an attacker may control the application by changing the
>> admin password. This is mitigated either by not having a default
>> password (change in DB directly after deployment) or change the password
>> right after deployment.
>>
>> Answers from the team are welcome.
>>
>> Regards,
>> Anil
>>
>> On 08/05/2013 04:09 PM, Bruno Oliveira wrote:
>>> Good morning, on AeroGear we have the following scenario with PicketLink
>>> beta5:
>>>
>>> - Default user  "admin" which must change her password at first
>>> deployment, otherwise she will not be able to login
>>>
>>> During the startup we have the following piece of code:
>>>
>>> @Singleton
>>> @Startup
>>> public class PicketLinkDefaultUsers {
>>>
>>>        @Inject
>>>        private IdentityManager identityManager;
>>>
>>>        @PostConstruct
>>>        public void create() {
>>>
>>>            User adminUser = identityManager.getUser("admin");
>>>
>>>            Developer admin = new Developer();
>>>            admin.setLoginName("admin");
>>>
>>>            this.identityManager.add(admin);
>>>            this.identityManager.updateCredential(admin, new
>>> Password("123"), new Date(), expirationDate());
>>>
>>>            Role roleDeveloper = new SimpleRole("admin");
>>>            this.identityManager.add(roleDeveloper);
>>>            identityManager.grantRole(admin, roleDeveloper);
>>>
>>>        }
>>>
>>>        //Expiration date of the password
>>>        private Date expirationDate() {
>>>            Calendar expirationDate = Calendar.getInstance();
>>>            expirationDate.add(Calendar.HOUR, -1);
>>>            return expirationDate.getTime();
>>>        }
>>> }
>>>
>>> On login:
>>>
>>> public boolean login(User user, String password) {
>>>
>>>            credentials.setUserId(user.getLoginName());
>>>            credentials.setCredential(new Password(password));
>>>
>>>            if (identity.login() != Identity.AuthenticationResult.SUCCESS) {
>>>                return false;
>>>            }
>>>
>>>            return true;
>>>     }
>>>
>>> Now to reset the password:
>>>
>>> this.identityManager.updateCredential(admin, new Password(newPassword));
>>>
>>> And here comes my question. At least to me it looks like is possible to
>>> change admin's password by just guessing the username, my concern is
>>> about an attacker being able to escalate privileges (I can be wrong). On
>>> PicketLink do we have something internally like password matching? Or
>>> maybe some mechanism to force user to change their password upon first
>>> login? For example (just a very stupid example):
>>>
>>> this.identityManager.updateCredential(admin, oldPassword, newPassword);
>>>
>>> The correct solution (I guess) would be to check if that user has
>>> already logged in and force admin to supply the new password, but the
>>> method isLoggedIn will return false for credentials with status EXPIRED.
>>>
>>> An alternative with the current scenario (maybe is just the lack of
>>> knowledge in API usability) would be to validate and check credential
>>> status.
>>>
>>> Credentials credential = new UsernamePasswordCredentials("username", new
>>> Password(password));
>>> identityManager.validateCredentials(credential);
>>>
>>> But I think that might exist something on PicketLink to verify if the
>>> session exists, before reset user's password.
>>>
>>> Any ideas?
>>>
>>> -- abstractj
>>>

More information about the security-dev mailing list