[security-dev] PLINK-84 - Login can be bypassed with any user after a first successful login

Anil Saldhana Anil.Saldhana at redhat.com
Tue Jan 29 15:58:28 EST 2013


From what I understand from JIRA comments, the use case boils down to 
use of additional credentials after a successful authentication.

I am thinking maybe the authentication process should register the type 
of credential last used and if subsequent login() calls happen on the 
identity, then a change of credential (via the credential.setCredential) 
should trigger an authentication process.

Unless the credential type has changed, I am unsure why we need to 
perform another authentication when the user has already authenticated 
and the session is active.

Thoughts/feedback?

On 01/29/2013 08:28 AM, Bruno Oliveira wrote:
> Good morning everybody, I'm not sure if this jira was filed correctly https://issues.jboss.org/browse/PLINK-84
>
> Let me know.
>
>


