<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 01/30/2013 09:33 AM, Bruno Oliveira
wrote:<br>
</div>
<blockquote
cite="mid:D8EE1181D8E54600BED0CD68F1B4D9FD@abstractj.org"
type="cite">
<div class="moz-text-plain" wrap="true" graphical-quote="true"
style="font-family: -moz-fixed; font-size: 12px;"
lang="x-unicode">
<pre wrap="">So if I'm a bank where the user account is logged in, this user has just forgot to 'logout'. Another person using his computer can just bypass the login, because the session still exists? </pre>
</div>
</blockquote>
Banks get over this by frequently being proactive using JavaScript.
If the user has been idle for a minute, they give out a warning and
if there is no response, they log out the user.<br>
<br>
<blockquote
cite="mid:D8EE1181D8E54600BED0CD68F1B4D9FD@abstractj.org"
type="cite">
<div class="moz-text-plain" wrap="true" graphical-quote="true"
style="font-family: -moz-fixed; font-size: 12px;"
lang="x-unicode">
<pre wrap="">
Another scenario, I'm at the same network of John, running my whatever-sniffer, then is just a matter of grab the current session ID and login? Am I wrong? Because If understood correctly, after user login, even if I invoke this method for a second time, what really matters is the session ID.
</pre>
</div>
</blockquote>
HTTPS/SSL should be mandatory for all critical web applications.
Just have an HTTP header agent installed for your browser. Your
passwords are in the clear in the HTTP header agent if you do not
use HTTPS.<br>
<br>
<blockquote
cite="mid:D8EE1181D8E54600BED0CD68F1B4D9FD@abstractj.org"
type="cite">
<div class="moz-text-plain" wrap="true" graphical-quote="true"
style="font-family: -moz-fixed; font-size: 12px;"
lang="x-unicode">
<pre wrap="">
I'm confused.
<div class="moz-txt-sig">--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
On Wednesday, January 30, 2013 at 1:17 PM, Anil Saldhana wrote:
</div></pre>
<blockquote type="cite" style="color: #C0C0C0;">
<pre wrap=""><span class="moz-txt-citetags">> </span>On 01/29/2013 08:08 PM, Douglas Campos wrote:
</pre>
<blockquote type="cite" style="color: #C0C0C0;">
<pre wrap=""><span class="moz-txt-citetags">> > </span>On Tue, Jan 29, 2013 at 05:19:23PM -0600, Anil Saldhana wrote:
</pre>
<blockquote type="cite" style="color: #C0C0C0;">
<pre wrap=""><span class="moz-txt-citetags">> > > </span>Shane,
<span class="moz-txt-citetags">> > > </span>this is not a bug rather a feature request.
</pre>
</blockquote>
<pre wrap=""><span class="moz-txt-citetags">> > </span>
<span class="moz-txt-citetags">> > </span>
<span class="moz-txt-citetags">> > </span>it's a bug
</pre>
<blockquote type="cite" style="color: #C0C0C0;">
<pre wrap=""><span class="moz-txt-citetags">> > > </span>Aerogear has the following sequence:
<span class="moz-txt-citetags">> > > </span>
<span class="moz-txt-citetags">> > > </span>credential.setCredential(x);
<span class="moz-txt-citetags">> > > </span>identity.login();
<span class="moz-txt-citetags">> > > </span>credential.setCredential(y);
<span class="moz-txt-citetags">> > > </span>identity.login();
<span class="moz-txt-citetags">> > > </span>
<span class="moz-txt-citetags">> > > </span>Aerogear wants PicketLink to reauthenticate during the second login()
<span class="moz-txt-citetags">> > > </span>call. Currently
<span class="moz-txt-citetags">> > > </span>it will not because the first login() established a User instance and
<span class="moz-txt-citetags">> > > </span>subsequent login()
<span class="moz-txt-citetags">> > > </span>calls will just bypass the auth process.
</pre>
</blockquote>
<pre wrap=""><span class="moz-txt-citetags">> > </span>
<span class="moz-txt-citetags">> > </span>
<span class="moz-txt-citetags">> > </span>If my API doesn't do the login process on the login() call, am I not
<span class="moz-txt-citetags">> > </span>failing with the "least surprise principle"? If it doesn't do all the
<span class="moz-txt-citetags">> > </span>login procedure when called, better rename it then: mayLogin(),
<span class="moz-txt-citetags">> > </span>loginWithCaching() or anything like this.
</pre>
</blockquote>
<pre wrap=""><span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>Your usage:
<span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>User user = null;
<span class="moz-txt-citetags">> </span>AuthenticationResult result = identity.login();
<span class="moz-txt-citetags">> </span>if(result == AuthenticationResult.SUCCESS){
<span class="moz-txt-citetags">> </span>user = identity.getUser();
<span class="moz-txt-citetags">> </span>} else {
<span class="moz-txt-citetags">> </span>throw new RuntimeException("Authentication Failed");
<span class="moz-txt-citetags">> </span>}
<span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>//Now identity has an user
<span class="moz-txt-citetags">> </span>//Irrespective of what you want to put in credential, you are
<span class="moz-txt-citetags">> </span>authenticated already until you logout
<span class="moz-txt-citetags">> </span>result = identity.login();
<span class="moz-txt-citetags">> </span>//result is always SUCCESS.
<span class="moz-txt-citetags">> </span>
</pre>
<blockquote type="cite" style="color: #C0C0C0;">
<pre wrap=""><span class="moz-txt-citetags">> > </span>
<span class="moz-txt-citetags">> > </span>IMO, this is not only wrong, but I think it can be used as a potential
<span class="moz-txt-citetags">> > </span>attack vector.
</pre>
</blockquote>
<pre wrap=""><span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>How?
</pre>
<blockquote type="cite" style="color: #C0C0C0;">
<pre wrap=""><span class="moz-txt-citetags">> > </span>
<span class="moz-txt-citetags">> > </span>-- qmx
</pre>
</blockquote>
<pre wrap=""><span class="moz-txt-citetags">> </span>_______________________________________________
<span class="moz-txt-citetags">> </span>security-dev mailing list
<span class="moz-txt-citetags">> </span><a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a> (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:security-dev@lists.jboss.org">mailto:security-dev@lists.jboss.org</a>)
<span class="moz-txt-citetags">> </span><a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a>
</pre>
</blockquote>
<pre wrap="">
</pre>
</div>
</blockquote>
<br>
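<p>To make the login() sequence under discussion concrete, the following is an added model (not PicketLink or AeroGear code) of the two behaviours: the cached variant that returns SUCCESS on any later login() once a User exists, beside a variant that verifies the currently set credential on every call. The user store, the Credential class and the credentials x and y are constructed for the example.</p>

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class AuthenticationResult(Enum):
    SUCCESS = "success"
    FAILED = "failed"

# Constructed user store for the model: username -> password.
# (A real store holds salted hashes; plain text is used only to keep the model short.)
USERS = {"john": "correct-horse"}

@dataclass
class Credential:
    username: str
    password: str

class CachingIdentity:
    """Models the behaviour described in the thread: once login() has established
    a user, every later login() returns SUCCESS without checking the credential
    that is currently set."""
    def __init__(self) -> None:
        self.credential: Optional[Credential] = None
        self.user: Optional[str] = None

    def set_credential(self, credential: Credential) -> None:
        self.credential = credential

    def login(self) -> AuthenticationResult:
        if self.user is not None:
            return AuthenticationResult.SUCCESS  # auth bypassed: user already set
        if self.credential is not None:
            expected = USERS.get(self.credential.username, "")
            if hmac.compare_digest(expected, self.credential.password):
                self.user = self.credential.username
                return AuthenticationResult.SUCCESS
        return AuthenticationResult.FAILED

    def logout(self) -> None:
        self.user = None

class ReauthenticatingIdentity(CachingIdentity):
    """Every login() re-verifies the credential currently set; the previously
    established user is dropped first, so a failed re-authentication leaves
    no user behind."""
    def login(self) -> AuthenticationResult:
        self.user = None
        return super().login()

def run_sequence(identity_cls):
    """Runs the setCredential(x); login(); setCredential(y); login() sequence
    from the thread with a correct x and a wrong y; returns both results and
    the user left on the identity afterwards."""
    identity = identity_cls()
    identity.set_credential(Credential("john", "correct-horse"))  # x, valid
    first = identity.login()
    identity.set_credential(Credential("john", "not-the-password"))  # y, invalid
    second = identity.login()
    return first, second, identity.user
```

<p>With CachingIdentity the second login() reports SUCCESS even though y is wrong; with ReauthenticatingIdentity it reports FAILED and clears the user.</p>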
</body>
</html>