<div>
Thanks Anil.
</div>
<div><div><br></div><div><br></div><div><div>-- </div><div>"The measure of a man is what he does with power" - Plato</div><div>-</div><div>@abstractj</div><div>-</div><div>Volenti Nihil Difficile</div></div></div>
<p style="color: #A0A0A8;">On Thursday, January 31, 2013 at 1:07 PM, Anil Saldhana wrote:</p>
<blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
<span><div><div>
<div>Ok. We throw an exception now if there
is a second login() call on an already authenticated session.<br>
<br>
On 01/31/2013 07:25 AM, Bruno Oliveira wrote:<br>
</div><blockquote type="cite"><div>
<div wrap="true" graphical-quote="true" style="font-family: -moz-fixed; font-size: 12px;" lang="x-western">
<pre wrap="">Exactly! That's my point!
Thanks Marek.
<div>--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
On Thursday, January 31, 2013 at 8:40 AM, Marek Posolda wrote:
</div></pre><blockquote type="cite"><div>
<pre wrap=""><span>> </span>In Servlet 3.0 specification, method HttpServletRequest.login(username,
<span>> </span>password) stated in javadoc that it throws exception if someone is
<span>> </span>trying to login on already authenticated session. Javadoc looks like this:
<span>> </span>
<span>> </span>* @exception ServletException if the configured login mechanism
<span>> </span>*     does not support username password authentication, or if a
<span>> </span>*     non-null caller identity had already been established (prior
<span>> </span>*     to the call to login), or if validation of the provided
<span>> </span>*     username and password fails.
<span>> </span>
<span>> </span>Indeed, throwing an exception seems to me like the best approach in this case. I
<span>> </span>think that if someone wants to login again with different credentials,
<span>> </span>he should first logout before the second login. So the use case could be like:
<span>> </span>
<span>> </span>credential.setCredential(x);
<span>> </span>identity.login();
<span>> </span>// Do something with identity 'x'
<span>> </span>identity.logout();
<span>> </span>
<span>> </span>credential.setCredential(y);
<span>> </span>identity.login();
<span>> </span>// Do something with identity 'y'
<span>> </span>
<span>> </span>
<span>> </span>
<span>> </span>Marek
<span>> </span>
<span>> </span>On 31/01/13 01:58, Jess Sightler wrote:
</pre><blockquote type="cite"><div>
<pre wrap=""><span>> > </span>I see no reason why someone would call login again on an already authenticated session. I believe that Seam 2.x used to catch this and throw an exception (though I could be misremembering). Personally, I would prefer an exception over silently ignoring the call or an option such as the one below.
<span>> > </span>
<span>> > </span>Unless there is a valid reason to call .login again?
<span>> > </span>
<span>> > </span>----- Original Message -----
</pre><blockquote type="cite"><div>
<pre wrap=""><span>> > > </span>From: "Anil Saldhana" <a moz-do-not-send="true" href="mailto:Anil.Saldhana@redhat.com%28mailto:Anil.Saldhana@redhat.com%29"><Anil.Saldhana@redhat.com (mailto:Anil.Saldhana@redhat.com)></a>
<span>> > > </span>To: <a moz-do-not-send="true" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a> (<a moz-do-not-send="true" href="mailto:security-dev@lists.jboss.org">mailto:security-dev@lists.jboss.org</a>)
<span>> > > </span>Sent: Wednesday, January 30, 2013 7:31:33 PM
<span>> > > </span>Subject: Re: [security-dev] PLINK-84 - Login can be bypassed with any user after a first successful login
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>Actually, I do not see a problem in customizing the behavior of
<span>> > > </span>repeated login() method calls:
<span>> > > </span>
<span>> > > </span>something like:
<span>> > > </span>
<span>> > > </span>identity.setOption(Option.LOGIN_REPEAT);
<span>> > > </span>credential.setCredential(x);
<span>> > > </span>identity.login();
<span>> > > </span>credential.setCredential(y);
<span>> > > </span>identity.login();
<span>> > > </span>
<span>> > > </span>If the option is set, then the second call of login() will
<span>> > > </span>authenticate again.
<span>> > > </span>
<span>> > > </span>By default, we want to maintain the session behavior. But if Aerogear
<span>> > > </span>wants repeated login() logic, they should be able to set it in the
<span>> > > </span>option?
<span>> > > </span>
<span>> > > </span>Feedback?
<span>> > > </span>
<span>> > > </span>On 01/30/2013 11:47 AM, Bruno Oliveira wrote:
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>I still don't agree with it; we're giving the benefit of the doubt to
<span>> > > </span>developers. If I have a method which is invoked twice, for example
<span>> > > </span>via HTTP request, with the following code:
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
</pre><blockquote type="cite"><div><blockquote type="cite"><div>
<pre wrap=""><span>> > > > > </span>credential.setCredential(x); > > identity.login(); > Login should
<span>> > > > > </span>be validate it again, but if you think that is not a problem,
<span>> > > > > </span>I'm fine.
<span>> > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > </span>
<span>> > > </span>
<span>> > > </span>Anil, could you please provide the final solution for it? Examples of
<span>> > > </span>usage?
<span>> > > </span>--
<span>> > > </span>"The measure of a man is what he does with power" - Plato
<span>> > > </span>-
<span>> > > </span>@abstractj
<span>> > > </span>-
<span>> > > </span>Volenti Nihil Difficile
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>On Wednesday, January 30, 2013 at 1:40 PM, Anil Saldhana wrote:
<span>> > > </span>
</pre><blockquote type="cite"><div>
<pre wrap=""><span>> > > > </span>On 01/30/2013 09:33 AM, Bruno Oliveira wrote:
</pre><blockquote type="cite"><div>
<pre wrap=""><span>> > > > > </span>So if I'm a bank where the user account is logged in, this user
<span>> > > > > </span>has just forgot to 'logout'. Another person using his computer
<span>> > > > > </span>can just bypass the login, because the session still exists?
<span>> > > > > </span>Banks get over this by frequently being proactive using
<span>> > > > > </span>Javascript. If the user has been idle for a minute, they give
<span>> > > > > </span>out a warning and if there is no response, they log out the
<span>> > > > > </span>user. > >
<span>> > > > > </span>Another scenario, I'm at the same network of John, running my
<span>> > > > > </span>whatever-sniffer, then is just a matter of grab the current
<span>> > > > > </span>session ID and login? Am I wrong? Because If understood
<span>> > > > > </span>correctly, after user login, even if I invoke this method for a
<span>> > > > > </span>second time, what really matters is the session ID. https/ssl
<span>> > > > > </span>should be mandatory for all critical web applications. Just have
<span>> > > > > </span>a HTTP Header agent installed for your browser. Your passwords
<span>> > > > > </span>are in the clear in the http header agent if you do not use
<span>> > > > > </span>https. >
<span>> > > > > </span>I'm confused. > > -- "The measure of a man is what he does with
<span>> > > > > </span>power" - Plato - @abstractj - Volenti Nihil Difficile On
<span>> > > > > </span>Wednesday, January 30, 2013 at 1:17 PM, Anil Saldhana wrote: > >
<span>> > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > </span>
<span>> > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
</pre><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite"><div>
<pre wrap=""><span>> > > > > > > </span>On 01/29/2013 08:08 PM, Douglas Campos wrote:
</pre>
</div></blockquote></blockquote></blockquote></blockquote><pre wrap="">
</pre><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div>
<pre wrap=""><span>> > > > > > > > > </span>On Tue, Jan 29, 2013 at 05:19:23PM -0600, Anil Saldhana
<span>> > > > > > > > > </span>wrote:
<span>> > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
</pre><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div>
<pre wrap=""><span>> > > > > > > > > > > </span>Shane, > > > this is not a bug rather a feature
<span>> > > > > > > > > > > </span>request. > > > > > > > > > > > > > > > > > > > > > >
<span>> > > > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
</pre><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div>
<pre wrap=""><span>> > > > > > > > > > > > > </span>it's a bug > > > > > > > > Aerogear has the
<span>> > > > > > > > > > > > > </span>following sequence: > > > > > >
<span>> > > > > > > > > > > > > </span>credential.setCredential(x); > > >
<span>> > > > > > > > > > > > > </span>identity.login(); > > >
<span>> > > > > > > > > > > > > </span>credential.setCredential(y); > > >
<span>> > > > > > > > > > > > > </span>identity.login(); > > > > > > Aerogear wants
<span>> > > > > > > > > > > > > </span>PicketLink to reauthenticate during the second
<span>> > > > > > > > > > > > > </span>login() > > > call. Currently > > > it will not
<span>> > > > > > > > > > > > > </span>because the first login() established a User
<span>> > > > > > > > > > > > > </span>instance and > > > subsequent login() > > >
<span>> > > > > > > > > > > > > </span>calls will just bypass the auth process. > > > >
<span>> > > > > > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
</pre><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div>
<pre wrap=""><span>> > > > > > > > > > > > > </span>If my API doesn't do the login process on the
<span>> > > > > > > > > > > > > </span>login() call, am I not > > failing with the
<span>> > > > > > > > > > > > > </span>"least surprise principle"? If it doesn't do all
<span>> > > > > > > > > > > > > </span>the > > login procedure when called, better
<span>> > > > > > > > > > > > > </span>rename it then: mayLogin(), > >
<span>> > > > > > > > > > > > > </span>loginWithCaching() or anything like this. > > >
<span>> > > > > > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
</pre><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div>
<pre wrap=""><span>> > > > > > > > > </span>Your usage: > > User user = null; > AuthenticationResult
<span>> > > > > > > > > </span>result = identity.login(); > if(result ==
<span>> > > > > > > > > </span>AuthenticationResult.SUCCESS){ > user =
<span>> > > > > > > > > </span>identity.getUser(); > } else { > throw new
<span>> > > > > > > > > </span>RuntimeException("Authentication Failed"); > } > > //Now
<span>> > > > > > > > > </span>identity has an user > //Irrespective of what you want
<span>> > > > > > > > > </span>to put in credential, you are > authenticated already
<span>> > > > > > > > > </span>until you logout > result = identity.login(); > //result
<span>> > > > > > > > > </span>is always SUCCESS. >
<span>> > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
</pre><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div>
<pre wrap=""><span>> > > > > > > > > > > </span>IMO, this is not only wrong, but I think it can be
<span>> > > > > > > > > > > </span>used as a potential > > attack vector. > > > > > > >
<span>> > > > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > > </span>
</pre>
</div></blockquote><pre wrap=""><span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
<span>> > > </span>
</pre><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite"><div>
<pre wrap=""><span>> > > > > > > > > </span>How?
</pre>
</div></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><pre wrap="">
</pre><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color:
#C0C0C0;"><blockquote type="cite"><div>
<pre wrap=""><span>> > > > > > > > > > > </span>-- qmx > > > > > > > > > > > > > > > > > > > > > > >
</pre>
</div></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote></div></blockquote></div></blockquote></div></blockquote></div>
</div></blockquote></div><div><div>_______________________________________________</div><div>security-dev mailing list</div><div><a href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a></div><div><a href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a></div></div></div></span>
</blockquote>
<div>
<br>
</div>
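The behaviour the thread settles on, with a second login() on an already authenticated Identity throwing and logout() required before logging in as someone else, as an added example that is neither PicketLink's code nor any poster's; the Credential and Identity classes, the in-memory store and the user names are constructed for illustration:

```java
import java.util.Map;

enum AuthenticationResult { SUCCESS, FAILED }

/** Username/password pair; stands in for the thread's credential.setCredential(x). */
final class Credential {
    private String username, password;
    void setCredential(String u, String p) { username = u; password = p; }
    String getUsername() { return username; }
    String getPassword() { return password; }
}

/** Identity whose login() refuses to run while a user is already established (the PLINK-84 fix). */
final class Identity {
    // Constructed in-memory store; a real deployment delegates to an authenticator/identity store.
    private static final Map<String, String> STORE = Map.of("x", "x-secret", "y", "y-secret");
    private final Credential credential;
    private String user;   // null until a login() succeeds: the "User instance" from the thread
    Identity(Credential credential) { this.credential = credential; }

    AuthenticationResult login() {
        if (user != null) {
            // Same contract as HttpServletRequest.login(): a caller identity already exists, so throw.
            // Before the fix this path returned SUCCESS without looking at the new credential.
            throw new IllegalStateException("already authenticated as " + user + "; call logout() first");
        }
        String expected = STORE.get(credential.getUsername());
        if (expected != null && expected.equals(credential.getPassword())) {
            user = credential.getUsername();
            return AuthenticationResult.SUCCESS;
        }
        return AuthenticationResult.FAILED;
    }
    void logout() { user = null; }
    String getUser() { return user; }
}

public class RepeatedLoginDemo {
    public static void main(String[] args) {
        Credential credential = new Credential();
        Identity identity = new Identity(credential);
        credential.setCredential("x", "x-secret");
        System.out.println("first login: " + identity.login() + " as " + identity.getUser());
        credential.setCredential("y", "wrong-password");
        try {
            identity.login();   // must not report SUCCESS while the session still belongs to 'x'
        } catch (IllegalStateException e) {
            System.out.println("second login rejected: " + e.getMessage());
        }
        identity.logout();      // Marek's sequence: logout, then login with the new credential
        credential.setCredential("y", "y-secret");
        System.out.println("after logout: " + identity.login() + " as " + identity.getUser());
    }
}
```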