Farah Juma created ELY-553:
------------------------------
Summary: Make use of realm events to handle OTP timeout updates
Key: ELY-553
URL: https://issues.jboss.org/browse/ELY-553
Project: WildFly Elytron
Issue Type: Feature Request
Components: SASL
Reporter: Farah Juma
Assignee: Farah Juma
For the OTP SASL mechanism, we need to protect against race attacks, as described in [RFC 2289|https://tools.ietf.org/html/rfc2289#section-9.0]. The approach {{OTPSaslServer}} [currently takes|https://github.com/wildfly-security/wildfly-elytron/blob/master/src...] to defend against such attacks is the one suggested in RFC 2289, i.e., we prevent multiple simultaneous authentication sessions for a user. This means that once a legitimate user has started the authentication process, an attacker would be blocked until that first authentication process finishes. With this approach, a timeout is needed so that an authentication session that is never completed cannot block the user indefinitely, which would otherwise be a denial of service attack. We could store the timeout info for a user via a {{RealmIdentity}} attribute as in [PR #277|https://github.com/wildfly-security/wildfly-elytron/pull/277]. We could then add support for a new event that indicates a timeout attribute change for a realm identity and then handle a {{TimeoutUpdateCallback}} by handling this new event.
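The per-user lock with a timeout described above, as an added example written for this issue rather than Elytron's own {{OTPSaslServer}} code: {{OtpSessionGuard}}, {{TimeoutUpdateEvent}} and the listener hook are hypothetical names standing in for the realm event and attribute update the issue proposes. The example shows a second concurrent session for the same user being refused while a first one is in progress, the lock being released when that session ends, and an abandoned session's lock expiring after the timeout so the user is not locked out permanently.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Consumer;
import java.util.function.Supplier;

/**
 * Per-user OTP session lock with a timeout, illustrating the RFC 2289 section 9
 * defence this issue describes. Example code for this issue, not Elytron's
 * OTPSaslServer; TimeoutUpdateEvent and the listener hook are hypothetical.
 */
public final class OtpSessionGuard {

    /** Hypothetical realm event: the lock timeout stored for a user changed (null = cleared). */
    public static final class TimeoutUpdateEvent {
        public final String user;
        public final Instant lockedUntil;

        TimeoutUpdateEvent(String user, Instant lockedUntil) {
            this.user = user;
            this.lockedUntil = lockedUntil;
        }

        @Override
        public String toString() {
            return user + " locked until " + lockedUntil;
        }
    }

    /** One in-progress session; compared by identity so two sessions created at the same instant stay distinct. */
    private static final class Session {
        final Instant expiresAt;

        Session(Instant expiresAt) {
            this.expiresAt = expiresAt;
        }
    }

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final Duration timeout;
    private final Supplier<Instant> clock;
    private final Consumer<TimeoutUpdateEvent> listener;

    public OtpSessionGuard(Duration timeout, Supplier<Instant> clock, Consumer<TimeoutUpdateEvent> listener) {
        this.timeout = timeout;
        this.clock = clock;
        this.listener = listener;
    }

    /** Returns true if the caller now owns the user's session; false if another, unexpired session is in progress. */
    public boolean tryBegin(String user) {
        Instant now = clock.get();
        Session fresh = new Session(now.plus(timeout));
        // compute() is atomic per key, so two racing callers cannot both win the lock.
        Session winner = sessions.compute(user, (u, current) ->
                current == null || !current.expiresAt.isAfter(now) ? fresh : current);
        if (winner != fresh) {
            return false;
        }
        // The new deadline is what would be stored as the RealmIdentity timeout attribute.
        listener.accept(new TimeoutUpdateEvent(user, fresh.expiresAt));
        return true;
    }

    /** Releases the session once authentication succeeds or fails, so the user is not blocked for the full timeout. */
    public void end(String user) {
        if (sessions.remove(user) != null) {
            listener.accept(new TimeoutUpdateEvent(user, null));
        }
    }

    public static void main(String[] args) {
        // Constructed, controllable clock so the timeout can be demonstrated without sleeping.
        Instant[] now = { Instant.parse("2017-01-01T00:00:00Z") };
        OtpSessionGuard guard = new OtpSessionGuard(Duration.ofSeconds(60), () -> now[0],
                e -> System.out.println("realm event: " + e));

        System.out.println(guard.tryBegin("alice")); // legitimate user starts authenticating
        System.out.println(guard.tryBegin("alice")); // a second concurrent session is refused
        guard.end("alice");                            // session finished, lock released
        System.out.println(guard.tryBegin("alice")); // the user can authenticate again

        now[0] = now[0].plusSeconds(61);               // that session is abandoned; timeout elapses
        System.out.println(guard.tryBegin("alice")); // expired lock is taken over, not a permanent lockout
    }
}
```

The in-memory map above only covers a single server instance; persisting the deadline as a {{RealmIdentity}} attribute, as the issue proposes, is what lets the realm itself raise the timeout-change event and keep the lock state consistent wherever the identity is loaded.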
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)