[
https://jira.jboss.org/jira/browse/SECURITY-255?page=com.atlassian.jira.p...
]
Anil Saldhana updated SECURITY-255:
-----------------------------------
    Component/s: Negotiation  (was: JBossSX)
    Fix Version/s: Negotiation_2.0.4.GA  (was: JBossSecurity_2.0.4)
    Assignee: Darran Lofthouse  (was: Anil Saldhana)

IdentityLoginModule Incomplete password-stacking useFirstPass implementation
----------------------------------------------------------------------------
Key: SECURITY-255
URL: https://jira.jboss.org/jira/browse/SECURITY-255
Project: JBoss Security and Identity Management
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Negotiation
Affects Versions: 2.0.2.CR6
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: Negotiation_2.0.4.GA

The IdentityLoginModule has got an incomplete useFirstPass implementation.

The login() method does start with: -

    if( super.login() == true )
        return true;

To skip login if useFirstPass is set and authentication has already occurred.

However, at the end of login() setting the principal in the shared state map should only happen if useFirstPass was set.

Also, for this to work a credential also needs to be stored in the sharedStateMap, otherwise other modules will assume authentication has not occurred.
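
The behaviour the report asks for, sketched as an added example that is not part of the original issue or the JBoss source: a plain JAAS LoginModule that skips when an earlier module has already authenticated, and publishes both a name and a credential to the shared state only when password-stacking=useFirstPass is configured. The class name, the `principal` option and the empty `char[]` placeholder credential are assumptions.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;

// Hypothetical module for illustration; not the JBoss IdentityLoginModule source.
public class StackingIdentityLoginModule implements LoginModule {
    static final String NAME_KEY = "javax.security.auth.login.name";
    static final String PASSWORD_KEY = "javax.security.auth.login.password";
    private Subject subject;
    private Map<String, Object> sharedState;
    private boolean useFirstPass, loginOk;
    private Principal identity;

    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = (Map<String, Object>) sharedState;
        this.useFirstPass = "useFirstPass".equals(options.get("password-stacking"));
        Object name = options.get("principal"); // option name is an assumption
        String n = name != null ? name.toString() : "guest";
        this.identity = () -> n; // Principal has one abstract method, getName()
    }

    public boolean login() {
        // Skip only if an earlier module left BOTH entries in the shared state.
        if (useFirstPass && sharedState.get(NAME_KEY) != null
                && sharedState.get(PASSWORD_KEY) != null) {
            return loginOk = true;
        }
        // Publish only when stacking was requested, and publish both entries:
        // a name without a credential reads as "not yet authenticated" downstream.
        if (useFirstPass) {
            sharedState.put(NAME_KEY, identity);
            sharedState.put(PASSWORD_KEY, new char[0]); // placeholder credential (assumption)
        }
        return loginOk = true;
    }

    public boolean commit() {
        if (loginOk) subject.getPrincipals().add(identity);
        return loginOk;
    }
    public boolean abort() { loginOk = false; return true; }
    public boolean logout() { subject.getPrincipals().remove(identity); return true; }
}
```

Once both entries are present, later modules that honour useFirstPass skip their own checks, so where such a module sits in the login stack is a deliberate decision.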