[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3972) identity login security bug
by David Croe (JIRA)
identity login security bug
---------------------------
Key: JBSEAM-3972
URL: https://jira.jboss.org/jira/browse/JBSEAM-3972
Project: Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.1.1.GA
Environment: jboss 4.2.3.
Reporter: David Croe
Hello !
I think there is a major security bug in the seamspace example, which will give a user the permissions of the user which has been logged in before.
To reproduce the scenario:
1. login in as user demo.
2. click the back button or enter the login page manually in the url of your browser
3. login as another user.
the second user will have the admin permissions of the demo user!
Problem is that the authenticate method will not be invoked if you are allready logged in ( even as another user) and the old principal with the assigned permissions will stay in memory.
Greetings
D.Croe
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
13 years, 10 months
[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3941) IdentityMaanger: extend permission checks to allow user to modify his own password
by Raimund Hölle (JIRA)
IdentityMaanger: extend permission checks to allow user to modify his own password
----------------------------------------------------------------------------------
Key: JBSEAM-3941
URL: https://jira.jboss.org/jira/browse/JBSEAM-3941
Project: Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 2.1.1.GA, 2.1.1.CR2, 2.1.1.CR1, 2.1.0.SP1
Reporter: Raimund Hölle
Priority: Minor
Because IdentityManager.changePassword() requires the permission ("seam.user", "update"), it is not possible to use that method to change the password of the authenticated user itself without granting that permission to him.
But granting that means, the user is able to modify _any_ user.
I'm suggest to add a new permission target (or maybe a new action) and extend the changePassword() method:
public static final String OWNPASSWORD_PERMISSION_NAME = "seam.user.ownpassword";
public boolean changePassword(String name, String password) {
Identity identity = Identity.instance();
try {
identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
} catch (AuthorizationException e) {
if ( identity.isLoggedIn() && identity.getCredentials().getUsername().equals(name) ) {
Identity.instance().checkPermission(OWNPASSWORD_PERMISSION_NAME, PERMISSION_UPDATE);
} else {
throw e;
}
}
return identityStore.changePassword(name, password);
}
Or maybe a specialized method?
Many regards,
Raimund
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
13 years, 10 months
[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4452) Enable LdapIdentityStore to access LDAP via SSL
by Marco Brizi (JIRA)
Enable LdapIdentityStore to access LDAP via SSL
-----------------------------------------------
Key: JBSEAM-4452
URL: https://jira.jboss.org/jira/browse/JBSEAM-4452
Project: Seam
Issue Type: Feature Request
Affects Versions: 2.2.0.GA
Environment: Ubuntu 9.04, JBoss AS 5.1.0 GA
Reporter: Marco Brizi
The current LdapIdentityStore offers a good support for integrate an LDAP repository. Unfortunately, at the moment, there is no configuration to access it via SSL.
The minimum support could be done by adding a new boolean attribute (for ex. ssl-enabled) in the ldap-identity-store element to offer the possibility to choose or not a secure communication.
I've tried to implement this extension changing security-2.2.xsd and the LdapIdentityStore class.
In the second file my work has been on new attribute getter/setter and on initialiseContext(String principal, String credentials) method just adding the following lines :
String ldapProtocol = "ldap";
if (isSslEnabled()) {
ldapProtocol = "ldaps";
env.setProperty(Context.SECURITY_PROTOCOL, "ssl");
}
String providerUrl = String.format("%s://%s:%d", ldapProtocol, getServerAddress(), getServerPort());
In addition get the server certificate and set the -D/usr/lib/jvm/java-6-sun=/path/to/keystore as JAVA_OPTS is needed.
At the moment I'm able to initiate the communication with secure LDAP server but the Identity.authenticate causes a "javax.security.auth.login.LoginException: Login Failure: all modules ignored"
The complete stacktrace is attached to the issue.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
13 years, 10 months