Is picketlink-core being used for authentication? The default Identity
implementation should already protect against this kind of thing:
    if (isLoggedIn())
    {
        if (isAuthenticationRequestWithDifferentUserId())
        {
            throw new UnexpectedCredentialException("active user: " + this.user.getId() +
                    " provided credentials: " + this.loginCredential.getUserId());
        }
        beanManager.fireEvent(new AlreadyLoggedInEvent());
        return AuthenticationResult.SUCCESS;
    }
On 30/01/13 06:58, Anil Saldhana wrote:
From what I understand from JIRA comments, the use case boils down to
use of additional credentials after a successful authentication.
I am thinking maybe the authentication process should register the type
of credential last used and if subsequent login() calls happen on the
identity, then a change of credential (via the credential.setCredential)
should trigger an authentication process.
Unless the credential type has changed, I am unsure why we need to
perform another authentication when the user has already authenticated
and the session is active.
Thoughts/feedback?
On 01/29/2013 08:28 AM, Bruno Oliveira wrote:
> Good morning everybody, I'm not sure if this jira was filed correctly
> https://issues.jboss.org/browse/PLINK-84
>
> Let me know.
>
>
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev