Re: [security-dev] PLINK-84 - Login can be bypassed with any user after a first successful login
The Identity component also fires a AlreadyLoggedInEvent when you call identity.login()
for an already authenticated user. No re-authentication is performed.
Regarding the name, I don't see a problem. But, if you're looking for something
like a runAs behavior, we should definetly provide that.
Regards.
Pedro Igor
----- Original Message -----
From: "Douglas Campos" <qmx(a)qmx.me>
To: "Anil Saldhana" <Anil.Saldhana(a)redhat.com>
Cc: security-dev(a)lists.jboss.org
Sent: Wednesday, January 30, 2013 12:08:19 AM
Subject: Re: [security-dev] PLINK-84 - Login can be bypassed with any user after a first
successful login
On Tue, Jan 29, 2013 at 05:19:23PM -0600, Anil Saldhana wrote:
Shane,
this is not a bug rather a feature request.
it's a bug
Aerogear has the following sequence:
credential.setCredential(x);
identity.login();
credential.setCredential(y);
identity.login();
Aerogear wants PicketLink to reauthenticate during the second login()
call. Currently
it will not because the first login() established a User instance and
subsequent login()
calls will just bypass the auth process.
If my API doesn't do the login process
on the login() call, am I not
failing with the "least surprise principle"? If it doesn't do all the
login procedure when called, better rename it then: mayLogin(),
loginWithCaching() or anything like this.
IMO, this is not only wrong, but I think it can be used as a potential
attack vector.
-- qmx
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev