[security-dev] Reseting passwords

Bill Burke bburke at redhat.com
Mon Aug 5 17:45:18 EDT 2013


IMO, the IDM API is a low-level API.  What you're suggesting should be 
handled by the subsystem invoking the IDM API.

BTW, beta6 has drastically changed the API, so you might want to update :)

On 8/5/2013 5:09 PM, Bruno Oliveira wrote:
> Good morning, on AeroGear we have the following scenario with PicketLink
> beta5:
>
> - Default user  "admin" which must change her password at first
> deployment, otherwise she will not be able to login
>
> During the startup we have the following piece of code:
>
> @Singleton
> @Startup
> public class PicketLinkDefaultUsers {
>
>      @Inject
>      private IdentityManager identityManager;
>
>      @PostConstruct
>      public void create() {
>
>          User adminUser = identityManager.getUser("admin");
>
>          Developer admin = new Developer();
>          admin.setLoginName("admin");
>
>          this.identityManager.add(admin);
>          this.identityManager.updateCredential(admin, new
> Password("123"), new Date(), expirationDate());
>
>          Role roleDeveloper = new SimpleRole("admin");
>          this.identityManager.add(roleDeveloper);
>          identityManager.grantRole(admin, roleDeveloper);
>
>      }
>
>      //Expiration date of the password
>      private Date expirationDate() {
>          Calendar expirationDate = Calendar.getInstance();
>          expirationDate.add(Calendar.HOUR, -1);
>          return expirationDate.getTime();
>      }
> }
>
> On login:
>
> public boolean login(User user, String password) {
>
>          credentials.setUserId(user.getLoginName());
>          credentials.setCredential(new Password(password));
>
>          if (identity.login() != Identity.AuthenticationResult.SUCCESS) {
>              return false;
>          }
>
>          return true;
>   }
>
> Now to reset the password:
>
> this.identityManager.updateCredential(admin, new Password(newPassword));
>
> And here comes my question. At least to me it looks like is possible to
> change admin's password by just guessing the username, my concern is
> about an attacker being able to escalate privileges (I can be wrong). On
> PicketLink do we have something internally like password matching? Or
> maybe some mechanism to force user to change their password upon first
> login? For example (just a very stupid example):
>
> this.identityManager.updateCredential(admin, oldPassword, newPassword);
>
> The correct solution (I guess) would be to check if that user has
> already logged in and force admin to supply the new password, but the
> method isLoggedIn will return false for credentials with status EXPIRED.
>
> An alternative with the current scenario (maybe is just the lack of
> knowledge in API usability) would be to validate and check credential
> status.
>
> Credentials credential = new UsernamePasswordCredentials("username", new
> Password(password));
> identityManager.validateCredentials(credential);
>
> But I think that might exist something on PicketLink to verify if the
> session exists, before reset user's password.
>
> Any ideas?
>
> -- abstractj
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the security-dev mailing list