[security-dev] Reseting passwords
Pedro Igor Silva
psilva at redhat.com
Tue Aug 6 06:38:33 EDT 2013
+1
----- Original Message -----
From: "Bill Burke" <bburke at redhat.com>
To: security-dev at lists.jboss.org
Sent: Monday, August 5, 2013 6:45:18 PM
Subject: Re: [security-dev] Reseting passwords
IMO, the IDM API is a low-level API. What you're suggesting should be
handled by the subsystem invoking the IDM API.
BTW, beta6 has drastically changed the API, so you might want to update :)
On 8/5/2013 5:09 PM, Bruno Oliveira wrote:
> Good morning, on AeroGear we have the following scenario with PicketLink
> beta5:
>
> - Default user "admin" which must change her password at first
> deployment, otherwise she will not be able to login
>
> During the startup we have the following piece of code:
>
> @Singleton
> @Startup
> public class PicketLinkDefaultUsers {
>
> @Inject
> private IdentityManager identityManager;
>
> @PostConstruct
> public void create() {
>
> User adminUser = identityManager.getUser("admin");
>
> Developer admin = new Developer();
> admin.setLoginName("admin");
>
> this.identityManager.add(admin);
> this.identityManager.updateCredential(admin, new
> Password("123"), new Date(), expirationDate());
>
> Role roleDeveloper = new SimpleRole("admin");
> this.identityManager.add(roleDeveloper);
> identityManager.grantRole(admin, roleDeveloper);
>
> }
>
> //Expiration date of the password
> private Date expirationDate() {
> Calendar expirationDate = Calendar.getInstance();
> expirationDate.add(Calendar.HOUR, -1);
> return expirationDate.getTime();
> }
> }
>
> On login:
>
> public boolean login(User user, String password) {
>
> credentials.setUserId(user.getLoginName());
> credentials.setCredential(new Password(password));
>
> if (identity.login() != Identity.AuthenticationResult.SUCCESS) {
> return false;
> }
>
> return true;
> }
>
> Now to reset the password:
>
> this.identityManager.updateCredential(admin, new Password(newPassword));
>
> And here comes my question. At least to me it looks like is possible to
> change admin's password by just guessing the username, my concern is
> about an attacker being able to escalate privileges (I can be wrong). On
> PicketLink do we have something internally like password matching? Or
> maybe some mechanism to force user to change their password upon first
> login? For example (just a very stupid example):
>
> this.identityManager.updateCredential(admin, oldPassword, newPassword);
>
> The correct solution (I guess) would be to check if that user has
> already logged in and force admin to supply the new password, but the
> method isLoggedIn will return false for credentials with status EXPIRED.
>
> An alternative with the current scenario (maybe is just the lack of
> knowledge in API usability) would be to validate and check credential
> status.
>
> Credentials credential = new UsernamePasswordCredentials("username", new
> Password(password));
> identityManager.validateCredentials(credential);
>
> But I think that might exist something on PicketLink to verify if the
> session exists, before reset user's password.
>
> Any ideas?
>
> -- abstractj
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
More information about the security-dev
mailing list