[security-dev] PLINK-84 - Login can be bypassed with any user after a first successful login

Anil Saldhana Anil.Saldhana at redhat.com
Tue Jan 29 18:19:23 EST 2013


Shane,
   this is not a bug, rather a feature request.

Aerogear has the following sequence:

credential.setCredential(x);
identity.login();
credential.setCredential(y);
identity.login();

Aerogear wants PicketLink to reauthenticate during the second login() call. Currently it will not, because the first login() established a User instance and subsequent login() calls will just bypass the auth process.

Regards,
Anil

On 01/29/2013 04:03 PM, Shane Bryzak wrote:
> Is picketlink-core being used for authentication?  The default Identity
> implementation should already protect against this kind of thing:
>
>               if (isLoggedIn())
>               {
>                   if (isAuthenticationRequestWithDifferentUserId())
>                   {
>                       throw new UnexpectedCredentialException("active
> user: " + this.user.getId() +
>                               " provided credentials: " +
> this.loginCredential.getUserId());
>                   }
>
>                   beanManager.fireEvent(new AlreadyLoggedInEvent());
>                   return AuthenticationResult.SUCCESS;
>               }
>
> On 30/01/13 06:58, Anil Saldhana wrote:
>>    From what I understand from JIRA comments, the use case boils down to
>> use of additional credentials after a successful authentication.
>>
>> I am thinking maybe the authentication process should register the type
>> of credential last used and if subsequent login() calls happen on the
>> identity, then a change of credential (via the credential.setCredential)
>> should trigger an authentication process.
>>
>> Unless the credential type has changed, I am unsure why we need to
>> perform another authentication when the user has already authenticated
>> and the session is active.
>>
>> Thoughts/feedback?
>>
>> On 01/29/2013 08:28 AM, Bruno Oliveira wrote:
>>> Good morning everybody, I'm not sure if this jira was filed correctly https://issues.jboss.org/browse/PLINK-84
>>>
>>> Let me know.
>>>
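As an added illustration (not PicketLink's code and not written by anyone in this thread), the Java sketch below models the two behaviours under discussion: the guard Shane quotes, which refuses a second login() that names a different user id instead of silently returning success, and the re-authentication on credential change that the Aerogear use case asks for. The names isAuthenticationRequestWithDifferentUserId and UnexpectedCredentialException are taken from the quoted snippet; everything else (Credential, Authenticator, LoginResult, the reauthenticateOnCredentialChange flag, the constructed user/secret pair) is an assumption made for this example, not PicketLink's API.

```java
import java.util.Objects;

public class LoginGuardDemo {

    enum LoginResult { SUCCESS, FAILED, ALREADY_LOGGED_IN }

    /** A credential carrying the user id it claims and a secret (assumed shape, not PicketLink's). */
    static final class Credential {
        final String userId;
        final String secret;
        Credential(String userId, String secret) {
            this.userId = userId;
            this.secret = secret;
        }
        String getUserId() { return userId; }
    }

    static final class UnexpectedCredentialException extends RuntimeException {
        UnexpectedCredentialException(String message) { super(message); }
    }

    /** Stand-in for the real credential check; the demo supplies one constructed user/secret pair. */
    interface Authenticator {
        boolean authenticate(Credential credential);
    }

    static final class Identity {
        private final Authenticator authenticator;
        private final boolean reauthenticateOnCredentialChange; // assumed switch for the thread's proposal
        private String userId;                // non-null while logged in
        private Credential sessionCredential; // credential that established the current session
        private Credential loginCredential;   // credential supplied via setCredential()

        Identity(Authenticator authenticator, boolean reauthenticateOnCredentialChange) {
            this.authenticator = authenticator;
            this.reauthenticateOnCredentialChange = reauthenticateOnCredentialChange;
        }

        void setCredential(Credential credential) { this.loginCredential = credential; }
        boolean isLoggedIn() { return userId != null; }
        String getUserId() { return userId; }

        boolean isAuthenticationRequestWithDifferentUserId() {
            return isLoggedIn() && !Objects.equals(userId, loginCredential.getUserId());
        }

        LoginResult login() {
            if (loginCredential == null) {
                return LoginResult.FAILED;
            }
            if (isLoggedIn()) {
                // Guard from the quoted Identity: a second login() naming another user is an
                // error, never a silent success for the new user.
                if (isAuthenticationRequestWithDifferentUserId()) {
                    throw new UnexpectedCredentialException("active user: " + userId
                            + " provided credentials: " + loginCredential.getUserId());
                }
                // Proposal from the thread: a changed credential for the same user re-runs
                // authentication instead of being bypassed.
                if (reauthenticateOnCredentialChange && loginCredential != sessionCredential) {
                    return authenticate();
                }
                return LoginResult.ALREADY_LOGGED_IN;
            }
            return authenticate();
        }

        private LoginResult authenticate() {
            if (authenticator.authenticate(loginCredential)) {
                userId = loginCredential.getUserId();
                sessionCredential = loginCredential;
                return LoginResult.SUCCESS;
            }
            // Design choice for this example: a failed (re)authentication ends any existing
            // session rather than leaving it active with an unverified credential in hand.
            userId = null;
            sessionCredential = null;
            return LoginResult.FAILED;
        }
    }

    public static void main(String[] args) {
        // Constructed authenticator: only the pair alice / s3cret is valid.
        Authenticator auth = c -> "alice".equals(c.getUserId()) && "s3cret".equals(c.secret);

        Identity identity = new Identity(auth, true);
        identity.setCredential(new Credential("alice", "s3cret"));
        System.out.println("first login: " + identity.login());

        // Same user, different credential: with re-authentication on, the second credential
        // is actually checked rather than bypassed by the existing session.
        identity.setCredential(new Credential("alice", "wrong"));
        System.out.println("second login: " + identity.login() + ", loggedIn=" + identity.isLoggedIn());

        // Different user while a session is active: rejected by the quoted guard.
        identity.setCredential(new Credential("alice", "s3cret"));
        identity.login();
        identity.setCredential(new Credential("bob", "s3cret"));
        try {
            identity.login();
        } catch (UnexpectedCredentialException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With reauthenticateOnCredentialChange set to false the class reproduces the bypass described in the thread for same-user credentials (the second login() returns ALREADY_LOGGED_IN without touching the authenticator), while the different-user case is still refused either way; the flag only governs whether a replaced credential for the already active user is verified again.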

