[security-dev] PLINK-84 - Login can be bypassed with any user after a first successful login

Bruno Oliveira bruno at abstractj.org
Tue Jan 29 20:50:49 EST 2013


We don't have such features or requirements; we just found this issue during our tests.

The verification for a user already logged in exists, but at least for me it is a strange behaviour when you set a new credential, invoke login again and the user is successfully authenticated.



-- 
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile



On Tuesday, January 29, 2013 at 9:19 PM, Anil Saldhana wrote:

> Shane,
> this is not a bug rather a feature request.
> 
> Aerogear has the following sequence:
> 
> credential.setCredential(x);
> identity.login();
> credential.setCredential(y);
> identity.login();
> 
> Aerogear wants PicketLink to reauthenticate during the second login()
> call. Currently it will not because the first login() established a User
> instance and subsequent login() calls will just bypass the auth process.
> 
> Regards,
> Anil
> 
> On 01/29/2013 04:03 PM, Shane Bryzak wrote:
> > Is picketlink-core being used for authentication? The default Identity
> > implementation should already protect against this kind of thing:
> > 
> > if (isLoggedIn())
> > {
> >     if (isAuthenticationRequestWithDifferentUserId())
> >     {
> >         throw new UnexpectedCredentialException("active user: " + this.user.getId() +
> >             " provided credentials: " + this.loginCredential.getUserId());
> >     }
> > 
> >     beanManager.fireEvent(new AlreadyLoggedInEvent());
> >     return AuthenticationResult.SUCCESS;
> > }
> > 
> > On 30/01/13 06:58, Anil Saldhana wrote:
> > > From what I understand from JIRA comments, the use case boils down to
> > > use of additional credentials after a successful authentication.
> > > 
> > > I am thinking maybe the authentication process should register the type
> > > of credential last used and if subsequent login() calls happen on the
> > > identity, then a change of credential (via the credential.setCredential)
> > > should trigger an authentication process.
> > > 
> > > Unless the credential type has changed, I am unsure why we need to
> > > perform another authentication when the user has already authenticated
> > > and the session is active.
> > > 
> > > Thoughts/feedback?
> > > 
> > > On 01/29/2013 08:28 AM, Bruno Oliveira wrote:
> > > > Good morning everybody, I'm not sure if this jira was filled correctly https://issues.jboss.org/browse/PLINK-84
> > > > 
> > > > Let me know.
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org (mailto:security-dev at lists.jboss.org)
> https://lists.jboss.org/mailman/listinfo/security-dev
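The sequence Anil describes (setCredential(x); login(); setCredential(y); login()) and the guard Shane quotes can be seen side by side in the following self-contained illustration. It is added here and is not PicketLink or AeroGear code; the class and method names (Identity, Credential, lastAuthenticated, the in-memory password map) are assumptions for the example. It keeps the quoted check that rejects a different user id while a session is active, and adds the behaviour Anil proposes: the credential used for the last successful login is remembered, an identical credential just returns "already logged in", and a changed credential triggers a fresh authentication instead of being skipped.

```java
import java.util.Map;
import java.util.Objects;

// Added illustration, not PicketLink code: a minimal Identity that remembers the
// credential of the last successful login and re-authenticates when login() is
// called again with a different credential.
public class IdentityDemo {

    /** User id plus password; stands in for a PicketLink login credential (assumed shape). */
    record Credential(String userId, String password) {}

    enum AuthenticationResult { SUCCESS, FAILED, ALREADY_LOGGED_IN }

    static class UnexpectedCredentialException extends RuntimeException {
        UnexpectedCredentialException(String message) { super(message); }
    }

    static class Identity {
        private final Map<String, String> passwords; // constructed user store for the demo
        private Credential loginCredential;          // what setCredential() last supplied
        private String user;                         // active user id, null when logged out
        private Credential lastAuthenticated;        // credential of the last successful login

        Identity(Map<String, String> passwords) { this.passwords = passwords; }

        void setCredential(Credential credential) { this.loginCredential = credential; }

        boolean isLoggedIn() { return user != null; }

        boolean isAuthenticationRequestWithDifferentUserId() {
            return isLoggedIn() && loginCredential != null
                && !user.equals(loginCredential.userId());
        }

        AuthenticationResult login() {
            if (loginCredential == null) {
                return AuthenticationResult.FAILED;
            }
            if (isLoggedIn()) {
                // Guard quoted in the thread: another user id during an active session is an error.
                if (isAuthenticationRequestWithDifferentUserId()) {
                    throw new UnexpectedCredentialException("active user: " + user
                        + " provided credentials: " + loginCredential.userId());
                }
                // Unchanged credential: keep the session, no second authentication needed.
                if (Objects.equals(loginCredential, lastAuthenticated)) {
                    return AuthenticationResult.ALREADY_LOGGED_IN;
                }
                // Changed credential for the same user: fall through and authenticate again.
            }
            return authenticate();
        }

        private AuthenticationResult authenticate() {
            String expected = passwords.get(loginCredential.userId());
            if (expected != null && expected.equals(loginCredential.password())) {
                user = loginCredential.userId();
                lastAuthenticated = loginCredential;
                return AuthenticationResult.SUCCESS;
            }
            // A failed re-authentication ends the session rather than leaving the old one in place.
            user = null;
            lastAuthenticated = null;
            return AuthenticationResult.FAILED;
        }
    }

    public static void main(String[] args) {
        // Constructed sample store: one user with a known password.
        Identity identity = new Identity(Map.of("alice", "correct-horse"));

        identity.setCredential(new Credential("alice", "correct-horse"));
        System.out.println("first login:        " + identity.login());

        identity.setCredential(new Credential("alice", "correct-horse"));
        System.out.println("same credential:    " + identity.login());

        identity.setCredential(new Credential("alice", "not-the-password"));
        System.out.println("changed credential: " + identity.login());
        System.out.println("still logged in:    " + identity.isLoggedIn());

        identity.setCredential(new Credential("alice", "correct-horse"));
        System.out.println("login again:        " + identity.login());

        identity.setCredential(new Credential("bob", "anything"));
        try {
            identity.login();
        } catch (UnexpectedCredentialException e) {
            System.out.println("different user id:  " + e.getMessage());
        }
    }
}
```

The design choice worth noting is what happens when the changed credential fails: this version drops the active session, so a caller cannot rely on a stale login surviving a bad second attempt. Whether a real implementation should instead keep the first session and only report the failure is exactly the kind of requirement Anil is asking AeroGear to state.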
