Thread Status: Active Total posts in this thread: 4 |
Stranger Joined: Jul 20, 2004 Post Count: 3 Status: Offline |
1. The problem is that method MyUtil.ensureCorrectCurrentPassword(...) is called from many places in web handlers. There is no check for the authentication type or that authentication is configured passwordless. With remote/realm passwordless authentication, current password verification MUST be done by calling the verify method in Authenticator (or bypassed), but not against the password stored in the forum table! Following the suggested implementation of a remote authenticator, I create a copy of the user with a forum profile, but I can't copy the user password there because the site/realm password can be changed later in the realm and I wouldn't have a chance to update it in the forum table synchronously.

2. With realm and remote authentication, login and logout operate wrongly... These forum actions MUST be disabled in these cases. Let's say I log in with the realm as "Dummy", then log out in FORUM and log in to the forum as another user "vano"... Well, now in the realm I'm still logged in as "dummy" but in the forum I'm "vano"... really cool confusing

My suggestion is to completely separate authentication (name/password) from the member profile, and use Authenticator (default or custom implementation) for any password validations and logins...
----------------------------------------
[Edit 1 times, last edit by vmax at Jul 21, 2004 7:27:04 AM]
mvnForum Developer Vietnam Joined: Oct 16, 2002 Post Count: 2956 Status: Offline |
Thanks, I noted to address these issues in the next RC4
----------------------------------------
Minh Nguyen
mvnForum Developer
Want a free, open source Java Jsp/Servlet forum, get mvnForum at http://www.mvnForum.com
http://www.DienDanLinux.org
mvnForum Developer Vietnam Joined: Oct 16, 2002 Post Count: 2956 Status: Offline |
> 1. The problem is that method MyUtil.ensureCorrectCurrentPassword(...) is called from many places in web handlers. There is no check for the authentication type or that authentication is configured passwordless. With remote/realm passwordless authentication, current password verification MUST be done by calling the verify method in Authenticator (or bypassed), but not against the password stored in the forum table!

I fixed it in the RC4_dev today, thanks for reporting this issue.

> 2. With realm and remote authentication, login and logout operate wrongly... These forum actions MUST be disabled in these cases. Let's say I log in with the realm as "Dummy", then log out in FORUM and log in to the forum as another user "vano"... Well, now in the realm I'm still logged in as "dummy" but in the forum I'm "vano"... really cool confusing

In RC4, you can disable login in the forum and mvnForum will only authenticate via Realm or Authenticator

ps: you can implement detailed authentication of mvnForum by implementing the interface OnlineUserFactory
----------------------------------------
Minh Nguyen
mvnForum Developer
Want a free, open source Java Jsp/Servlet forum, get mvnForum at http://www.mvnForum.com
http://www.DienDanLinux.org
mvnForum Developer Vietnam Joined: Oct 16, 2002 Post Count: 2956 Status: Offline |
> 1. The problem is that method MyUtil.ensureCorrectCurrentPassword(...) is called from many places in web handlers. There is no check for the authentication type or that authentication is configured passwordless. With remote/realm passwordless authentication, current password verification MUST be done by calling the verify method in Authenticator (or bypassed), but not against the password stored in the forum table!

For your information, this suggestion has been supported in mvnForum since version 1.0.2 GA
----------------------------------------
Minh Nguyen
mvnForum Developer
Want a free, open source Java Jsp/Servlet forum, get mvnForum at http://www.mvnForum.com
http://www.DienDanLinux.org
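The routing asked for in the first post, as an added Java example that is not mvnForum's code: a single current-password check that defers to the external verifier when realm/remote authentication is configured and reads the forum table only otherwise. `ExternalVerifier`, `AuthMode` and `CurrentPasswordCheck` are hypothetical names, and the sample user and passwords are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

// Added illustration with hypothetical names; none of this is mvnForum's API.
public class CurrentPasswordCheck {

    /** Stand-in for the realm/remote side that owns the real credential. */
    interface ExternalVerifier {
        boolean verify(String loginName, String password);
    }

    enum AuthMode { FORUM_TABLE, EXTERNAL }

    private final AuthMode mode;
    private final ExternalVerifier verifier;      // consulted only in EXTERNAL mode
    private final Map<String, byte[]> forumTable; // login name -> stored digest

    CurrentPasswordCheck(AuthMode mode, ExternalVerifier verifier, Map<String, byte[]> forumTable) {
        this.mode = mode;
        this.verifier = verifier;
        this.forumTable = forumTable;
    }

    /** The one place every handler asks "is this the current password?". */
    boolean isCurrentPasswordCorrect(String loginName, String password) throws Exception {
        if (mode == AuthMode.EXTERNAL) {
            // The forum row may hold a stale copy or nothing; fail closed without a verifier.
            return verifier != null && verifier.verify(loginName, password);
        }
        byte[] stored = forumTable.get(loginName);
        return stored != null && MessageDigest.isEqual(stored, digest(password));
    }

    static byte[] digest(String password) throws Exception {
        // SHA-256 keeps the sample short; a real store needs a salted, slow password hash.
        return MessageDigest.getInstance("SHA-256").digest(password.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed data: the realm password was changed after the forum profile was copied.
        Map<String, byte[]> forumTable = Map.of("vano", digest("old-forum-copy"));
        ExternalVerifier realm = (user, pw) -> user.equals("vano") && pw.equals("new-realm-pw");
        CurrentPasswordCheck external = new CurrentPasswordCheck(AuthMode.EXTERNAL, realm, forumTable);
        System.out.println(external.isCurrentPasswordCorrect("vano", "new-realm-pw"));   // realm decides
        System.out.println(external.isCurrentPasswordCorrect("vano", "old-forum-copy")); // stale copy ignored
        CurrentPasswordCheck local = new CurrentPasswordCheck(AuthMode.FORUM_TABLE, null, forumTable);
        System.out.println(local.isCurrentPasswordCorrect("vano", "old-forum-copy"));    // table decides
    }
}
```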
Current timezone is GMT Jan 7, 2009 4:51:47 PM |
