Re: Differentiating unknown user and known user with wrong password ?

2016-10-24 Thread Francesco Chicchiriccò

On 24/10/2016 16:52, Mani, Vellingiri (Nokia - IN) wrote:


Hi Francesco,

I understand. For suspended user, the response is 401. Is it for the 
same reason ?




Not quite: this is because of the authentication.statuses configuration 
parameter


https://syncope.apache.org/docs/reference-guide.html#configuration-parameters

which does not contain 'suspended' by default; when you add it to the 
list of supported statuses for authentication, suspended users will be 
able to authenticate themselves.


HTH
Regards.


*From:*Francesco Chicchiriccò [mailto:ilgro...@apache.org]

*Sent:* Monday, October 24, 2016 12:44 PM
*To:* user@syncope.apache.org
*Subject:* Re: Differentiating unknown user and known user with wrong 
password ?


On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:

Hi,

Same response code(401) from Syncope during self-authentication
[1] for both unknown user and known user with wrong password.

[1] http://10.10.10.10:8080/syncope/rest/users/self


How can we distinguish between the unknown user and the known user
with wrong password ?


This is on purpose: if there were different HTTP statuses, an attacker 
could exploit it to enumerate the existing users.


Having said that, and even if I would not advise it, there is the 
chance to override such behaviour - in Syncope there is always a means 
to override ;-) - by tweaking the Spring Security configuration: see 
some recent e-mails about this topic for more details.


Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
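The following Python sketch is an added example, not code from Syncope or from anyone on this thread. It models the two points made in the message above: a "leaky" self-authentication endpoint that answers with a different HTTP status for an unknown user, a wrong password and a suspended account, beside a hardened one that returns the identical 401 in every failure case; and an allow-list of account statuses standing in for the authentication.statuses parameter, where adding 'suspended' lets suspended users authenticate. The user records, passwords, the PBKDF2 iteration count and the allow-list default of only 'active' are constructed assumptions for the example.

```python
"""Added example (not Syncope's own code): a uniform-401 authentication
endpoint beside a leaky one, plus a status allow-list modelled on the
authentication.statuses parameter. All users, passwords and the default
allow-list are constructed for the example."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Deliberately low so the example runs quickly; use far more in production.
PBKDF2_ITERATIONS = 20_000


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


@dataclass(frozen=True)
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    status: str  # e.g. "active" or "suspended"


def make_user(username: str, password: str, status: str = "active") -> User:
    salt = os.urandom(16)
    return User(username, salt, pbkdf2(password, salt), status)


# Constructed directory: one active and one suspended account.
USERS = {u.username: u for u in (
    make_user("alice", "correct horse", "active"),
    make_user("bob", "battery staple", "suspended"),
)}

# Dummy credential so an unknown username costs the same PBKDF2 work as a
# known one; otherwise response time would still reveal which names exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = pbkdf2("dummy-password", _DUMMY_SALT)

# Stands in for authentication.statuses; this default is an assumption.
DEFAULT_AUTH_STATUSES = frozenset({"active"})


def leaky_authenticate(username: str, password: str) -> tuple:
    """Anti-pattern: each failure cause gets its own HTTP status, so an
    attacker can tell unknown names (404) from real ones (401 / 403)."""
    user = USERS.get(username)
    if user is None:
        return 404, "no such user"
    if user.status != "active":
        return 403, "account suspended"
    if not hmac.compare_digest(pbkdf2(password, user.salt), user.pw_hash):
        return 401, "wrong password"
    return 200, "ok"


def authenticate(username: str, password: str,
                 allowed_statuses: frozenset = DEFAULT_AUTH_STATUSES) -> tuple:
    """Hardened: unknown user, wrong password and a status outside the
    allow-list all yield the identical 401, and the password hash is
    computed whether or not the user exists."""
    user = USERS.get(username)
    salt, expected = (user.salt, user.pw_hash) if user else (_DUMMY_SALT, _DUMMY_HASH)
    password_ok = hmac.compare_digest(pbkdf2(password, salt), expected)
    status_ok = user is not None and user.status in allowed_statuses
    if not (password_ok and status_ok):
        return 401, "Unauthorized"
    return 200, "ok"


def enumerate_users(auth, candidates, bogus_password: str = "not-the-password"):
    """Attacker's view: a candidate 'exists' if its failure response differs
    from the response for a name that certainly does not exist."""
    baseline = auth("\x00no-such-user\x00", bogus_password)
    return {name for name in candidates if auth(name, bogus_password) != baseline}


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("leaky endpoint reveals:", enumerate_users(leaky_authenticate, names))
    print("uniform endpoint reveals:", enumerate_users(authenticate, names))
    print("bob once 'suspended' is allowed:",
          authenticate("bob", "battery staple", frozenset({"active", "suspended"})))
```

Against the leaky endpoint the probe recovers both real usernames from a single bogus password each; against the uniform endpoint it recovers none. Note that identical status codes are only half of the fix: if the server skipped the hash computation for unknown names, response time would still separate them, which is why the hardened variant always runs PBKDF2 against a dummy record.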




RE: Differentiating unknown user and known user with wrong password ?

2016-10-24 Thread Mani, Vellingiri (Nokia - IN)
Hi Francesco,

I understand. For suspended user, the response is 401. Is it for the same 
reason ?

Regards,
Vellingiri

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, October 24, 2016 12:44 PM
To: user@syncope.apache.org
Subject: Re: Differentiating unknown user and known user with wrong password ?

On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:
Hi,

Same response code(401) from Syncope during self-authentication [1] for both 
unknown user and known user with wrong password.
[1] http://10.10.10.10:8080/syncope/rest/users/self

How can we distinguish between the unknown user and the known user with wrong 
password ?

This is on purpose: if there were different HTTP statuses, an attacker could 
exploit it to enumerate the existing users.

Having said that, and even if I would not advise it, there is the chance to 
override such behaviour - in Syncope there is always a means to override ;-) - 
by tweaking the Spring Security configuration: see some recent e-mails about 
this topic for more details.

Regards.


--

Francesco Chicchiriccò



Tirasa - Open Source Excellence

http://www.tirasa.net/



Member at The Apache Software Foundation

Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail

http://home.apache.org/~ilgrosso/


[ANN] Apache Syncope 2.0.1 released

2016-10-24 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 2.0.1.

Apache Syncope is an Open Source system for managing digital identities
in enterprise environments, implemented in Java EE technology.

The release will be available within 24h from:
http://syncope.apache.org/downloads.html

The full change log is available here:
https://s.apache.org/syncope201

We welcome your help and feedback. For more information on how to report
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



Re: Differentiating unknown user and known user with wrong password ?

2016-10-24 Thread Francesco Chicchiriccò

On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:


Hi,

Same response code(401) from Syncope during self-authentication [1] 
for both unknown user and known user with wrong password.


[1] http://10.10.10.10:8080/syncope/rest/users/self 



How can we distinguish between the unknown user and the known user 
with wrong password ?




This is on purpose: if there were different HTTP statuses, an attacker 
could exploit it to enumerate the existing users.


Having said that, and even if I would not advise it, there is the chance 
to override such behaviour - in Syncope there is always a means to 
override ;-) - by tweaking the Spring Security configuration: see some 
recent e-mails about this topic for more details.


Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/