On 25/10/2016 09:18, Mani, Vellingiri (Nokia - IN) wrote:

Hi Francesco,

I added *suspended* to authentication.statuses parameter but still the response is “*401 Unauthorized*”.


Sorry, my bad: I did not check the actual code, e.g.

https://github.com/apache/syncope/blob/syncope-2.0.1/core/spring/src/main/java/org/apache/syncope/core/spring/security/AuthDataAccessor.java#L138-L145

which first forbids accessing when suspended then checks for authentication.statuses.

I have also added a warning about this to the SNAPSHOT docs:

https://ci.apache.org/projects/syncope/reference-guide.html#configuration-parameters

Hope this clarifies.
Regards.

*From:* Francesco Chicchiriccò [mailto:[email protected]]
*Sent:* Monday, October 24, 2016 8:30 PM
*To:* [email protected]
*Subject:* Re: Differentiating unknown user and known user with wrong password ?

On 24/10/2016 16:52, Mani, Vellingiri (Nokia - IN) wrote:

    Hi Francesco,

    I understand. For suspended user, the response is 401. Is it for
    the same reason ?


Not quite: this is because of the authentication.statuses configuration parameter

https://syncope.apache.org/docs/reference-guide.html#configuration-parameters

which does not contain 'suspended' by default; when you add it to the list of supported statuses for authentication, suspended users will be able to authenticate themselves.

HTH
Regards.


    *From:* Francesco Chicchiriccò [mailto:[email protected]]

    *Sent:* Monday, October 24, 2016 12:44 PM
    *To:* [email protected]
    *Subject:* Re: Differentiating unknown user and known user with
    wrong password ?

    On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:

        Hi,

        Same response code(401) from Syncope during
        self-authentication [1] for both unknown user and known user
        with wrong password.

        [1] http://10.10.10.10:8080/syncope/rest/users/self

        How can we distinguish between the unknown user and the known
        user with wrong password ?


    This is on purpose: if there were different HTTP statuses, an
    attacker could exploit it to enumerate the existing users.

    Having said that, and even if I would not advise it, there is the
    chance to override such behaviour - in Syncope there is always a
    means to override ;-) - by tweaking the Spring Security
    configuration: see some recent e-mail about this topic for more
    details.

    Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
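The two behaviours discussed in this thread (one uniform 401 for both an unknown user and a known user with a wrong password, and the suspension check running before the authentication.statuses list is consulted) can be sketched in a small stand-alone authenticator. This is an added illustration, not Apache Syncope code and not the AuthDataAccessor logic linked above: the user directory, the status names, the AUTH_STATUSES set standing in for authentication.statuses, and the function names are all constructed for the example.

```python
"""Enumeration-resistant authentication check (constructed example).

Design points taken from the thread:
  1. An unknown username and a known username with a wrong password
     produce the identical client-visible response (401), so the status
     code cannot be used to enumerate accounts. The real reason is kept
     server-side for logging.
  2. A suspended user is rejected before the configured list of
     authentication statuses is looked at, so merely adding 'suspended'
     to that list does not let suspended users in.
"""
import hashlib
import hmac
from dataclasses import dataclass


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash (parameters chosen for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample directory: username -> (salt, password hash, status).
_SALT_ALICE = b"constructed-salt-1"
_SALT_BOB = b"constructed-salt-2"
USERS = {
    "alice": (_SALT_ALICE, _hash("correct horse", _SALT_ALICE), "active"),
    "bob": (_SALT_BOB, _hash("battery staple", _SALT_BOB), "suspended"),
}

# Hypothetical stand-in for the authentication.statuses parameter.
AUTH_STATUSES = {"active"}

# Dummy credential so the hash computation always runs, even when the
# username does not exist; this keeps the two 401 cases similar in timing.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


@dataclass(frozen=True)
class AuthResult:
    status: int   # HTTP status returned to the client
    detail: str   # internal reason, for server-side logs only


def authenticate(username: str, password: str, auth_statuses=None) -> AuthResult:
    """Check credentials and status; every failure maps to 401."""
    statuses = AUTH_STATUSES if auth_statuses is None else auth_statuses
    salt, expected, user_status = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH, None))
    # Always hash and compare in constant time, even for unknown users.
    password_ok = hmac.compare_digest(_hash(password, salt), expected)
    if user_status is None:
        return AuthResult(401, "unknown user")
    if not password_ok:
        return AuthResult(401, "bad password")
    # Suspension is enforced before the statuses list, as in the thread.
    if user_status == "suspended":
        return AuthResult(401, "user suspended")
    if user_status not in statuses:
        return AuthResult(401, f"status {user_status!r} not enabled for authentication")
    return AuthResult(200, "ok")


def client_view(result: AuthResult) -> tuple:
    """What the HTTP client actually sees: status plus a generic body."""
    body = "OK" if result.status == 200 else "Unauthorized"
    return (result.status, body)


if __name__ == "__main__":
    for user, pwd in [("alice", "correct horse"), ("alice", "wrong"),
                      ("nobody", "wrong"), ("bob", "battery staple")]:
        r = authenticate(user, pwd)
        print(f"{user:8} client={client_view(r)} server-log={r.detail!r}")
```

The client-visible tuple is identical for the "unknown user" and "bad password" cases, which is the enumeration-resistance property the thread describes; the distinguishing reason only appears in the server-side detail field, where it can feed detection (for instance, counting failed logins per source) without leaking to the caller.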
