Bug #6721

closed

Feature #6711: refactoring of lavoisier security

support chaining authentication attempts

Added by Reynaud Sylvain about 10 years ago. Updated about 10 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
Service
Target version:
Start date:
04/18/2014
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)

Description

PRE-REQUISITE: we must be able to distinguish abort from failure for each authentication mode.

An authentication attempt is considered aborted if:
  • X509: usage of protocol HTTP instead of HTTPS
  • PASSWORD: user clicks on the button "cancel"
  • IP: the list of authenticated IPs does not contain the user's IP
  • CAS: to be defined...
An authentication attempt is considered failed if:
  • X509: CA is unknown
  • PASSWORD: unknown user or wrong password
  • IP: NEVER FAILS !!!
  • CAS: to be defined...
Authentication is considered failed:
  • either if ANY authentication attempt has failed
  • or if ALL the authentication attempts have been canceled

Subtasks 2 (0 open, 2 closed)

Feature #6927: BasicAuthenticator user CANCEL (Resolved, Schwarz Lionel, 04/18/2014)
Feature #6928: Cas Authentication "Abort" (Rejected, Schwarz Lionel, 04/18/2014)

#1

Updated by Reynaud Sylvain about 10 years ago

  • Description updated (diff)
#2

Updated by Reynaud Sylvain about 10 years ago

  • Description updated (diff)
#3

Updated by Schwarz Lionel about 10 years ago

  • Tracker changed from Task to Bug

Reynaud Sylvain wrote:

> PRE-REQUISITE: we must be able to distinguish abort from failure for each authentication mode.
>
> An authentication attempt is considered aborted if:
>   • X509: usage of protocol HTTP instead of HTTPS

If HTTP is used, then X509 will not be selected as an authenticator in the chain, except if the chain is empty and it's the last authenticator supported. In this case, the user will be offered a HTTPS->HTTP automatic redirection.

>   • PASSWORD: user clicks on the button "cancel"

Cancel does not send an HTTP request.

>   • IP: the list of authenticated IPs does not contain the user's IP

OK

>   • CAS: to be defined...

To be defined

> An authentication attempt is considered failed if:
>   • X509: CA is unknown

This is done at the SSL level, so in principle X509 will never fail.

>   • PASSWORD: unknown user or wrong password

OK

>   • IP: NEVER FAILS !!!

OK

>   • CAS: to be defined...

If the ticket is not valid, the CAS login module automatically redirects to the CAS server and thus triggers the generation of a new ticket that will be validated at the next request.

> Authentication is considered failed:
>   • either if ANY authentication attempt has failed
>   • or if ALL the authentication attempts have been canceled
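The abort/failure policy from the issue description, together with the chain-selection rule for X509 over plain HTTP from comment #3, modelled as a small Python chain. This is an added example written for this page; it is not Lavoisier code and not code from either commenter. The names (`Request`, `Outcome`, `select_chain`, `authenticate`), the sample CA, user and IP allow-list, and the choice to treat "no client certificate presented over HTTPS" as an abort are assumptions. CAS is left out because the page leaves its abort and failure cases undefined.

```python
"""Chained authentication with abort vs. failure semantics (added example)."""
from dataclasses import dataclass
from enum import Enum
from secrets import compare_digest
from typing import Callable, List, Optional, Tuple


class Outcome(Enum):
    SUCCESS = "success"
    ABORTED = "aborted"  # the mode could not be tried for this request
    FAILED = "failed"    # the mode was tried and rejected the credentials


@dataclass
class Request:
    scheme: str = "https"
    client_ip: str = "192.0.2.10"
    client_cert: Optional[Tuple[str, str]] = None  # (subject DN, issuing CA) or None
    basic_auth: Optional[Tuple[str, str]] = None   # (user, password); None = user hit "cancel"


@dataclass
class Attempt:
    mode: str
    outcome: Outcome
    principal: Optional[str] = None


@dataclass
class Result:
    principal: Optional[str]         # None when authentication failed
    attempts: List[Attempt]
    redirect_to_https: bool = False  # comment #3: X509 was the only option but we are on HTTP


# Constructed sample data (assumptions, not from the page). A real deployment
# stores a password hash, not the password.
KNOWN_CAS = {"CN=Example Grid CA"}
USERS = {"alice": "correct horse battery staple"}
TRUSTED_IPS = {"192.0.2.10"}


def x509(req: Request) -> Attempt:
    if req.scheme != "https":
        return Attempt("X509", Outcome.ABORTED)   # no TLS handshake, so no client certificate
    if req.client_cert is None:
        return Attempt("X509", Outcome.ABORTED)   # assumption: cert not presented counts as abort
    dn, ca = req.client_cert
    if ca not in KNOWN_CAS:
        return Attempt("X509", Outcome.FAILED)    # unknown CA (in practice TLS rejects this earlier)
    return Attempt("X509", Outcome.SUCCESS, dn)


def password(req: Request) -> Attempt:
    if req.basic_auth is None:
        return Attempt("PASSWORD", Outcome.ABORTED)  # "cancel": no credentials were sent
    user, pwd = req.basic_auth
    # Always run the constant-time compare, against a dummy for unknown users,
    # so response timing does not reveal which usernames exist.
    expected = USERS.get(user, "\0" * 32)
    if not (compare_digest(expected.encode(), pwd.encode()) and user in USERS):
        return Attempt("PASSWORD", Outcome.FAILED)   # unknown user or wrong password
    return Attempt("PASSWORD", Outcome.SUCCESS, user)


def ip(req: Request) -> Attempt:
    if req.client_ip not in TRUSTED_IPS:
        return Attempt("IP", Outcome.ABORTED)        # IP never FAILS, it only aborts
    return Attempt("IP", Outcome.SUCCESS, "ip:" + req.client_ip)


Authenticator = Callable[[Request], Attempt]


def select_chain(req: Request, supported: List[Authenticator]) -> Tuple[List[Authenticator], bool]:
    """Comment #3: over plain HTTP, X509 is dropped from the chain. If that leaves
    the chain empty, the caller should redirect to HTTPS instead of authenticating."""
    chain = [a for a in supported if a is not x509 or req.scheme == "https"]
    if not chain and x509 in supported:
        return [], True
    return chain, False


def authenticate(req: Request, supported: List[Authenticator]) -> Result:
    chain, redirect = select_chain(req, supported)
    if redirect:
        return Result(None, [], redirect_to_https=True)
    attempts: List[Attempt] = []
    for auth in chain:
        attempt = auth(req)
        attempts.append(attempt)
        if attempt.outcome is Outcome.FAILED:
            return Result(None, attempts)   # ANY failed attempt => authentication failed
    successes = [a for a in attempts if a.outcome is Outcome.SUCCESS]
    if not successes:
        return Result(None, attempts)       # ALL attempts aborted => authentication failed
    return Result(successes[0].principal, attempts)


if __name__ == "__main__":
    chain = [x509, password, ip]
    # Cancelled password prompt over HTTP from a trusted IP: PASSWORD aborts, IP succeeds.
    print(authenticate(Request(scheme="http"), chain).principal)                   # ip:192.0.2.10
    # A wrong password fails the whole chain even though the IP would have succeeded.
    print(authenticate(Request(basic_auth=("alice", "wrong")), chain).principal)  # None
```

The chain stops at the first FAILED attempt because the overall result is already decided, but it keeps going past ABORTED attempts so that a later mode still gets its chance; only when nothing succeeded and nothing failed is the "all canceled" rule applied.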
#4

Updated by Schwarz Lionel about 10 years ago

  • Status changed from New to Resolved