Bug #6721
closed
Feature #6711: refactoring of lavoisier security
support chaining authentication attempts
100%
Description
PRE-REQUISITE: we must be able to distinguish abort from failure for each authentication mode.
Authentication attempt is considered as aborted if:
- X509: usage of protocol HTTP instead of HTTPS
- PASSWORD: user clicks on the button "cancel"
- IP: the list of authenticated IP does not contain user's IP
- CAS: to be defined...
Authentication attempt is considered as failed if:
- X509: CA is unknown
- PASSWORD: unknown user or wrong password
- IP: NEVER FAILS !!!
- CAS: to be defined...
Authentication is considered as failed:
- either if ANY authentication attempt has failed
- or if ALL the authentication attempts have been canceled
Updated by Schwarz Lionel over 10 years ago
- Tracker changed from Task to Bug
Reynaud Sylvain wrote:
PRE-REQUISITE: we must be able to distinguish abort from failure for each authentication mode.
Authentication attempt is considered as aborted if:
- X509: usage of protocol HTTP instead of HTTPS
If HTTP is used, then the X509 will not be selected as authenticator in the chain, except if the chain is empty and it's the last authenticator supported. In this case, the user will be offered an automatic HTTPS->HTTP redirection.
- PASSWORD: user clicks on the button "cancel"
Cancel does not send HTTP request.
- IP: the list of authenticated IP does not contain user's IP
OK
- CAS: to be defined...
To be defined
Authentication attempt is considered as failed if:
- X509: CA is unknown
This is done at the SSL level, so in principle X509 will never fail
- PASSWORD: unknown user or wrong password
OK
- IP: NEVER FAILS !!!
OK
- CAS: to be defined...
If the ticket is not valid, the CAS login module automatically redirects to the CAS server and thus triggers the generation of a new ticket that will be validated at the next request.
Authentication is considered as failed:
- either if ANY authentication attempt has failed
- or if ALL the authentication attempts have been canceled
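The abort/failure distinction and the chain rule discussed above (fail if ANY attempt failed, or if ALL attempts were canceled), as an added example in Python that is not Lavoisier's own code. The `Request` class, `USERS` and `TRUSTED_IPS` are constructed for the demo; X509 being "not selected" under plain HTTP is modelled as an abort, which gives the chain the same result.

```python
from enum import Enum
from typing import Callable, Optional


class Outcome(Enum):
    SUCCESS = "success"
    ABORTED = "aborted"  # attempt not applicable or cancelled by the user
    FAILED = "failed"    # credentials were presented and rejected


# Hypothetical request model (not Lavoisier's): URL scheme, client IP and
# the submitted password form (None when the user clicked "cancel").
class Request:
    def __init__(self, scheme: str, client_ip: str, form: Optional[dict] = None):
        self.scheme, self.client_ip, self.form = scheme, client_ip, form


# Constructed user store and trusted-IP list for the demo.
USERS = {"alice": "s3cret"}
TRUSTED_IPS = {"10.0.0.5"}


def x509(req: Request) -> Outcome:
    # No client certificate can be presented over plain HTTP: abort, never fail.
    # An unknown CA is rejected at the SSL layer before this code runs.
    return Outcome.SUCCESS if req.scheme == "https" else Outcome.ABORTED


def password(req: Request) -> Outcome:
    if req.form is None:                       # "cancel" sends no request
        return Outcome.ABORTED
    if USERS.get(req.form.get("user")) != req.form.get("password"):
        return Outcome.FAILED                  # unknown user or wrong password
    return Outcome.SUCCESS


def ip_auth(req: Request) -> Outcome:
    # An IP missing from the list is an abort; this authenticator never fails.
    return Outcome.SUCCESS if req.client_ip in TRUSTED_IPS else Outcome.ABORTED


CHAIN: list[Callable[[Request], Outcome]] = [x509, password, ip_auth]


def authenticate(req: Request, chain=CHAIN) -> tuple[bool, list[Outcome]]:
    """Run every authenticator; the user is rejected if ANY attempt failed
    or if ALL attempts were aborted, otherwise accepted."""
    outcomes = [auth(req) for auth in chain]
    if Outcome.FAILED in outcomes or all(o is Outcome.ABORTED for o in outcomes):
        return False, outcomes
    return True, outcomes
```

Note that a single FAILED outcome rejects the user even when another authenticator in the chain succeeded, so a wrong password from a trusted IP is still refused.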