Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-553

Make use of realm events to handle OTP timeout updates

    XMLWordPrintable

Details

    • Feature Request
    • Status: Resolved (View Workflow)
    • Major
    • Resolution: Rejected
    • None
    • None
    • SASL
    • None

    Description

      For the OTP SASL mechanism, we need to protect against race attacks, as described in RFC 2289. The approach OTPSaslServer currently takes to defend against such attacks is the one suggested in RFC 2289, i.e., we prevent multiple simultaneous authentication sessions for a user. This means that once a legitimate user has started the authentication process, an attacker would be blocked until that first authentication process finishes. With this approach, a timeout is needed in order to prevent a denial of service attack. We could store the timeout info for a user via a RealmIdentity attribute as in PR #277. We could then add support for a new event that indicates a timeout attribute change for a realm identity and then handle a TimeoutUpdateCallback by handling this new event.

      Attachments

        Issue Links

          Activity

            People

              fjuma1@redhat.com Farah Juma
              fjuma1@redhat.com Farah Juma
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: