Uploaded image for project: 'Undertow'
  1. Undertow
  2. UNDERTOW-979

No need to re-verify credential once authenticated.

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • 1.3.21.Final
    • Security
    • None
    • Hide

      1. add the following lines into standalone.xml

                      <security-domain name="test" cache-type="default">
                    <authentication>
                        <login-module code="Simple" flag="required"/>
                    </authentication>
                </security-domain>

      2. start EAP7 and deploy the attached test.war

      3. access http://localhost:8080/test and log in as guest/guest

      4. access http://localhost:8080/test again. then you will see org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid() is invoked

      Show
      1. add the following lines into standalone.xml <security-domain name= "test" cache-type= " default " > <authentication> <login-module code= "Simple" flag= "required" /> </authentication> </security-domain> 2. start EAP7 and deploy the attached test.war 3. access http://localhost:8080/test and log in as guest/guest 4. access http://localhost:8080/test again. then you will see org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid() is invoked

    Description

      Once a user is authenticated, io.undertow.security.impl.CachedAuthenticatedSessionMechanism.sessionManager stores its session. When accessing another secured web resources, io.undertow.security.impl.CachedAuthenticatedSessionMechanism.runCached() verifies a credential cached in sessionManager. It is unnecessry.

      In EAP6, a creadential is not re-verified. EAP7 should do likewise.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-8644 No need to re-verify credential once authenticated.

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              Unassigned Unassigned
              rhn-support-hokuda Hisanobu Okuda
              Votes:
              1 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated: