Posted to user@syncope.apache.org by "Mani, Vellingiri (Nokia - IN)" <ve...@nokia.com> on 2016/10/22 14:59:41 UTC
Differentiating unknown user and known user with wrong password ?
Hi,
Same response code (401) from Syncope during self-authentication [1] for both unknown user and known user with wrong password.
[1] http://10.10.10.10:8080/syncope/rest/users/self
How can we distinguish between the unknown user and the known user with wrong password ?
Regards,
Vellingiri
Re: Differentiating unknown user and known user with wrong password ?
Posted by Francesco Chicchiriccò <fr...@tirasa.net>.
On 24/10/2016 16:52, Mani, Vellingiri (Nokia - IN) wrote:
>
> Hi Francesco,
>
> I understand. For suspended user, the response is 401. Is it for the
> same reason ?
>
Not quite: this is because of the authentication.statuses configuration
parameter
https://syncope.apache.org/docs/reference-guide.html#configuration-parameters
which does not contain 'suspended' by default; when you add it to the
list of supported statuses for authentication, suspended users will be
able to authenticate themselves.
HTH
Regards.
> *From:* Francesco Chicchiriccò [mailto:ilgrosso@apache.org]
>
> *Sent:* Monday, October 24, 2016 12:44 PM
> *To:* user@syncope.apache.org
> *Subject:* Re: Differentiating unknown user and known user with wrong
> password ?
>
> On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:
>
> Hi,
>
> Same response code (401) from Syncope during self-authentication
> [1] for both unknown user and known user with wrong password.
>
> [1] http://10.10.10.10:8080/syncope/rest/users/self
>
> How can we distinguish between the unknown user and the known user
> with wrong password ?
>
>
> This is on purpose: if there were different HTTP statuses, an attacker
> could exploit it to enumerate the existing users.
>
> Having said that, and even if I would not advise it, there is the
> chance to override such behaviour - in Syncope there is always a means
> to override ;-) - by tweaking the Spring Security configuration: see
> some recent e-mail about this topic for more details.
>
> Regards.
>
--
Francesco Chicchiriccò
Tel +393290573276
Amministratore unico @ Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
"To Iterate is Human, to Recurse, Divine"
(James O. Coplien, Bell Labs)
Re: Differentiating unknown user and known user with wrong password ?
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 25/10/2016 09:18, Mani, Vellingiri (Nokia - IN) wrote:
>
> Hi Francesco,
>
> I added *suspended* to authentication.statuses parameter but still the
> response is “*401 Unauthorized*”.
>
Sorry, my bad: I did not check the actual code, e.g.
https://github.com/apache/syncope/blob/syncope-2.0.1/core/spring/src/main/java/org/apache/syncope/core/spring/security/AuthDataAccessor.java#L138-L145
which first forbids accessing when suspended then checks for
authentication.statuses.
I have also added a warning about this to the SNAPSHOT docs:
https://ci.apache.org/projects/syncope/reference-guide.html#configuration-parameters
Hope this clarifies.
Regards.
> *From:* Francesco Chicchiriccò [mailto:ilgrosso@apache.org]
> *Sent:* Monday, October 24, 2016 8:30 PM
> *To:* user@syncope.apache.org
> *Subject:* Re: Differentiating unknown user and known user with wrong
> password ?
>
> On 24/10/2016 16:52, Mani, Vellingiri (Nokia - IN) wrote:
>
> Hi Francesco,
>
> I understand. For suspended user, the response is 401. Is it for
> the same reason ?
>
>
> Not quite: this is because of the authentication.statuses
> configuration parameter
>
> https://syncope.apache.org/docs/reference-guide.html#configuration-parameters
>
> which does not contain 'suspended' by default; when you add it to the
> list of supported statuses for authentication, suspended users will be
> able to authenticate themselves.
>
> HTH
> Regards.
>
>
> *From:* Francesco Chicchiriccò [mailto:ilgrosso@apache.org]
>
> *Sent:* Monday, October 24, 2016 12:44 PM
> *To:* user@syncope.apache.org <ma...@syncope.apache.org>
> *Subject:* Re: Differentiating unknown user and known user with
> wrong password ?
>
> On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:
>
> Hi,
>
> Same response code (401) from Syncope during
> self-authentication [1] for both unknown user and known user
> with wrong password.
>
> [1] http://10.10.10.10:8080/syncope/rest/users/self
>
> How can we distinguish between the unknown user and the known
> user with wrong password ?
>
>
> This is on purpose: if there were different HTTP statuses, an
> attacker could exploit it to enumerate the existing users.
>
> Having said that, and even if I would not advise it, there is the
> chance to override such behaviour - in Syncope there is always a
> means to override ;-) - by tweaking the Spring Security
> configuration: see some recent e-mail about this topic for more
> details.
>
> Regards.
>
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
RE: Differentiating unknown user and known user with wrong password ?
Posted by "Mani, Vellingiri (Nokia - IN)" <ve...@nokia.com>.
Hi Francesco,
I added suspended to authentication.statuses parameter but still the response is “401 Unauthorized”.
Regards,
Vellingiri
From: Francesco Chicchiriccò [mailto:ilgrosso@apache.org]
Sent: Monday, October 24, 2016 8:30 PM
To: user@syncope.apache.org
Subject: Re: Differentiating unknown user and known user with wrong password ?
On 24/10/2016 16:52, Mani, Vellingiri (Nokia - IN) wrote:
Hi Francesco,
I understand. For suspended user, the response is 401. Is it for the same reason ?
Not quite: this is because of the authentication.statuses configuration parameter
https://syncope.apache.org/docs/reference-guide.html#configuration-parameters
which does not contain 'suspended' by default; when you add it to the list of supported statuses for authentication, suspended users will be able to authenticate themselves.
HTH
Regards.
From: Francesco Chicchiriccò [mailto:ilgrosso@apache.org]
Sent: Monday, October 24, 2016 12:44 PM
To: user@syncope.apache.org<ma...@syncope.apache.org>
Subject: Re: Differentiating unknown user and known user with wrong password ?
On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:
Hi,
Same response code (401) from Syncope during self-authentication [1] for both unknown user and known user with wrong password.
[1] http://10.10.10.10:8080/syncope/rest/users/self
How can we distinguish between the unknown user and the known user with wrong password ?
This is on purpose: if there were different HTTP statuses, an attacker could exploit it to enumerate the existing users.
Having said that, and even if I would not advise it, there is the chance to override such behaviour - in Syncope there is always a means to override ;-) - by tweaking the Spring Security configuration: see some recent e-mail about this topic for more details.
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
RE: Differentiating unknown user and known user with wrong password ?
Posted by "Mani, Vellingiri (Nokia - IN)" <ve...@nokia.com>.
Hi Francesco,
I understand. For suspended user, the response is 401. Is it for the same reason ?
Regards,
Vellingiri
From: Francesco Chicchiriccò [mailto:ilgrosso@apache.org]
Sent: Monday, October 24, 2016 12:44 PM
To: user@syncope.apache.org
Subject: Re: Differentiating unknown user and known user with wrong password ?
On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:
Hi,
Same response code (401) from Syncope during self-authentication [1] for both unknown user and known user with wrong password.
[1] http://10.10.10.10:8080/syncope/rest/users/self
How can we distinguish between the unknown user and the known user with wrong password ?
This is on purpose: if there were different HTTP statuses, an attacker could exploit it to enumerate the existing users.
Having said that, and even if I would not advise it, there is the chance to override such behaviour - in Syncope there is always a means to override ;-) - by tweaking the Spring Security configuration: see some recent e-mail about this topic for more details.
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Differentiating unknown user and known user with wrong password ?
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:
>
> Hi,
>
> Same response code (401) from Syncope during self-authentication [1]
> for both unknown user and known user with wrong password.
>
> [1] http://10.10.10.10:8080/syncope/rest/users/self
>
> How can we distinguish between the unknown user and the known user
> with wrong password ?
>
This is on purpose: if there were different HTTP statuses, an attacker
could exploit it to enumerate the existing users.
Having said that, and even if I would not advise it, there is the chance
to override such behaviour - in Syncope there is always a means to
override ;-) - by tweaking the Spring Security configuration: see some
recent e-mail about this topic for more details.
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
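Added example, written for this page; it is not from either participant and not Apache Syncope code. The Python below models the decision the replies in this thread describe: Francesco's first reply explains why an unknown user and a known user with a wrong password both get 401 (distinct codes would hand an attacker a user-enumeration oracle), and his later correction explains that a suspended user is refused before authentication.statuses is consulted, so adding "suspended" to that parameter leaves the 401 in place. The model collapses every failure to 401, runs the suspended check ahead of the allowed-status check, and goes one step beyond the thread by also hashing a dummy credential for unknown usernames so that response time does not leak what the status code hides. The user store, passwords, statuses, the `self_auth` and `enumeration_oracle` functions and the `leaky=True` variant are all constructed for illustration; `enumeration_oracle` is the probe a tester would point at the real /users/self endpoint by swapping an HTTP call in for the local function.

```python
"""Model of a self-authentication endpoint that does not leak account
existence, plus the probe a tester runs to check for that leak.

Constructed example for this thread; not Apache Syncope code. The user
store, passwords and statuses are made up, and `leaky=True` is a
hypothetical variant showing the behaviour a uniform 401 avoids.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Iterable

PBKDF2_ROUNDS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class User:
    salt: bytes
    digest: bytes
    status: str


def make_user(password: str, status: str) -> User:
    salt = os.urandom(16)
    return User(salt, _hash(password, salt), status)


# Constructed user store (assumption: a status is a plain string, as in the thread).
USERS = {
    "alice": make_user("correct horse", "active"),
    "bob": make_user("battery staple", "suspended"),
    "carol": make_user("s3cret", "created"),
}

# Record used for unknown usernames: a random digest that matches no
# password, so the server pays one PBKDF2 computation whether or not the
# account exists. Without it, response time would leak what the status
# code hides.
_DUMMY = User(os.urandom(16), os.urandom(32), "active")


def self_auth(username: str, password: str,
              allowed_statuses: Iterable[str] = ("active",),
              *, leaky: bool = False) -> int:
    """Return the HTTP status the endpoint answers with.

    Every failure collapses to 401. With `leaky` set, unknown users get
    404 and suspended users 403, which is exactly the oracle an attacker
    would use to enumerate accounts.
    """
    user = USERS.get(username, _DUMMY)
    # Always do the hash comparison, even for the dummy record.
    password_ok = hmac.compare_digest(_hash(password, user.salt), user.digest)

    if username not in USERS:
        return 404 if leaky else 401
    # Suspended accounts are refused before the allowed-status list is
    # consulted, so listing "suspended" there changes nothing.
    if user.status == "suspended":
        return 403 if leaky else 401
    if user.status not in set(allowed_statuses):
        return 401
    if not password_ok:
        return 401
    return 200


def enumeration_oracle(attempt: Callable[[str, str], int],
                       known_user: str, unknown_user: str) -> bool:
    """True when the status code alone tells a known user with a wrong
    password apart from a username that does not exist."""
    wrong = "definitely-not-the-password"
    return attempt(known_user, wrong) != attempt(unknown_user, wrong)


if __name__ == "__main__":
    for name, pwd in [("alice", "correct horse"), ("alice", "wrong"),
                      ("nobody", "wrong"), ("bob", "battery staple")]:
        print(f"{name:>8} / {pwd:<14} -> {self_auth(name, pwd)}")
    print("uniform endpoint enumerable:",
          enumeration_oracle(self_auth, "alice", "nobody"))
    print("leaky endpoint enumerable:",
          enumeration_oracle(lambda u, p: self_auth(u, p, leaky=True),
                             "alice", "nobody"))
```

Run it directly to see the outcomes for each case. Against a real deployment, compare not only the status code but also the response body, headers and timing for the known-user/wrong-password pair versus the unknown-user pair, since any of those can reopen the oracle that the uniform 401 closes.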