Joomla! Issue Tracker | Joomla! CMS #8018 - Canceling of authentication

Closed
4 Nov 2016
Medium
Build: staging
# 8018
Diff
colivier:patch-8

Success

Success continuous-integration/travis-ci/pr The Travis CI build passed Details

User tests: Successful: Unsuccessful:

colivier
5 Oct 2015

For a security issue, if an authentication plugin detects an anomaly (ex : a lot of tests of authentication in a short time, a suspect IP or a blacklisted IP...), this plugin should have a mean to cancel the current authentication.

Today, the only way to cancel the authentication process is to disable authentication plugin of Joomla and rewrite another on the same model.

The status "cancel" is unused and perhaps it would be a good use.

4e9b0bc 5 Oct 2015

Canceling of authentication

colivier - open - 5 Oct 2015

colivier - change - 5 Oct 2015

Status

New

⇒

Pending

joomla-cms-bot - change - 5 Oct 2015

Labels

Added: ?

4d432b2 5 Oct 2015

Update authentication.php

5bf9062 5 Oct 2015

Let Travis be a happy guy :)

zero-24 - comment - 5 Oct 2015

@colivier see: colivier#1 this should fix also the seccond Travis problem ;)

3915f49 5 Oct 2015

Merge pull request #1 from zero-24/patch-10

zero-24 - change - 5 Oct 2015

Category

⇒

Authentication Libraries Plugins

dam-man - comment - 10 Oct 2015

Please add test instructions, otherwise it is not easy to test and to know what the results should be.

_{This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8018.}

colivier - comment - 12 Oct 2015

I'm sorry but there are no instructions for testing.

The only way to test is to create an authentication plugin and note that this plugin does not have the means to stop the authentication process. Today the only way to break out the loop is when an authentication plugin has identified an user but there is no way to break out the loop if a plugin identifies a problem (ex : a lot of tests of authentication in a short time, a suspect IP or a blacklisted IP...). If a plugin finds a problem, the loop continue and cannot be stop.

wilsonge - comment - 31 Jul 2016

Hey,
I've been having a look over this as my company are in the process of building an authentication plugin at the moment. I think this is fine BUT you need to add the cancelled status to the list of denied states https://github.com/joomla/joomla-cms/blob/3.6.1-rc2/libraries/cms/application/cms.php#L823 and
https://github.com/joomla/joomla-cms/blob/3.6.1-rc2/libraries/legacy/application/application.php#L635

colivier - comment - 1 Aug 2016

If an authentication plugin returns otherwise than STATUS_SUCCESS, the test at the line 627 of application.php fails and the login function is stopped.

euismod2336 - comment - 4 Nov 2016

@colivier This cannot be merged at this point because the file and code was moved (now /libraries/joomla/authentication/authentication.php line 287).

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/8018.}

colivier - comment - 4 Nov 2016

@euismod2336 thank you for the information, so I close the PR

colivier - change - 4 Nov 2016

Status	Pending	⇒	Closed
Closed_Date	0000-00-00 00:00:00	⇒	2016-11-04 13:35:51
Closed_By		⇒	colivier

colivier - close - 4 Nov 2016

joomla-cms-bot - change - 4 Nov 2016

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#8018] - Canceling of authentication

Add a Comment