Task #911 (closed)
Examine changing of password with one-time (session) password
| Reported by: | jamoore | Owned by: | jamoore |
|---|---|---|---|
| Priority: | major | Milestone: | OMERO-Beta4.2 |
| Component: | Security | Version: | 3.0-M1 |
| Keywords: | sessions | Cc: | |
| Resources: | n.a. | Referenced By: | n.a. |
| References: | n.a. | Remaining Time: | 0.0d |
| Sprint: | 2010-04-02 (6) |
Description
It's unclear if users with a temporary password (session-id) should be able to change a permanent password. Probably not.
Change History (7)
comment:1 Changed 15 years ago by jmoore
- Milestone changed from OMERO-Beta4 to OMERO-Beta4.1
comment:2 Changed 15 years ago by jmoore
- Milestone changed from OMERO-Beta4.1 to OMERO-Beta4.2
comment:3 Changed 14 years ago by jmoore
- Remaining Time set to 0.25
- Sprint set to 2010-04-02 (6)
comment:4 Changed 14 years ago by jmoore
- Status changed from new to assigned
comment:5 Changed 14 years ago by jmoore
- Remaining Time changed from 0.25 to 0
- Resolution set to fixed
- Status changed from assigned to closed
(In [6562]) fix #911 - Initially filtering on changePassword and createUserSession
This commit introduces a hasPassword flag which gets propagated
from the client-specific ServiceFactoryI down to the MethodSecurity
handler on each method call. Marking a method with:
@RolesAllowed('HasPassword')
will force the user to have logged in with proper credentials and not
a session id in order to minimize the effect of session hijacking.
comment:6 Changed 14 years ago by jmoore
comment:7 Changed 13 years ago by jmoore
Note: See
TracTickets for help on using
tickets.
You may also have a look at Agilo extensions to the ticket.
Looks like 4.1 is also becoming a security milestone.