Bug #73673

Service chaining impossible with SaltedPasswordService

Added by Robert Schulze over 8 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
Authentication
Target version:
-
Start date:
2016-02-25
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
7
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

It is impossible to have the following scenario with chained authentication services:

  • there are two services:
    • SaltedPasswordService (priority: 70, subtypes: authUser*,..)
    • AnotherCustomAuthenticationService (priority: 55, subtypes: authUser*,...)
  • there is a user xy
    • the user will not be authenticated by the SaltedPasswordService
    • the user will be successfully authenticated by the AnotherCustomAuthenticationService

The authUser method from the SaltedPasswordService will return 0 because it was not able to authenticate the user. Instead it should return 100 and leave it up to the next chained authentication service registered for the same subtype authUser*.
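The following stand-alone PHP script is an added illustration of the chaining behaviour described in this report; it is not TYPO3 core code and not the extension attached to the ticket. It models the two services from the scenario above and a simplified dispatcher that walks the `authUser` services in priority order, using TYPO3's documented return-code convention (200 or above: authenticated, 100 to 199: not responsible, hand over to the next service, below 100: reject and stop). The user record, the "external directory" of the custom service and the class names are constructed for the example; the `passOnFailure` switch is an assumption that lets the same script show the reported behaviour (return 0) next to the proposed one (return 100).

```php
<?php
declare(strict_types=1);

// Simplified model of a TYPO3-style authUser service chain.
// Assumption: this is an illustration, not the core dispatcher.
// Return-code convention of authUser(): >= 200 authenticated,
// 100..199 "not responsible, ask the next service", < 100 reject and stop.

interface AuthUserService
{
    public function priority(): int;
    public function authUser(array $user, string $password): int;
}

/** Model of SaltedPasswordService (priority 70) in both variants the report compares. */
final class SaltedPasswordService implements AuthUserService
{
    // $passOnFailure = false models the reported behaviour (return 0),
    // true models the proposed behaviour (return 100). Constructed switch.
    public function __construct(private bool $passOnFailure) {}
    public function priority(): int { return 70; }

    public function authUser(array $user, string $password): int
    {
        // Only records that carry a password_hash()-style salted hash are ours.
        if (!str_starts_with($user['password'], '$')) {
            return 100;
        }
        if (password_verify($password, $user['password'])) {
            return 200;
        }
        return $this->passOnFailure ? 100 : 0;
    }
}

/** Model of AnotherCustomAuthenticationService (priority 55) backed by a constructed directory. */
final class AnotherCustomAuthenticationService implements AuthUserService
{
    public function __construct(private array $externalDirectory) {}
    public function priority(): int { return 55; }

    public function authUser(array $user, string $password): int
    {
        $storedHash = $this->externalDirectory[$user['username']] ?? null;
        if ($storedHash === null) {
            return 100; // unknown to this backend: do not decide
        }
        return password_verify($password, $storedHash) ? 200 : 0;
    }
}

/** Run services highest priority first; the first decisive return code ends the chain. */
function runAuthChain(array $services, array $user, string $password): array
{
    usort($services, fn ($a, $b) => $b->priority() <=> $a->priority());
    $trace = [];
    foreach ($services as $service) {
        $ret = $service->authUser($user, $password);
        $trace[] = sprintf('%s => %d', $service::class, $ret);
        if ($ret >= 200) {
            return [true, $trace];
        }
        if ($ret < 100) {
            return [false, $trace];
        }
        // 100..199: fall through to the next service
    }
    return [false, $trace];
}

// Constructed sample data: user "xy" has a local salted hash for one password
// and a different password in the directory the custom service consults.
$user = [
    'uid' => 1,
    'username' => 'xy',
    'password' => password_hash('local-secret', PASSWORD_DEFAULT),
];
$directory = ['xy' => password_hash('directory-secret', PASSWORD_DEFAULT)];

foreach ([false, true] as $passOn) {
    $services = [
        new SaltedPasswordService($passOn),
        new AnotherCustomAuthenticationService($directory),
    ];
    [$ok, $trace] = runAuthChain($services, $user, 'directory-secret');
    printf(
        "passOnFailure=%s: %s\n  %s\n",
        var_export($passOn, true),
        $ok ? 'authenticated' : 'rejected',
        implode("\n  ", $trace)
    );
}
```

Running it with `php chain.php` prints two traces: with `passOnFailure=false` the salted-password service returns 0 and the chain stops with "rejected" before the custom service is ever asked; with `passOnFailure=true` it returns 100, the custom service returns 200 and the login is "authenticated". The trace also makes the security side of the thread visible: whichever service runs last for a record that carries a salted hash makes the final decision, so the order of the chain, not just the return codes, determines who gets to reject a login.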


Related issues: 1 (0 open, 1 closed)

Related to TYPO3 Core - Bug #22030: Authentication Bypass in frontend user authentication (sysext:saltedpasswords) (Closed, Marcus Krause, 2010-01-30)

Actions #1

Updated by Gerrit Code Review over 8 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/46894

Actions #2

Updated by Jonas Götze over 8 years ago

Here is a very small extension that adds an authentication service to test this.

With the patch applied it will just log in any entered felogin data as the fe_user with uid 1.
Without the patch, login will only be successful if the entered data is correct, as only the regular SaltedPasswordService logic comes into play.

Actions #3

Updated by Nicole Cordes over 8 years ago

  • Status changed from Under Review to New

The saltedpassword service has to be the last one for security reasons if the user uses a salted password. This issue can't be solved by changing that chain.

We can lower the priority of the saltedpassword service to make it easier to overrule it. This is for master only and needs a breaking.rst file.

Actions #4

Updated by Benni Mack over 5 years ago

  • Status changed from New to Needs Feedback

Hi Robert,

can you recheck the issue with TYPO3 v9? We've improved the situation and tried to reduce complexity by migrating SaltedPasswordService into the general AuthenticationService.

Thanks.
Benni.

Actions #5

Updated by Riccardo De Contardi over 5 years ago

  • Status changed from Needs Feedback to Closed

No feedback since the last 90 days => closing this issue.

If you think that this is the wrong decision or experience the issue again and have more information about how to reproduce your problem, please reopen it or open a new issue with a reference to this one.

Thank you and best regards
