Project

General

Profile

Actions
Copy link

Bug #73673

closed

Service chaining impossible with SaltedPasswordService

Added by Robert Schulze about 8 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
Authentication
Target version:
-
Start date:
2016-02-25
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
7
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

It is impossible to have the following scenario with chained authentication services:

  • there are two services:
    • SaltedPasswordService (priority: 70, subtypes: authUser*,..)
    • AnotherCustomAuthenticationService (priority: 55, subtypes: authUser*,...)
  • there is a user xy
    • the user will not be authenticated by the SaltedPasswordService
    • the user will successfully authenticated by the AnotherCustomAuthenticationService

The authUser method from the SaltedPasswordService will return 0 because it was not able to authenticate the user. Instead it should return 100 and leave it up to the next chained authentication service registered for the same subtype authUser*.

Files

custom_auth_1.0.0_201603061358.zip (4.05 KB) custom_auth_1.0.0_201603061358.zip Jonas Götze, 2016-03-06 14:06

Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Bug #22030: Authentication Bypass in frontend user authentication (sysext:saltedpasswords)ClosedMarcus Krause2010-01-30

Actions
Actions
Copy link
 #1

Updated by Gerrit Code Review about 8 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/46894

Actions
Copy link
 #2

Updated by Jonas Götze about 8 years ago

Here is a very little Extension that adds authentication service to test this.

With the patch applied it will just login any entered felogin-data with fe_user of uid 1.
Without the patch login will only be successful if the entered data is correct as only the regular SaltedPasswordService logic comes into play.

Actions
Copy link
 #3

Updated by Nicole Cordes about 8 years ago

  • Status changed from Under Review to New

The saltedpassword service has to be the last one for security reasons if the user uses a salted password. This issue can't be solved by changing that chain.

We can lower the priority of the saltedpassword service to make it easier the overrule it. This is for master only and needs a breaking.rst file.

Actions
Copy link
 #4

Updated by Benni Mack about 5 years ago

  • Status changed from New to Needs Feedback

Hi Robert,

can you recheck the issue with TYPO3 v9, we've improved the situation and tried to reduce complexity now by migrated SaltedPasswordService into the general AuthenticationService.

Thanks.
Benni.

Actions
Copy link
 #5

Updated by Riccardo De Contardi almost 5 years ago

  • Status changed from Needs Feedback to Closed

No feedback since the last 90 days => closing this issue.

If you think that this is the wrong decision or experience the issue again and have more information about how to reproduce your problem, please reopen it or open a new issue with a reference to this one.

Thank you and best regards

Actions
Copy link

Also available in: Atom PDF