martinspielmann / nexus3-crowd-plugin

Sonatype Nexus plugin for Atlassian Crowd integration
Apache License 2.0

Hum, it's letting me log in with any password #24

Closed webmutation closed 7 years ago

webmutation commented 7 years ago

Hi,

The system is letting me log in with my Crowd username and any password... is anyone else experiencing this?

martinspielmann commented 7 years ago

Reproduced it. If you logged in before, your username is in the cache for 15m and the password is no longer checked. The password should be securely hashed and added to the cached user, so there is a value we can validate against.

martinspielmann commented 7 years ago

In 8e1acde I added a sha256 hashed password to the cached auth token, so that we are able to check for it. Login is now working as expected, but I think this is a security risk and should be improved. For me there are basically two options:

Personally I would prefer the first option. The second one provides a higher level of security but crowd calls slow down authentication speed a lot in comparison to in-memory password checks.

What do you think?
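The two cache behaviours discussed above, side by side, as an added illustration that is not the plugin's own code (the plugin is Java; this is a language-independent sketch in Python). The user directory, the fake clock, the class and function names, the PBKDF2 stretching and the choice to fall through to the remote check on a cache hit with a wrong password are all assumptions of this example, not something the thread states.

```python
import hashlib
import hmac
import os
import time

CACHE_TTL_SECONDS = 15 * 60      # the 15-minute window described in the thread
PBKDF2_ITERATIONS = 100_000      # assumption: cost high enough that a dumped cache is not trivially cracked


class VulnerableAuthCache:
    """Before the fix: only the username is cached, so any password is accepted
    while the entry is fresh."""

    def __init__(self, remote_check, clock=time.time):
        self._remote_check = remote_check   # stands in for the round trip to Crowd
        self._clock = clock
        self._entries = {}                  # username -> expiry timestamp

    def authenticate(self, username, password):
        expiry = self._entries.get(username)
        if expiry is not None and expiry > self._clock():
            return True                     # BUG: the password is never compared
        if self._remote_check(username, password):
            self._entries[username] = self._clock() + CACHE_TTL_SECONDS
            return True
        return False


class HashingAuthCache:
    """After the fix: the cached token carries a salted, stretched hash of the
    password, and a cache hit only counts as success if the presented password
    matches it. A wrong password on a fresh entry is not rejected locally but
    handed to the remote check, so the directory's own lockout policy still
    applies (design choice of this example)."""

    def __init__(self, remote_check, clock=time.time):
        self._remote_check = remote_check
        self._clock = clock
        self._entries = {}                  # username -> (salt, digest, expiry)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def authenticate(self, username, password):
        entry = self._entries.get(username)
        if entry is not None:
            salt, digest, expiry = entry
            if expiry <= self._clock():
                del self._entries[username]   # expired: do not trust it at all
            elif hmac.compare_digest(self._digest(password, salt), digest):
                return True                   # constant-time comparison against the cached hash
            # fresh entry but wrong password: fall through to the remote check
        if self._remote_check(username, password):
            salt = os.urandom(16)             # per-entry salt so equal passwords do not share a digest
            self._entries[username] = (salt, self._digest(password, salt),
                                       self._clock() + CACHE_TTL_SECONDS)
            return True
        return False


def run_scenario(cache_class):
    """Drive a cache through the login sequence from the issue using a constructed
    user directory and a fake clock. Returns (first_login_ok, wrong_password_ok,
    login_after_expiry_and_rotation_ok, remote_calls)."""
    directory = {"alice": "correct horse battery staple"}   # constructed sample directory
    remote_calls = []
    now = [1_000_000.0]

    def remote_check(user, pw):
        remote_calls.append(user)
        return directory.get(user) == pw

    cache = cache_class(remote_check, clock=lambda: now[0])
    first = cache.authenticate("alice", "correct horse battery staple")
    wrong = cache.authenticate("alice", "not her password")   # inside the 15m window
    now[0] += CACHE_TTL_SECONDS + 1                           # let the entry expire
    directory["alice"] = "rotated password"                  # password changed upstream
    stale = cache.authenticate("alice", "correct horse battery staple")
    return first, wrong, stale, len(remote_calls)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableAuthCache))   # (True, True, False, 2)
    print("hashing:   ", run_scenario(HashingAuthCache))      # (True, False, False, 3)
```

The second result tuple is the behaviour the issue asks for: the wrong password inside the cache window is refused, and once the entry has expired the old password is no longer accepted either, because the cache no longer answers for it. The remaining risk the maintainer points at is that the cache itself holds password-derived material in memory, which is why a salted, stretched hash is used here instead of a bare sha256 digest.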

webmutation commented 7 years ago

I will update it! Thanks for the quick fix.

I prefer to retain the cache. In our case we are not running a public-facing service and we have a highly hierarchical access structure, so we know who is doing what. If it was a public-facing service then the second would be best. I think the first option will work for 80% of people.

martinspielmann commented 7 years ago

Alright sounds reasonable to me.
I think it's simple to add a new property to the crowd.properties file. I created a new issue to make caching a configurable feature, so everybody can decide what's the best solution for their environment #25

martinspielmann commented 7 years ago

OK, the configurable cache was added and is already available in https://github.com/pingunaut/nexus3-crowd-plugin/releases/tag/nexus3-crowd-plugin-3.2.0. Please be aware: the cache feature is disabled by default and can be activated by adding cache.authentication=true to the crowd.properties file (refer to the README.md for details).