mway08 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

FileBasedAuthenticator should ensure user does not have password set equal to their username #108

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
It appears that no method within
org.owasp.esapi.reference.FileBasedAuthenticator class ensures that when a
user is created or updated, that their password is not the same as their
username.

For example, if a username is created MarcinIsNumber1!, the user can still
set their password to the same value as it would still pass the
verifyPasswordStrength check.

Solution:  Add a check to validate user's password is not equal to their
username.

Original issue reported on code.google.com by marcin.w...@gmail.com on 10 Feb 2010 at 3:09

GoogleCodeExporter commented 9 years ago

Original comment by manico.james@gmail.com on 2 Nov 2010 at 7:38

GoogleCodeExporter commented 9 years ago

Original comment by manico.james@gmail.com on 2 Nov 2010 at 7:59

GoogleCodeExporter commented 9 years ago
Made update to add another small private method called from wherever 
verifyPasswordStrength is called that validates the password != account name.  
Made a separate method to not break the existing public verifyPasswordStrength 
api, especially since the api is intended to change soon to be based on 
credential, not just username/password.  Also added test to AuthenticatorTest 
to verify change worked, and reran all tests - all passed.

Original comment by jtmel...@gmail.com on 4 Nov 2010 at 3:29

GoogleCodeExporter commented 9 years ago
Based on recommendation of team, went back, removed method mentioned above, and 
changed verifyPasswordStrength method signature to add a User object as an arg. 

See http://code.google.com/p/owasp-esapi-java/source/detail?r=1656

Original comment by jtmel...@gmail.com on 17 Nov 2010 at 4:28