  1. OpenAM
  2. OPENAM-5153

Auth modules should call setAuthLevel after successful login

    Details

    • AM Sustaining Sprint 35, AM Sustaining Sprint 36, AM Sustaining Sprint 37, AM Sustaining Sprint 38, AM Sustaining Sprint 39, AM Sustaining Sprint 40
    • 5

      Description

      OpenAM auth modules seem to call setAuthLevel() inconsistently.

      There are mainly 3 types of auth modules:
      (1) Modules that set the authentication level when they are called.
      (2) Modules that set the authentication level when the module succeeds in authentication.
      (3) Modules that do not seem to set the authentication level.

      Examples of (1) are DataStorage and Adaptive Risk.
      An example of (2) is Anonymous.
      An example of (3) is Device Print.

      Because of OPENAM-5152, LoginState miscalculates the authlevel. That is, if you have an auth chain like the one below:

      DataStore: Requisite (authlevel=2)
      Adaptive Auth : Sufficient (authlevel=6)
      DevicePrint : Sufficient (authlevel=4)

      Adaptive Auth will call setAuthLevel() during init(), so LoginState will hold moduleAuthLevel=6 even when it fails. Then, if the list of successful modules was

      {DataStore, DevicePrint}

      , it will only hold authlevel=2 because of OPENAM-5152, and authLevel will be smaller than moduleAuthLevel, so the auth process will miscalculate the auth level.

      Each auth module should have a consistent way of calling setAuthLevel() so as to prevent miscalculation of the auth level.
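
A simplified model of the chain described above, added here as an example; it is not OpenAM code and not part of the original report. The `Module` record, the `SetsLevel` enum and the rule that the login state keeps the highest level passed to setAuthLevel() are assumptions made for illustration (Java 17 or later).

```java
import java.util.List;

// Hypothetical model of the chain in this issue; none of these types exist in OpenAM.
public class AuthLevelModel {

    // The three module behaviours listed in the description: (1), (2), (3).
    enum SetsLevel { ON_CALL, ON_SUCCESS, NEVER }

    record Module(String name, int level, SetsLevel when, boolean succeeds) {}

    // Assumption: the login state keeps the highest level any module
    // passed to setAuthLevel(), whether or not that module later succeeded.
    static int moduleAuthLevel(List<Module> chain) {
        int held = 0;
        for (Module m : chain) {
            boolean callsSetAuthLevel = switch (m.when()) {
                case ON_CALL -> true;             // set in init(), outcome unknown
                case ON_SUCCESS -> m.succeeds();  // set only after a successful login
                case NEVER -> false;
            };
            if (callsSetAuthLevel) {
                held = Math.max(held, m.level());
            }
        }
        return held;
    }

    // The chain from the issue: DataStore and DevicePrint succeed, Adaptive Auth fails.
    static List<Module> chain(SetsLevel dataStore, SetsLevel adaptive, SetsLevel devicePrint) {
        return List.of(
            new Module("DataStore", 2, dataStore, true),
            new Module("Adaptive Auth", 6, adaptive, false),
            new Module("DevicePrint", 4, devicePrint, true));
    }

    public static void main(String[] args) {
        // Behaviour as reported: types (1), (1) and (3).
        int reported = moduleAuthLevel(
            chain(SetsLevel.ON_CALL, SetsLevel.ON_CALL, SetsLevel.NEVER));
        // Behaviour asked for in the title: every module sets its level after success.
        int consistent = moduleAuthLevel(
            chain(SetsLevel.ON_SUCCESS, SetsLevel.ON_SUCCESS, SetsLevel.ON_SUCCESS));

        System.out.println("as reported:        moduleAuthLevel=" + reported);
        System.out.println("set-on-success only: moduleAuthLevel=" + consistent);
    }
}
```

In the reported configuration the failed Adaptive Auth module's level is the one retained, while the set-on-success variant can only retain a level belonging to a module that actually authenticated the user.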

              People

              sachiko Sachiko Wallace