Details

    • Technical Task
    • Status: Closed
    • Resolution: Completed
    • None
    • 7.0.0 M6
    • Security Vulnerability
    • None

    Description

      AutoLogin implementations don't have any configuration that would disable them.

      For example, RequestHeaderAutoLogin doesn't check any password and authenticates anybody based on the LIFERAY_SCREEN_NAME HTTP request header.

      Options to fix:
      1. @Component(enabled=false) << cannot be used because we have one class implementing both AutoLogin and AuthVerifier
      2. @Component(configurationPolicy = ConfigurationPolicy.REQUIRE) ... requires creating a @Meta class for each autologin to enable it
      3. introduce an "isEnabled()" function that would work similarly to #2
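
      Option 3 sketched as an added example; this is not code from the ticket or from Liferay. The HeaderAutoLogin interface, the Map-based request and configuration, and the configuration key are hypothetical stand-ins; only the LIFERAY_SCREEN_NAME header name comes from the description above.

```java
import java.util.Map;
import java.util.Optional;

// Hypothetical stand-in for the portal's AutoLogin contract (not Liferay's real interface).
interface HeaderAutoLogin {
    boolean isEnabled();
    Optional<String> login(Map<String, String> requestHeaders);
}

// Header-based auto-login that stays inert unless an administrator explicitly enables it.
final class GatedRequestHeaderAutoLogin implements HeaderAutoLogin {
    static final String HEADER = "LIFERAY_SCREEN_NAME";                    // header named in the ticket
    static final String ENABLED_KEY = "request.header.auto.login.enabled"; // hypothetical key

    private final boolean enabled;

    // A missing or malformed value parses to false, so the default is "disabled".
    GatedRequestHeaderAutoLogin(Map<String, String> config) {
        this.enabled = Boolean.parseBoolean(config.getOrDefault(ENABLED_KEY, "false"));
    }

    @Override
    public boolean isEnabled() {
        return enabled;
    }

    @Override
    public Optional<String> login(Map<String, String> requestHeaders) {
        if (!isEnabled()) {
            return Optional.empty(); // disabled: the header is never consulted
        }
        // Enabled: the header is trusted with no password check, as the ticket describes.
        String screenName = requestHeaders.get(HEADER);
        if (screenName == null || screenName.isBlank()) {
            return Optional.empty();
        }
        return Optional.of(screenName.trim());
    }
}

public class AutoLoginGateDemo {
    public static void main(String[] args) {
        // Constructed sample request carrying the header.
        Map<String, String> request = Map.of(GatedRequestHeaderAutoLogin.HEADER, "test");

        HeaderAutoLogin byDefault = new GatedRequestHeaderAutoLogin(Map.of());
        HeaderAutoLogin optedIn = new GatedRequestHeaderAutoLogin(
            Map.of(GatedRequestHeaderAutoLogin.ENABLED_KEY, "true"));

        System.out.println("default:  " + byDefault.login(request)); // Optional.empty
        System.out.println("opted in: " + optedIn.login(request));   // Optional[test]
    }
}
```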

          People

            brian.chan Brian Chan
            tomas.polesovsky Tomáš Polešovský
            Kiyoshi Lee Kiyoshi Lee

            Dates

              Created:
              Updated:
              Resolved:
              7 years, 43 weeks, 3 days ago

              Packages

                Version Package
                7.0.0 M6