- Type: Technical Task
- Status: Closed
- Resolution: Completed
- Affects Version/s: None
- Fix Version/s: 7.0.0 M6
- Component/s: Security Vulnerability
- Labels: None
- Git Pull Request:
AutoLogin implementations don't have any configuration that would disable them. For example, RequestHeaderAutoLogin doesn't check any password and authenticates anybody based solely on the LIFERAY_SCREEN_NAME HTTP request header.

Options to fix:
1. @Component(enabled=false) << cannot be used because we have one class implementing both AutoLogin and AuthVerifier
2. @Component(configurationPolicy = ConfigurationPolicy.REQUIRE) ... requires creating a @Meta class for each AutoLogin to enable it
3. introduce an "isEnabled()" method that would work similarly to #2
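The following is an added example, not Liferay's own code, showing how option 2 gates a header-based AutoLogin: with `ConfigurationPolicy.REQUIRE` the component is never activated until a configuration with its PID exists, so a default installation exposes no header-based login at all. The class name, the configuration PID, and the `enabled` and `headerName` property keys are assumptions chosen for this illustration; the `AutoLogin`, `UserLocalService`, `PortalUtil` and `GetterUtil` types are the portal kernel APIs.

```java
// Added example (not Liferay's own code): option 2 from the issue applied to
// a header-based AutoLogin. Class name, configuration PID and the "enabled" /
// "headerName" property keys are assumptions made for this illustration.
package com.example.autologin;

import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;

import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.security.auto.login.AutoLogin;
import com.liferay.portal.kernel.service.UserLocalService;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.PortalUtil;
import com.liferay.portal.kernel.util.Validator;

@Component(
	configurationPid = "com.example.autologin.ExampleHeaderAutoLogin",
	configurationPolicy = ConfigurationPolicy.REQUIRE,
	immediate = true,
	service = AutoLogin.class
)
public class ExampleHeaderAutoLogin implements AutoLogin {

	@Activate
	@Modified
	protected void activate(Map<String, Object> properties) {
		// REQUIRE already keeps this component inactive until a configuration
		// with the PID above exists. The explicit "enabled" key (assumed name)
		// additionally lets an administrator switch the login off again
		// without deleting the configuration; it defaults to false.
		_enabled = GetterUtil.getBoolean(properties.get("enabled"));
		_headerName = GetterUtil.getString(
			properties.get("headerName"), "LIFERAY_SCREEN_NAME");
	}

	@Override
	public String[] login(
		HttpServletRequest request, HttpServletResponse response) {

		// Fail closed: no configuration, or enabled=false, means no login.
		if (!_enabled) {
			return null;
		}

		// The header is only trustworthy when a reverse proxy in front of the
		// portal sets it and strips any client-supplied copy; that is exactly
		// why the feature must be opt-in rather than always active.
		String screenName = request.getHeader(_headerName);

		if (Validator.isNull(screenName)) {
			return null;
		}

		long companyId = PortalUtil.getCompanyId(request);

		User user = _userLocalService.fetchUserByScreenName(
			companyId, screenName);

		if (user == null) {
			return null;
		}

		// The credential triple the portal's auto-login contract expects:
		// user id, password, and whether the password is already encrypted.
		return new String[] {
			String.valueOf(user.getUserId()), user.getPassword(),
			Boolean.TRUE.toString()
		};
	}

	@Reference
	private UserLocalService _userLocalService;

	private volatile boolean _enabled;
	private volatile String _headerName;
}
```

Because the policy is REQUIRE, an operator enables the login by creating a configuration for the PID (for example through the OSGi configuration admin) rather than by deploying the bundle; the `enabled` flag then provides a second, reversible switch. The same `if (!_enabled) return null;` guard at the top of `login` is what option 3's `isEnabled()` would express as an interface method the auto-login chain checks before invoking the implementation.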