Hello, a power user warned me about a behavior he sees in a CASsified web application when it retrieves the user login.
Our CAS server does LDAP authentication through the BindLdapAuthenticationHandler. If the user types his login in the login form with an asterisk at the end, the authentication succeeds and the CASsified application retrieves this malformed user login. What I understand is that the CAS service user queries the LDAP server with the (uid=vincent.hurtevent*) filter, getting the user DN, but rather than using the uid it could get from the query, it reuses the login entered by the user as the principal username and sends it to the web app.

Is this a misconfiguration issue or a code problem? We use version 3.5.2.

If I want to force the CAS server to use the user uid it could get from LDAP queries, do I have to complete the resultAttributeMapping property in the attributeRepository bean with <entry key="username" value="uid" />?

Is there a way, by configuration, to prevent LDAP injection or LDAP/MySQL injection in the client web application?

Vincent Hurtevent
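The behaviour described in the message above, modelled as an added Python example (not CAS code and not from the CAS project): a constructed three-entry in-memory directory stands in for the LDAP server, a minimal matcher evaluates a single (uid=...) equality filter with LDAP's * wildcard, and two principal resolvers are compared. The naive one builds the filter from the raw login and echoes that login as the principal, which is the reported behaviour; the hardened one escapes the assertion value per RFC 4515 and returns the uid attribute of the entry actually found. It also goes one step beyond the reported case by showing what a bare * login matches. The bind step and the CAS bean names are not modelled; the directory entries, passwords-free data and all function names are invented for the example.

```python
import re

# Constructed in-memory directory standing in for the LDAP server (sample data).
DIRECTORY = [
    {"dn": "uid=vincent.hurtevent,ou=people,dc=example,dc=org", "uid": "vincent.hurtevent"},
    {"dn": "uid=alice,ou=people,dc=example,dc=org", "uid": "alice"},
    {"dn": "uid=bob,ou=people,dc=example,dc=org", "uid": "bob"},
]

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value so it is matched literally (no wildcard, no nesting)."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def unescaped_filter(login):
    """Filter built from the raw login: a trailing '*' becomes an LDAP wildcard."""
    return "(uid=%s)" % login


def escaped_filter(login):
    """Filter built from the escaped login: '*' is sent as \\2a and matched literally."""
    return "(uid=%s)" % escape_filter_value(login)


def _assertion_to_regex(assertion):
    # Split on the wildcard first, then decode \XX escapes inside each literal piece,
    # so an escaped \2a decodes to a literal '*' and is never treated as a wildcard.
    pieces = assertion.split("*")
    decoded = [re.sub(r"\\([0-9a-fA-F]{2})",
                      lambda m: chr(int(m.group(1), 16)), p) for p in pieces]
    return "^" + ".*".join(re.escape(p) for p in decoded) + "$"


def search(filter_str):
    """Evaluate a single (uid=...) equality filter against DIRECTORY.

    Only this one filter shape is modelled (hypothetical matcher); uid is compared
    case-insensitively, as a caseIgnoreMatch attribute would be in a real directory.
    """
    m = re.fullmatch(r"\(uid=(.*)\)", filter_str)
    if not m:
        raise ValueError("only a single (uid=...) filter is modelled")
    pattern = re.compile(_assertion_to_regex(m.group(1)), re.IGNORECASE)
    return [e for e in DIRECTORY if pattern.match(e["uid"])]


def resolve_principal_naive(login):
    """Reported behaviour: raw login in the filter, typed login echoed as principal."""
    entries = search(unescaped_filter(login))
    if len(entries) != 1:        # zero or ambiguous matches: no single DN to bind as
        return None
    return login                 # asterisk and all


def resolve_principal_safe(login):
    """Hardened: escaped login in the filter, principal taken from the entry found."""
    entries = search(escaped_filter(login))
    if len(entries) != 1:
        return None
    return entries[0]["uid"]     # canonical uid from the directory, not user input


if __name__ == "__main__":
    for login in ("vincent.hurtevent", "vincent.hurtevent*", "Vincent.Hurtevent", "*"):
        print("%-22r naive=%r safe=%r raw_matches=%d" % (
            login, resolve_principal_naive(login), resolve_principal_safe(login),
            len(search(unescaped_filter(login)))))
```

Run stand-alone, it prints for each login what each resolver returns and how many entries the raw filter matched. With the raw filter, "vincent.hurtevent*" matches exactly one entry, so the naive resolver hands the asterisk-suffixed string downstream; with the escaped filter the same string matches nothing. The hardened resolver also returns the directory's own spelling for "Vincent.Hurtevent", which is what taking the principal from the uid attribute rather than the form field buys you. A bare "*" matches all three entries under the raw filter, so it is rejected as ambiguous rather than authenticated.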
