This is an automated email from the ASF dual-hosted git repository. duncangrant pushed a commit to branch fix-noldapgroups in repository https://gitbox.apache.org/repos/asf/brooklyn-server.git
commit 10bff6072cd80b3876153ce79854fbfd47446cb9
Author: Duncan Grant <[email protected]>
AuthorDate: Wed Jul 21 16:10:56 2021 +0100
Fix partial login
If ldap user is a member of no groups then they will fail to login but will have a user associated with the session that cannot easily be logged out or login as another user. Fixed by not allowing authentication of a user in no groups.
---
 .../brooklyn/rest/security/provider/LdapSecurityProvider.java | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
index 49cc4e4..4360623 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
@@ -109,8 +109,12 @@ public class LdapSecurityProvider extends AbstractSecurityProvider implements Se
 DirContext ctx = new InitialDirContext(env);// will throw if password is invalid
 if (fetchUserGroups) {
- // adds user groups ot eh session
- sessionSupplierOnSuccess.get().setAttribute(USER_GROUPS, getUserGroups(user, ctx));
+ List<String> userGroups = getUserGroups(user, ctx);
+ if (userGroups.isEmpty()) {
+ return false;
+ }
+ // adds user groups to the session
+ sessionSupplierOnSuccess.get().setAttribute(USER_GROUPS, userGroups);
 }
 return allow(sessionSupplierOnSuccess.get(), user);
 } catch (NamingException e) {
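Review bot: The new early `return false` inside `if (fetchUserGroups)` refuses a user whose LDAP bind has just succeeded without recording why, so in the logs a valid-password login denied for having no groups looks the same as a wrong password. I would log the reason just before the return, for example `log.debug("LDAP user {} authenticated but has no groups; denying login", user);`, using whichever logger the class already declares (none is visible in this hunk) and never the password. `userGroups.isEmpty()` also assumes `getUserGroups` never returns null; if that is not guaranteed outside the hunk, `if (userGroups == null || userGroups.isEmpty())` keeps the denial from turning into a NullPointerException that the `catch (NamingException e)` below would not handle. `ctx` is not closed in any visible line, and the added return is one more exit that leaves the directory connection open unless a `finally` outside the hunk closes it. The enclosing method starts and ends outside the hunk, so the last two points need checking against the full body.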
