[uportal-dev] RemoteUserSecurityContext patch merged into /trunk towards 2.6

[Andrew Petro]

This patch  is applied in /trunk. Folks, Faizan will be working up a SECURITY release for the 2.5 branch this week and Andrew is taking care of the 2.6 branch. Bill William G. Thompson, Jr. wrote: This is a public notification of an identified uPortal security vulnerability and workaround. All uPortal adopters are encouraged to review the following notice immediately and take appropriate action as necessary. --- *Title:* RemoteUserSecurityContext exploit *Summary:* RemoteUserSecurityContext may allow an authenticated user to authenticate as another user knowing only that user's account name. A patch for this vulnerability is attached to this message. *Issue:* The vulnerability is exposed when the RemoteUserSecurityContextFactory is used in conjunction with another security context factory under the UnionSecurityContextFactory. The result of this configuration is any user that can access uPortal with REMOTE_USER set can become any other portal user. If authentication is attempted with the other security context the provided user id will be set on the principal, when the RemoteUserSecurityContext executes it attempts to set the user id of the principal to the REMOTE_USER and returns that the principal is authenticated. Since the principal already has a user id set the setting by RemoteUserSecurityContext fails silently, resulting in an authenticated principal with the user id provided by the attacker, not the value specified in the REMOTE_USER field. An example vulnerable configuration from security.properties: root=org.jasig.portal.security.provider.UnionSecurityContextFactory root.a=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory root.b=org.jasig.portal.security.provider.SimpleSecurityContextFactory *Versions Affected:* All (2.0, 2.1, 2.2, 2.3, 2.4, 2.5) *Resolution:* The resolution involves adding a check to RemoteUserSecurityContext to verify the setting of the REMOTE_USER user id was successful for the principal. If it was not the RemoteUserSecurityContext will not mark the principal as authenticated. *Patching:* The attached patch should be applied to the file /uPortal/source/org/jasig/portal/security/provider/RemoteUserSecurityContext.java After application of the patch compile and deploy the file to the application server. --- -- Join your friends and colleagues at JA-SIG with Altitude: June 24-27, 2007 in Denver, CO USA. Featuring keynotes by: Phil Windley, Matt Raible, Matt Asay Sessions on topics including: CAS, uPortal, Portlets, Sakai, Identity Management, and Open Source For more information & registration visit: http://www.ja-sig.org/conferences/07summer/index.html --- You are currently subscribed to uportal-dev@lists.ja-sig.org as: [EMAIL PROTECTED]. To unsubscribe send a blank email to [EMAIL PROTECTED] -- Join your friends and colleagues at JA-SIG with Altitude: June 24-27, 2007 in Denver, CO USA. Featuring keynotes by: Phil Windley, Matt Raible, Matt Asay Sessions on topics including: CAS, uPortal, Portlets, Sakai, Identity Management, and Open Source For more information & registration visit: http://www.ja-sig.org/conferences/07summer/index.html --- You are currently subscribed to uportal-dev@lists.ja-sig.org as: [EMAIL PROTECTED]. To unsubscribe send a blank email to [EMAIL PROTECTED] -- Join your friends and colleagues at JA-SIG with Altitude: June 24-27, 2007 in Denver, CO USA. Featuring keynotes by: Phil Windley, Matt Raible, Matt Asay Sessions on topics including: CAS, uPortal, Portlets, Sakai, Identity Management, and Open Source For more information & registration visit: http://www.ja-sig.org/conferences/07summer/index.html --- You are currently subscribed to uportal-dev@lists.ja-sig.org as: [EMAIL PROTECTED] To unsubscribe send a blank email to [EMAIL PROTECTED]