Yes, not a bug but a feature :-) However, if you want to create a PR to make the behaviour configurable, will be very happy to review.
Cheers
Dan

On Thu, 1 Dec 2016 at 15:32 Vladimir Nišević <[email protected]> wrote:

> Hi, I am using security module in combination with our Active Directory:
>
> 1. Roles and delegate users (without passwords) are created in Isis security module
> 2. Authentication is done thru company Active Directory
>
> I think I've found an issue in this setup: As part of login procedure, if
> the user doesn't exist in Isis security, it will be automatically created
> as new delegate user (with Status=Disabled). This leads to potentially many
> users in security module, every time when somebody e.g. mistypes the
> username.
>
> Here is my shiro.ini:
>
> *[main]*
> *isisModuleSecurityRealm = org.isisaddons.module.security.shiro.IsisModuleSecurityRealm*
> *authenticationStrategy = org.isisaddons.module.security.shiro.AuthenticationStrategyForIsisModuleSecurityRealm*
> *securityManager.authenticator.authenticationStrategy = $authenticationStrategy*
> *securityManager.realms = $isisModuleSecurityRealm*
> *isisModuleSecurityRealm.delegateAuthenticationRealm=$activeDirectoryRealm*
> *activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm*
> *activeDirectoryRealm.searchBase =*********
> *activeDirectoryRealm.url = ******
>
> I think the bug is in the class
>
> org.isisaddons.module.security.shiro.IsisModuleSecurityRealm
>
> line 48:
> * PrincipalForApplicationUser principal = this.lookupPrincipal(username, this.hasDelegateAuthenticationRealm());*
>
> it should be:
> * PrincipalForApplicationUser principal = this.lookupPrincipal(username, false);*
>
> Or was it on purpose to auto create new delegate user on every login
> attempt?
>
> Regards
> Vladimir
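
A minimal Java model of the behaviour discussed in this thread, added as an illustration and not taken from the isisaddons security module: it counts the local user records left behind by mistyped usernames when auto-creation is on and when it is off. The class names, the `autoCreateUser` switch, the usernames and the rule that a disabled local account cannot log in are all assumptions of this sketch.

```java
import java.util.*;

// Simplified model, NOT the isisaddons security module's code. All names are hypothetical.
public class DelegateUserAutoCreateDemo {
    enum Status { ENABLED, DISABLED }

    /** Stands in for the delegate realm (Active Directory in the thread). */
    interface DelegateRealm { boolean authenticate(String username, String password); }

    static class Realm {
        final Map<String, Status> users = new HashMap<>();   // local application users
        final DelegateRealm delegate;
        final boolean autoCreateUser;                         // hypothetical configuration switch

        Realm(DelegateRealm delegate, boolean autoCreateUser) {
            this.delegate = delegate;
            this.autoCreateUser = autoCreateUser;
        }

        boolean login(String username, String password) {
            Status status = users.get(username);
            if (status == null) {
                if (!autoCreateUser) return false;            // unknown locally: reject, create nothing
                status = Status.DISABLED;                     // auto-created record, as reported in the thread
                users.put(username, status);
            }
            // Assumption of this model: a disabled local account cannot log in,
            // even when the directory would accept the password.
            return status == Status.ENABLED && delegate.authenticate(username, password);
        }
    }

    public static void main(String[] args) {
        // Constructed directory with a single valid account.
        DelegateRealm directory = (u, p) -> u.equals("alice") && p.equals("correct-password");
        // Constructed attempts: three typos followed by one valid login.
        List<String> attempts = List.of("alcie", "alice1", "aliec", "alice");

        for (boolean autoCreate : new boolean[] { true, false }) {
            Realm realm = new Realm(directory, autoCreate);
            realm.users.put("alice", Status.ENABLED);         // delegate user set up by an administrator
            int ok = 0;
            for (String name : attempts) if (realm.login(name, "correct-password")) ok++;
            System.out.printf("autoCreateUser=%b logins=%d localUsers=%d%n",
                    autoCreate, ok, realm.users.size());
        }
    }
}
```

With the switch on, each distinct typo leaves a disabled record that an administrator has to review or prune; with it off, only accounts created deliberately exist, at the cost of provisioning every directory user by hand.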
