Hi, understand, ok, will give a try!

Regs, Vladimir


2016-12-01 16:37 GMT+01:00 Dan Haywood <d...@haywood-associates.co.uk>:

> Yes, not a bug but a feature :-)  However, if you want to create a PR to
> make the behaviour configurable, will be very happy to review.
>
> Cheers
> Dan
>
> On Thu, 1 Dec 2016 at 15:32 Vladimir Nišević <vnise...@gmail.com> wrote:
>
> > Hi, I am using the security module in combination with our Active Directory:
> >
> >    1. Roles and delegate users (without passwords) are created in Isis
> >    security module
> >    2. Authentication is done thru company Active Directory
> >
> >
> > I think, I've found an issue in this setup: As part of login procedure, if
> > the user doesn't exist in Isis security, it will be automatically created
> > as new delegate user (with Status=Disabled). This leads to potentially many
> > users in security module, every time when somebody e.g. mistypes the
> > username.
> >
> >
> > Here is my shiro.ini:
> >
> > *[main]*
> > *isisModuleSecurityRealm = org.isisaddons.module.security.shiro.IsisModuleSecurityRealm*
> > *authenticationStrategy = org.isisaddons.module.security.shiro.AuthenticationStrategyForIsisModuleSecurityRealm*
> > *securityManager.authenticator.authenticationStrategy = $authenticationStrategy*
> > *securityManager.realms = $isisModuleSecurityRealm*
> > *isisModuleSecurityRealm.delegateAuthenticationRealm=$activeDirectoryRealm*
> > *activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm*
> > *activeDirectoryRealm.searchBase =*********
> > *activeDirectoryRealm.url = ******
> >
> > I think the bug is in the class
> >
> > org.isisaddons.module.security.shiro.IsisModuleSecurityRealm
> >
> > line 48:
> > *PrincipalForApplicationUser principal = this.lookupPrincipal(username, this.hasDelegateAuthenticationRealm());*
> >
> > it should be:
> > *PrincipalForApplicationUser principal = this.lookupPrincipal(username, false);*
> >
> > Or was it on purpose to auto create new delegate user on every login
> > attempt?
> >
> >
> > Regards
> > Vladimir
> >
>
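
A simplified Java model of the behaviour discussed in this thread, added here as an example; it is not code from the Isis security module or from either poster. The `AutoCreate` setting, the class name and the in-memory maps are hypothetical stand-ins, and the usernames and password are constructed sample data.

```java
import java.util.*;

// Simplified model, NOT the security module's code. All names here are
// hypothetical; only the "auto-create a disabled delegate user" behaviour
// comes from the thread.
public class DelegateUserAutoCreateDemo {
    enum Status { ENABLED, DISABLED }
    enum AutoCreate { ON_LOOKUP, AFTER_DELEGATE_AUTH, NEVER } // hypothetical setting

    final Map<String, Status> users = new TreeMap<>(); // stand-in for the user repository
    final Map<String, String> directory;               // stand-in for the delegate realm (AD)
    final AutoCreate policy;

    DelegateUserAutoCreateDemo(Map<String, String> directory, AutoCreate policy) {
        this.directory = directory;
        this.policy = policy;
    }

    // Returns true only if the login is allowed.
    boolean login(String username, String password) {
        if (!users.containsKey(username) && policy == AutoCreate.ON_LOOKUP) {
            // Behaviour reported in the thread: a record per unknown username.
            users.put(username, Status.DISABLED);
        }
        boolean delegateOk = password.equals(directory.get(username));
        if (!users.containsKey(username) && delegateOk
                && policy == AutoCreate.AFTER_DELEGATE_AUTH) {
            // Alternative: record only accounts the directory has verified.
            users.put(username, Status.DISABLED);
        }
        // A disabled (or missing) local user never gets in, whatever AD says.
        return delegateOk && users.get(username) == Status.ENABLED;
    }

    public static void main(String[] args) {
        Map<String, String> ad = Map.of("vladimir", "s3cret"); // constructed sample data
        String[][] attempts = {
            {"vladimir", "s3cret"}, {"vladimr", "s3cret"}, {"vldimir", "x"}
        };
        for (AutoCreate policy : AutoCreate.values()) {
            DelegateUserAutoCreateDemo realm = new DelegateUserAutoCreateDemo(ad, policy);
            for (String[] a : attempts) realm.login(a[0], a[1]);
            System.out.println(policy + " -> " + realm.users);
        }
    }
}
```

Running it prints the user table left behind by the same three login attempts under each policy, which makes the growth from mistyped usernames visible next to the two configurable alternatives.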
