Hi Vladimir, OK, I've reviewed and applied both PRs, and just released 1.13.5 that includes both (should sync to maven central repo in an hour or so).
Thanks again
Dan

On Fri, 2 Dec 2016 at 17:36 Dan Haywood <[email protected]> wrote:

> Thanks for doing that, Vladimir. I'll take a look at both those PRs,
> hopefully over the weekend.
>
> Cheers
> Dan
>
> On Fri, 2 Dec 2016 at 13:31 Vladimir Nišević <[email protected]> wrote:
>
> Hi Dan, here the adapted file
>
> https://github.com/niv0/isis-module-security/blob/5cd324a655347ff7a148326d46a5ec612bd0f22c/dom/src/main/java/org/isisaddons/module/security/shiro/IsisModuleSecurityRealm.java
>
> I've made also a PR, but somehow it was mixed up with some previous PR
> which is still pending on github.
>
> The behavior is configurable thru next property in shiro.ini
>
> isisModuleSecurityRealm.autoCreateUser=true
>
> BR,Vladimir
>
> 2016-12-01 16:43 GMT+01:00 Vladimir Nišević <[email protected]>:
>
> > Hi, understand, ok, will give a try!
> >
> > Regs,Vladimir
> >
> > 2016-12-01 16:37 GMT+01:00 Dan Haywood <[email protected]>:
> >
> >> Yes, not a bug but a feature :-) However, if you want to create a PR to
> >> make the behaviour configurable, will be very happy to review.
> >>
> >> Cheers
> >> Dan
> >>
> >> On Thu, 1 Dec 2016 at 15:32 Vladimir Nišević <[email protected]> wrote:
> >>
> >> > Hi, I am using security module in combination with our Active Directory:
> >> >
> >> > 1. Roles and delegate users (without passwords) are created in Isis
> >> > security module
> >> > 2. Authentication is done thru company Active Directory
> >> >
> >> > I think, I've found an issue in this setup: As part of login procedure, if
> >> > the user doesn't exist in Isis security, it will be automatically created
> >> > as new delegate user (with Status=Disabled). This leads to potentially many
> >> > users in security module, every time when somebody e.g. mistypes the
> >> > username.
> >> >
> >> > Here my shiro.ini
> >> >
> >> > [main]
> >> > isisModuleSecurityRealm = org.isisaddons.module.security.shiro.IsisModuleSecurityRealm
> >> > authenticationStrategy = org.isisaddons.module.security.shiro.AuthenticationStrategyForIsisModuleSecurityRealm
> >> > securityManager.authenticator.authenticationStrategy = $authenticationStrategy
> >> > securityManager.realms = $isisModuleSecurityRealm
> >> > isisModuleSecurityRealm.delegateAuthenticationRealm=$activeDirectoryRealm
> >> > activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
> >> > activeDirectoryRealm.searchBase =********
> >> > activeDirectoryRealm.url = *****
> >> >
> >> > I think the bug is in the class
> >> >
> >> > org.isisaddons.module.security.shiro.IsisModuleSecurityRealm
> >> >
> >> > line 48:
> >> > PrincipalForApplicationUser principal = this.lookupPrincipal(username, this.hasDelegateAuthenticationRealm());
> >> >
> >> > it should be:
> >> > PrincipalForApplicationUser principal = this.lookupPrincipal(username, false);
> >> >
> >> > Or was it on purpose to auto create new delegate user on every login
> >> > attempt?
> >> >
> >> > Regards
> >> > Vladimir
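
The behaviour discussed in this thread, as an added example that is not part of the original messages and not the module's own code: a simplified Java model, with hypothetical class and method names, of a realm whose user lookup stores a disabled record for every unknown name. It assumes the lookup runs on every login attempt, as the thread describes, and replays constructed mistyped usernames with the `autoCreateUser` switch on and off.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified model (hypothetical names) of a realm that keeps local user
// records and delegates password checks to an external directory.
public class AutoCreateUserDemo {

    enum Status { ENABLED, DISABLED }

    // Stand-in for the local user store: username -> account status.
    static final class UserStore {
        final Map<String, Status> users = new LinkedHashMap<>();

        // Models the lookupPrincipal(username, autoCreate) call quoted in the thread:
        // with autoCreate set, an unknown name is persisted as a disabled delegate user.
        Status lookup(String username, boolean autoCreate) {
            Status status = users.get(username);
            if (status == null && autoCreate) {
                status = Status.DISABLED;
                users.put(username, status);
            }
            return status;
        }
    }

    // Accepts only known, enabled users. The delegated password check is left out:
    // the point is what the lookup writes to the store, whatever the login outcome.
    static boolean login(UserStore store, String username, boolean autoCreateUser) {
        return store.lookup(username, autoCreateUser) == Status.ENABLED;
    }

    // Replays the same constructed attempts and returns how many records exist afterwards.
    static int replay(boolean autoCreateUser) {
        UserStore store = new UserStore();
        store.users.put("vladimir", Status.ENABLED); // pre-provisioned delegate user
        String[] attempts = {"vladimir", "vladmir", "vladimi", "valdimir"}; // constructed typos
        for (String name : attempts) {
            login(store, name, autoCreateUser);
        }
        return store.users.size();
    }

    public static void main(String[] args) {
        System.out.println("autoCreateUser=true  -> " + replay(true) + " user records");
        System.out.println("autoCreateUser=false -> " + replay(false) + " user records");
    }
}
```

Because the store grows with every distinct unknown username, a count of disabled delegate users that were never enabled is a useful signal of mistyped or guessed logins when the switch is left on.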
