Security Module Vulnerability: Non-existing User gets created in DB even though not authenticated via LDAP

[andi-huber]

When using the Security Module with delegated authentication to LDAP, any login attempt of an user yet not existent within the DB, authenticated or not will create an (disabled) user-account in the DB.

While not a security risk, this allows attackers to 'fill' the database with arbitrary garbage.

Desired behavior for this scenario is to auto-create user accounts in the DB only if these do successfully authenticate with the delegated authentication mechanism.

I've fixed this in the Apache Isis 'v2' branch. See [1]

[1] https://issues.apache.org/jira/browse/ISIS-2157

[andi-huber]

Fix applies only to a single class: IsisModuleSecurityRealm

https://github.com/apache/isis/blob/v2/extensions/secman/realm-shiro/src/main/java/org/apache/isis/extensions/secman/shiro/IsisModuleSecurityRealm.java

This version in the 'v2' has slightly progressed and deviated from the Incode version.

[danhaywood]

This was kind-of by design, but in Estatio we ended up disabling it too, I think. Happy with the fix, thanks.

…

On Fri, 2 Aug 2019 at 10:08, Andi Huber ***@***.***> wrote: Fix only applies to a single class: IsisModuleSecurityRealm — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#113?email_source=notifications&email_token=AAH33SLGUP62E6HIPSC6HX3QCP2R7A5CNFSM4II32QU2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD3NFJFQ#issuecomment-517624982>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAH33SPNVV6FSHIK3XC3J4TQCP2R7ANCNFSM4II32QUQ> .

[johandoornenbal]

We did indeed. Grtz Johan Op vr 2 aug. 2019 om 11:30 schreef Dan Haywood <notifications@github.com>:

…

This was kind-of by design, but in Estatio we ended up disabling it too, I think. Happy with the fix, thanks. On Fri, 2 Aug 2019 at 10:08, Andi Huber ***@***.***> wrote: > Fix only applies to a single class: IsisModuleSecurityRealm > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > < #113?email_source=notifications&email_token=AAH33SLGUP62E6HIPSC6HX3QCP2R7A5CNFSM4II32QU2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD3NFJFQ#issuecomment-517624982 >, > or mute the thread > < https://github.com/notifications/unsubscribe-auth/AAH33SPNVV6FSHIK3XC3J4TQCP2R7ANCNFSM4II32QUQ > > . > — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#113?email_source=notifications&email_token=AB6NCFL4QWCCHS2MJCJZZT3QCP5DHA5CNFSM4II32QU2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD3NHEDY#issuecomment-517632527>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AB6NCFMGVCE43MIV5QZFST3QCP5DHANCNFSM4II32QUQ> .

[andi-huber]

(basically, the fix is to do a delegated authentication attempt before auto-creating any user accounts)