New user should be optionally auto created when using delegateAuthenticationRealm #49

Closed
niv0 opened this Issue Dec 2, 2016 · 0 comments

niv0 commented Dec 2, 2016

Yes, not a bug but a feature :-) However, if you want to create a PR to
make the behaviour configurable, will be very happy to review.

Cheers
Dan

On Thu, 1 Dec 2016 at 15:32 Vladimir Nišević vnisevic@gmail.com wrote:

Hi, I am using the security module in combination with our Active Directory:

  1. Roles and delegate users (without passwords) are created in the Isis
    security module
  2. Authentication is done through the company Active Directory

I think I've found an issue in this setup: as part of the login procedure, if
the user doesn't exist in Isis security, it will be automatically created
as a new delegate user (with Status=Disabled). This leads to potentially many
users in the security module, every time somebody e.g. mistypes the
username.

Here is my shiro.ini:

[main]
isisModuleSecurityRealm = org.isisaddons.module.security.shiro.IsisModuleSecurityRealm

authenticationStrategy = org.isisaddons.module.security.shiro.AuthenticationStrategyForIsisModuleSecurityRealm
securityManager.authenticator.authenticationStrategy = $authenticationStrategy

securityManager.realms = $isisModuleSecurityRealm
isisModuleSecurityRealm.delegateAuthenticationRealm = $activeDirectoryRealm
activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm

activeDirectoryRealm.searchBase = ********
activeDirectoryRealm.url = ******

I think the bug is in the class
org.isisaddons.module.security.shiro.IsisModuleSecurityRealm, line 48:

  • PrincipalForApplicationUser principal = this.lookupPrincipal(username, this.hasDelegateAuthenticationRealm());

it should be:

  • PrincipalForApplicationUser principal = this.lookupPrincipal(username, false);

Or was it on purpose to auto create new delegate user on every login
attempt?

Regards
Vladimir

niv0 pushed a commit to niv0/isis-module-security that referenced this issue Dec 2, 2016

@danhaywood danhaywood closed this in 0d6b591 Dec 5, 2016
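
A stand-alone Java model of the behaviour discussed in this issue, added here as an illustration and not taken from the module's source. The `lookup` method, the `autoCreate` flag, the in-memory user map and the sample directory are all hypothetical, and the model assumes the user record is written before the delegate realm checks the password.

```java
import java.util.*;
import java.util.function.BiPredicate;

// Added illustration: models the login path only, not the module's real classes.
public class DelegateLoginDemo {
    enum Status { ENABLED, DISABLED }

    // Hypothetical stand-in for the security module's user store.
    static final Map<String, Status> users = new HashMap<>();

    // Hypothetical equivalent of lookupPrincipal(username, autoCreate).
    static Optional<Status> lookup(String username, boolean autoCreate) {
        if (!users.containsKey(username) && autoCreate) {
            // Assumption: the record is written before any credential check.
            users.put(username, Status.DISABLED);
        }
        return Optional.ofNullable(users.get(username));
    }

    // True only when a local, enabled user exists and the delegate accepts the password.
    static boolean login(String username, String password, boolean autoCreate,
                         BiPredicate<String, String> delegate) {
        Optional<Status> user = lookup(username, autoCreate);
        if (!user.isPresent() || user.get() == Status.DISABLED) {
            return false;
        }
        return delegate.test(username, password);
    }

    public static void main(String[] args) {
        // Constructed directory with a single account; stands in for Active Directory.
        BiPredicate<String, String> directory =
                (u, p) -> u.equals("alice") && p.equals("constructed-password");
        // Constructed login attempts: two of them are typos of the real username.
        String[] attempts = { "alice", "alcie", "aliec", "alice" };

        for (boolean autoCreate : new boolean[] { true, false }) {
            users.clear();
            users.put("alice", Status.ENABLED); // pre-provisioned delegate user
            for (String name : attempts) {
                login(name, "constructed-password", autoCreate, directory);
            }
            // With autoCreate on, every mistyped name leaves a DISABLED record behind.
            System.out.println("autoCreate=" + autoCreate + " -> stored users: "
                    + new TreeSet<>(users.keySet()));
        }
    }
}
```

Because the record is created from an unauthenticated username, the user store grows with attacker- or typo-controlled input unless creation is switched off or deferred until the delegate realm has accepted the credentials.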
