Posted to user@shiro.apache.org by Alex Sviridov <oo...@mail.ru> on 2020/05/15 18:08:11 UTC

Shiro backdoor

Hi all,
 
I have a system that can be accessed by a web interface (HTTP servlet) and
by CLI.
 
In my application I have a superuser with a login name and password. When
someone wants to use the system via the web as a superuser, he must
provide the superuser login name and password. In this case the Shiro web filter is
used and everything is OK: I have subject.login(...), subject.logout(), etc.
So, everything is clear here.
 
However, when someone uses the application by CLI, he needs to work as superuser
without providing a login name and password (by CLI it is possible to reset the superuser
login name and password). So, I need to log the superuser in without a login name and
password. Could anyone say how it can be done in Shiro? I mean I have a User
object and I need to authenticate it in Shiro without a login name and password.
 
Best regards, Alex
 

Re: Shiro backdoor

Posted by Benjamin Marwell <bm...@gmail.com>.
Yes, exactly. You should replace "no authentication" with "hidden
authentication".
For example:
You can use a second realm for this which knows the public part of the
certificate. The client could be configured to automatically pass the
corresponding private certificate.

On Fri., 15 May 2020 at 20:34, Lenny Primak <lp...@hope.nyc.ny.us> wrote:
>
> That’s really dangerous.
> I would suggest something like client certificate authentication in web browsers to do this job.
>
> > On May 15, 2020, at 1:08 PM, Alex Sviridov <oo...@mail.ru> wrote:
> >
> > Hi all,
> >
> > I have a system that can be accessed by a web interface (HTTP servlet) and
> > by CLI.
> >
> > In my application I have a superuser with a login name and password. When
> > someone wants to use the system via the web as a superuser, he must
> > provide the superuser login name and password. In this case the Shiro web filter is
> > used and everything is OK: I have subject.login(...), subject.logout(), etc.
> > So, everything is clear here.
> >
> > However, when someone uses the application by CLI, he needs to work as superuser
> > without providing a login name and password (by CLI it is possible to reset the superuser
> > login name and password). So, I need to log the superuser in without a login name and
> > password. Could anyone say how it can be done in Shiro? I mean I have a User
> > object and I need to authenticate it in Shiro without a login name and password.
> >
> > Best regards, Alex
> >
>
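
The "second realm that knows the public part of the certificate" from Benjamin's reply, and the client-certificate idea from Lenny's, written up here as an added example in Java. It is not code from this thread or from Shiro itself. To keep it self-contained it stands in for the certificate with a freshly generated RSA key pair (for a real client certificate the realm would hold `X509Certificate.getPublicKey()` instead) and proves possession of the private half by signing a realm-issued, single-use nonce. The classes `KeyProofToken` and `KeyProofRealm`, the key id `cli-superuser` and the role name `superuser` are all assumptions made for the example.

```java
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Token the CLI submits: the key it claims plus a signature over a realm-issued nonce (hypothetical class). */
final class KeyProofToken implements AuthenticationToken {
    final String keyId; final byte[] nonce; final byte[] signature;
    KeyProofToken(String keyId, byte[] nonce, byte[] signature) {
        this.keyId = keyId; this.nonce = nonce; this.signature = signature;
    }
    @Override public Object getPrincipal() { return keyId; }
    @Override public Object getCredentials() { return signature; }
}

/** Second realm that stores only the public half of the CLI key pair (hypothetical class). */
final class KeyProofRealm extends AuthorizingRealm {
    private final Map<String, PublicKey> trustedKeys = new ConcurrentHashMap<>();
    private final Map<String, String> roleByKeyId = new ConcurrentHashMap<>();
    private final Set<String> outstandingNonces = ConcurrentHashMap.newKeySet();
    private final SecureRandom random = new SecureRandom();

    KeyProofRealm() {
        setName("keyProofRealm");
        // Possession is verified in doGetAuthenticationInfo, so no password-style matcher applies.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    void trust(String keyId, PublicKey key, String role) {
        trustedKeys.put(keyId, key);
        roleByKeyId.put(keyId, role);
    }

    /** Challenge step: a fresh random nonce that can be redeemed exactly once. */
    byte[] issueNonce() {
        byte[] nonce = new byte[32];
        random.nextBytes(nonce);
        outstandingNonces.add(Base64.getEncoder().encodeToString(nonce));
        return nonce;
    }

    @Override public boolean supports(AuthenticationToken token) { return token instanceof KeyProofToken; }

    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
        KeyProofToken token = (KeyProofToken) t;
        PublicKey key = trustedKeys.get(token.keyId);
        if (key == null) throw new AuthenticationException("unknown key id: " + token.keyId);
        // Consume the nonce before verifying so a captured proof can never be replayed.
        if (!outstandingNonces.remove(Base64.getEncoder().encodeToString(token.nonce)))
            throw new AuthenticationException("nonce was never issued or was already used");
        try {
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(key);
            verifier.update(token.nonce);
            if (!verifier.verify(token.signature)) throw new AuthenticationException("signature does not verify");
        } catch (GeneralSecurityException e) {
            throw new AuthenticationException("signature check failed", e);
        }
        return new SimpleAuthenticationInfo(token.keyId, token.signature, getName());
    }

    @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        String role = roleByKeyId.get((String) principals.getPrimaryPrincipal());
        if (role != null) info.addRole(role);
        return info;
    }
}

public class CliKeyLoginDemo {
    public static void main(String[] args) throws Exception {
        // Constructed demo key pair; in deployment the public key is installed on the server
        // and the private key lives in a file that only the OS administrator can read.
        KeyPair pair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        KeyProofRealm realm = new KeyProofRealm();
        realm.trust("cli-superuser", pair.getPublic(), "superuser");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        // CLI side: obtain the nonce, sign it with the private key, submit the proof.
        byte[] nonce = realm.issueNonce();
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(pair.getPrivate());
        signer.update(nonce);
        KeyProofToken proof = new KeyProofToken("cli-superuser", nonce, signer.sign());

        Subject subject = SecurityUtils.getSubject();
        subject.login(proof);
        System.out.println("authenticated=" + subject.isAuthenticated() + " superuser=" + subject.hasRole("superuser"));

        // Submitting the same proof a second time is rejected because the nonce was consumed.
        subject.logout();
        try {
            subject.login(proof);
        } catch (AuthenticationException expected) {
            System.out.println("replay rejected: " + expected.getMessage());
        }
    }
}
```

This keeps the existing password realm untouched for the web path: the `KeyProofRealm` only ever answers `supports()` for a `KeyProofToken`, so a `UsernamePasswordToken` from the Shiro web filter is never routed to it. The superuser's CLI access is then gated by whoever can read the private key file rather than by nothing at all, which is the "hidden authentication" the reply asks for, and the single-use nonce means a logged or intercepted proof gives an observer nothing to reuse.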

Re: Shiro backdoor

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
That’s really dangerous.
I would suggest something like client certificate authentication in web browsers to do this job.

> On May 15, 2020, at 1:08 PM, Alex Sviridov <oo...@mail.ru> wrote:
> 
> Hi all,
> 
> I have a system that can be accessed by a web interface (HTTP servlet) and
> by CLI.
> 
> In my application I have a superuser with a login name and password. When
> someone wants to use the system via the web as a superuser, he must
> provide the superuser login name and password. In this case the Shiro web filter is
> used and everything is OK: I have subject.login(...), subject.logout(), etc.
> So, everything is clear here.
> 
> However, when someone uses the application by CLI, he needs to work as superuser
> without providing a login name and password (by CLI it is possible to reset the superuser
> login name and password). So, I need to log the superuser in without a login name and
> password. Could anyone say how it can be done in Shiro? I mean I have a User
> object and I need to authenticate it in Shiro without a login name and password.
> 
> Best regards, Alex
>