Posted to users@isis.apache.org by Vladimir Nišević <vn...@gmail.com> on 2016/12/01 15:32:15 UTC

Issue in isis-module-security - in combination with delegateAuthenticationRealm

Hi, I am using the security module in combination with our Active Directory:

   1. Roles and delegate users (without passwords) are created in the Isis
   security module
   2. Authentication is done through the company Active Directory


I think I've found an issue in this setup: as part of the login procedure, if
the user doesn't exist in Isis security, it is automatically created as a
new delegate user (with Status=Disabled). This leads to potentially many
users in the security module, one created every time somebody e.g. mistypes
the username.


Here is my shiro.ini:

   [main]
   isisModuleSecurityRealm = org.isisaddons.module.security.shiro.IsisModuleSecurityRealm
   authenticationStrategy = org.isisaddons.module.security.shiro.AuthenticationStrategyForIsisModuleSecurityRealm
   securityManager.authenticator.authenticationStrategy = $authenticationStrategy
   securityManager.realms = $isisModuleSecurityRealm
   isisModuleSecurityRealm.delegateAuthenticationRealm = $activeDirectoryRealm
   activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
   activeDirectoryRealm.searchBase = ********
   activeDirectoryRealm.url = *****

I think the bug is in the class
org.isisaddons.module.security.shiro.IsisModuleSecurityRealm, line 48:

   PrincipalForApplicationUser principal = this.lookupPrincipal(username, this.hasDelegateAuthenticationRealm());

it should be:

   PrincipalForApplicationUser principal = this.lookupPrincipal(username, false);

Or was it on purpose to auto-create a new delegate user on every login
attempt?


Regards
Vladimir

Re: Issue in isis-module-security - in combination with delegateAuthenticationRealm

Posted by Vladimir Nišević <vn...@gmail.com>.
Hi, understood, ok, will give it a try!

Regs,
Vladimir


2016-12-01 16:37 GMT+01:00 Dan Haywood <da...@haywood-associates.co.uk>:

> Yes, not a bug but a feature :-) However, if you want to create a PR to
> make the behaviour configurable, I will be very happy to review it.
>
> Cheers
> Dan
>

Re: Issue in isis-module-security - in combination with delegateAuthenticationRealm

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
Yes, not a bug but a feature :-) However, if you want to create a PR to
make the behaviour configurable, I will be very happy to review it.

Cheers
Dan

On Thu, 1 Dec 2016 at 15:32 Vladimir Nišević <vn...@gmail.com> wrote:
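To make the behaviour discussed in this thread concrete, here is a small Python model added for this page (it is not the isis-module-security code): lookup_principal and has_delegate_authentication_realm mirror the two methods named at line 48, and auto_create_delegate_users is a hypothetical switch standing in for the configurable behaviour Dan suggests. The directory contents, user names and passwords are constructed.

```python
from dataclasses import dataclass, field

# Constructed model of the login path described in the thread, not the
# isis-module-security code: the realm delegates password checks to an
# external directory and looks up (or auto-creates) an ApplicationUser.

@dataclass
class ApplicationUser:
    username: str
    status: str      # "ENABLED" or "DISABLED"
    delegate: bool   # True: password is held by the delegate realm, not locally

@dataclass
class ModelRealm:
    directory: dict                            # stand-in for ActiveDirectoryRealm
    users: dict = field(default_factory=dict)  # the security module's user table
    auto_create_delegate_users: bool = True    # hypothetical switch Dan suggests

    def has_delegate_authentication_realm(self) -> bool:
        return self.directory is not None

    def lookup_principal(self, username: str, auto_create: bool):
        user = self.users.get(username)
        if user is None and auto_create:
            # Line-48 behaviour: an unknown name becomes a disabled delegate user
            user = ApplicationUser(username, "DISABLED", True)
            self.users[username] = user
        return user

    def authenticate(self, username: str, password: str) -> bool:
        # Today auto_create == hasDelegateAuthenticationRealm(); with the switch
        # off this is lookupPrincipal(username, false), as the thread proposes.
        auto_create = (self.has_delegate_authentication_realm()
                       and self.auto_create_delegate_users)
        principal = self.lookup_principal(username, auto_create)
        if principal is None or principal.status != "ENABLED":
            return False
        return principal.delegate and self.directory.get(username) == password

def simulate(auto_create: bool, attempts):
    """Run constructed login attempts; return (outcomes, auto-created usernames)."""
    realm = ModelRealm(directory={"alice": "s3cret"},
                       auto_create_delegate_users=auto_create)
    realm.users["alice"] = ApplicationUser("alice", "ENABLED", True)
    outcomes = [realm.authenticate(u, p) for u, p in attempts]
    created = sorted(u for u, a in realm.users.items() if a.status == "DISABLED")
    return outcomes, created
```

Running simulate(True, ...) with mistyped names such as "alcie" shows the disabled delegate rows accumulating in the user table; simulate(False, ...) rejects the same logins without creating anything.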