Posted to commits@streampark.apache.org by mo...@apache.org on 2022/11/08 07:10:14 UTC

[incubator-streampark] branch ldapp created (now 51f9a3bf4)

This is an automated email from the ASF dual-hosted git repository.

monster pushed a change to branch ldapp
in repository https://gitbox.apache.org/repos/asf/incubator-streampark.git


      at 51f9a3bf4 [cherry-pick] Fix vulnerability in LDAP login

This branch includes the following new commits:

     new 51f9a3bf4 [cherry-pick] Fix vulnerability in LDAP login

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[incubator-streampark] 01/01: [cherry-pick] Fix vulnerability in LDAP login

Posted by mo...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

monster pushed a commit to branch ldapp
in repository https://gitbox.apache.org/repos/asf/incubator-streampark.git

commit 51f9a3bf4143db523d61008479012c81996f2ae7
Author: Monster <25...@qq.com>
AuthorDate: Tue Nov 8 15:09:52 2022 +0800

    [cherry-pick] Fix vulnerability in LDAP login
---
 streampark-console/streampark-console-service/pom.xml   |  5 +++++
 .../console/system/security/impl/ldap/LdapService.java  | 17 ++++-------------
 2 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/streampark-console/streampark-console-service/pom.xml b/streampark-console/streampark-console-service/pom.xml
index a0ee18875..b484e857b 100644
--- a/streampark-console/streampark-console-service/pom.xml
+++ b/streampark-console/streampark-console-service/pom.xml
@@ -177,6 +177,11 @@
             <artifactId>spring-boot-starter-validation</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework.ldap</groupId>
+            <artifactId>spring-ldap-core</artifactId>
+        </dependency>
+
         <!-- shiro-spring -->
         <dependency>
             <groupId>org.apache.shiro</groupId>
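Review bot: The new spring-ldap-core dependency is added without a `<version>`, so the version that ends up on the classpath is whatever the parent POM or Spring Boot BOM manages, and the build breaks if neither does. If the parent already manages it, that is fine, but the effective version should be confirmed in the dependency tree rather than assumed, since this library is now on the authentication path. If it is not managed, pin it in the parent's `<dependencyManagement>` rather than inline here, matching how the other unversioned starters in this file are handled.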
diff --git a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/security/impl/ldap/LdapService.java b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/security/impl/ldap/LdapService.java
index 14bd68928..f1b8ebe2d 100644
--- a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/security/impl/ldap/LdapService.java
+++ b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/security/impl/ldap/LdapService.java
@@ -19,10 +19,9 @@ package org.apache.streampark.console.system.security.impl.ldap;
 
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.ldap.filter.EqualsFilter;
 import org.springframework.stereotype.Component;
 
 import javax.naming.Context;
@@ -42,8 +41,6 @@ import java.util.Properties;
 @Slf4j
 public class LdapService {
 
-    private static final Logger LOG = LoggerFactory.getLogger(LdapService.class);
-
     @Value("${ldap.urls:#{null}}")
     private String ldapUrls;
 
@@ -75,22 +72,16 @@ public class LdapService {
     public String ldapLogin(String userId, String userPwd) {
         Properties searchEnv = getManagerLdapEnv();
         try {
-            //Connect to the LDAP server and Authenticate with a service user of whom we know the DN and credentials
             LdapContext ctx = new InitialLdapContext(searchEnv, null);
             SearchControls sc = new SearchControls();
             sc.setReturningAttributes(new String[]{ldapEmailAttribute});
             sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
-            String searchFilter = String.format("(%s=%s)", ldapUserIdentifyingAttribute, userId);
-
-            //Search for the user you want to authenticate, search him with some attribute
-            NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, searchFilter, sc);
-            // NamingEnumeration answer = ctx.search(usersContainer, "     (objectclass=group)", ctls);
+            EqualsFilter filter = new EqualsFilter(ldapUserIdentifyingAttribute, userId);
+            NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, filter.toString(), sc);
             if (results.hasMore()) {
-                // get the users DN (distinguishedName) from the result
                 SearchResult result = results.next();
                 NamingEnumeration attrs = result.getAttributes().getAll();
                 while (attrs.hasMore()) {
-                    //Open another connection to the LDAP server with the found DN and the password
                     searchEnv.put(Context.SECURITY_PRINCIPAL, result.getNameInNamespace());
                     searchEnv.put(Context.SECURITY_CREDENTIALS, userPwd);
                     try {
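Review bot: An empty or blank userPwd is still passed straight into `Context.SECURITY_CREDENTIALS` on the bind line after the lookup; many directory servers treat a bind with a DN and an empty password as an unauthenticated (anonymous) bind that succeeds, so a request with a valid user id and no password could be treated as a successful login. Reject it before the directory is contacted, e.g. `if (StringUtils.isBlank(userPwd)) { return null; }` at the top of ldapLogin, returning whatever value the method already uses for a failed login (its tail is outside the hunk, so I can't confirm that is null). Separately, the `InitialLdapContext` created on the first line of the try block is not closed on any visible line, so each login attempt leaks a directory connection unless the part of the method outside the hunk closes it; a `finally { ctx.close(); }` or a close on every exit path would fix that. The injection itself is addressed by `EqualsFilter`, which encodes the userId value; the attribute name from `ldapUserIdentifyingAttribute` is not encoded, which is acceptable only as long as it remains configuration and never user-controlled.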
@@ -128,7 +119,7 @@ public class LdapService {
 
     public LdapUserNotExistActionType getLdapUserNotExistAction() {
         if (StringUtils.isBlank(ldapUserNotExistAction)) {
-            LOG.info("security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
+            log.info("security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
             return LdapUserNotExistActionType.CREATE;
         }