[ https://issues.apache.org/jira/browse/SYNCOPE-454?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13837895#comment-13837895 ]

Francesco Chicchiriccò commented on SYNCOPE-454:
------------------------------------------------

Simple code for showing this issue:
{code}
// 1. create user with LDAP resource (with 'Generate password if missing' enabled)
UserTO userTO = getUniqueSampleTO("[email protected]");
userTO.getResources().add(RESOURCE_NAME_LDAP);
userTO = createUser(userTO);
assertNotNull(userTO);

// 2. read resource configuration for LDAP binding
ResourceTO ldapRes = resourceService.read(RESOURCE_NAME_LDAP);
Map<String, ConnConfProperty> ldapConnConf =
        connectorService.read(ldapRes.getConnectorId()).getConfigurationMap();
ConnObjectTO connObject =
        resourceService.getConnectorObject(RESOURCE_NAME_LDAP, AttributableType.USER, userTO.getId());

// JNDI environment for a simple bind as the newly created user
Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://" + ldapConnConf.get("host").getValues().get(0)
        + ":" + ldapConnConf.get("port").getValues().get(0) + "/");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, connObject.getAttrMap().get("__NAME__").getValues().get(0));
env.put(Context.SECURITY_CREDENTIALS, "password123");

// 3. try (and succeed) to perform simple LDAP binding with provided password ('password123')
new InitialDirContext(env);
 
// 4. update user without any password change request
UserMod userMod = new UserMod();
userMod.setId(userTO.getId());
userMod.setUsername(userTO.getUsername() + "XX");
 
userService.update(userTO.getId(), userMod);
 
// 5. try (and fail) to perform simple LDAP binding: password has changed
new InitialDirContext(env);
{code}

> Update user without password specification involving resource with "Generate 
> password if missing" enabled, sends password out anyway
> ------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SYNCOPE-454
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-454
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.1.5
>            Reporter: fabio martelli
>            Assignee: Francesco Chicchiriccò
>             Fix For: 1.1.6, 1.2.0
>
>
> Updating an existing user on an external resource with "Generate password if 
> missing" enabled, without requiring password update explicitly, autogenerated 
> password is sent by default.
> Of course, this is a WRONG behavior that can cause unexpected failures.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
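
Added example, not part of the original message and not Syncope's own code: a self-contained model of the password decision described in this issue, showing the reported behaviour next to a guarded variant that generates a password only when the account is created. All class, method and account names are hypothetical, the map is a constructed stand-in for the LDAP resource, and the guarded variant is one possible rule, not the fix committed for 1.1.6.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class PasswordPropagationDemo {
    enum Op { CREATE, UPDATE }

    // Constructed stand-in for the external resource: account name -> current password.
    static final Map<String, String> LDAP = new HashMap<>();
    static final SecureRandom RNG = new SecureRandom();

    static String generate() {
        return "gen-" + Long.toHexString(RNG.nextLong());
    }

    // Behaviour reported in the issue: a missing password is replaced by a
    // generated one on every propagation, updates included (op is ignored).
    static String reportedDecision(Op op, String requested, boolean generateIfMissing) {
        return (requested == null && generateIfMissing) ? generate() : requested;
    }

    // Guarded variant (assumption): generate only when the account is first created.
    static String guardedDecision(Op op, String requested, boolean generateIfMissing) {
        return (requested == null && generateIfMissing && op == Op.CREATE) ? generate() : requested;
    }

    // A null password means "send no password attribute": the stored one is kept.
    static void propagate(String account, String password) {
        if (password != null) {
            LDAP.put(account, password);
        }
    }

    static boolean bind(String account, String password) {
        return password.equals(LDAP.get(account));
    }

    public static void main(String[] args) {
        for (boolean guarded : new boolean[] {false, true}) {
            LDAP.clear();
            propagate("uid=demo", "password123");           // create with an explicit password
            String pwd = guarded                             // update that changes only the username
                    ? guardedDecision(Op.UPDATE, null, true)
                    : reportedDecision(Op.UPDATE, null, true);
            propagate("uid=demo", pwd);
            System.out.println((guarded ? "guarded" : "reported")
                    + ": bind with password123 succeeds = " + bind("uid=demo", "password123"));
        }
    }
}
```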
