[magnolia-dev] [JIRA] (DOCU-470) Login handler can be bypassed in CAS module with incorrect setting

[JIRA (on behalf of Milan Divilek)]

Milan Divilek created DOCU-470 Login handler can be bypassed in CAS module with incorrect setting Issue Type: Improvement Assignee: Antti Hietala Created: 12/Sep/13 5:13 PM Description: To understand problem see MGNLCAS-7. There are two ways how to avoid this behaviour: 1. Disable Config:/server/filters/login/form (info.magnolia.cms.security.auth.login.FormLogin) handler NOTE: This disable login of magnolia user for example superuser by http://localhost:8080/magnoliaAuthor/.magnolia/page/adminCentral.html?mgnlUserId=superuser&mgnlUserPSWD=superuser 2.Split info.magnolia.jaas.sp.jcr.JCRAuthenticationModule and info.magnolia.jaas.sp.ldap.ADAuthenticationModule into different jaas login chain For example: Add jaasChain property to Config:/server/filters/login/ntlm/ with value magnolia-ntlm. And change jaas.config from configuration described at http://documentation.magnolia-cms.com/display/DOCS45/CAS+Connector+module#CASConnectormodule-ConfiguringJAAS to magnolia { info.magnolia.jaas.sp.jcr.JCRAuthenticationModule required; info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required; }; magnolia-ntlm { info.magnolia.jaas.sp.ldap.ADAuthenticationModule required realm=external; info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required; } Project: Documentation Priority: Neutral Reporter: Milan Divilek Security Level: Public

This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

---

----------------------------------------------------------------
For list details, see: http://www.magnolia-cms.com/community/mailing-lists.html
Alternatively, use our forums: http://forum.magnolia-cms.com/
To unsubscribe, E-mail to: <dev-list-unsubscr...@magnolia-cms.com>
----------------------------------------------------------------