Hi, I am using security module in combination with our Active Directory:

   1. Roles and delegate users (without passwords) are created in the Isis
   security module
   2. Authentication is done through the company Active Directory


I think I've found an issue in this setup: as part of the login procedure, if
the user doesn't exist in Isis security, it is automatically created
as a new delegate user (with Status=Disabled). This leads to potentially many
users in the security module, e.g. every time somebody mistypes the
username.


Here is my shiro.ini:

   [main]
   isisModuleSecurityRealm = org.isisaddons.module.security.shiro.IsisModuleSecurityRealm
   authenticationStrategy = org.isisaddons.module.security.shiro.AuthenticationStrategyForIsisModuleSecurityRealm
   securityManager.authenticator.authenticationStrategy = $authenticationStrategy
   securityManager.realms = $isisModuleSecurityRealm
   isisModuleSecurityRealm.delegateAuthenticationRealm = $activeDirectoryRealm
   activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
   activeDirectoryRealm.searchBase = ********
   activeDirectoryRealm.url = ******

I think the bug is in the class

   org.isisaddons.module.security.shiro.IsisModuleSecurityRealm

line 48:

   PrincipalForApplicationUser principal = this.lookupPrincipal(username, this.hasDelegateAuthenticationRealm());

It should be:

   PrincipalForApplicationUser principal = this.lookupPrincipal(username, false);

Or was it on purpose to auto-create a new delegate user on every login
attempt?


Regards
Vladimir
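The behaviour described in the post, modelled as an added example that is not code from Isis, the security module or Shiro: an in-memory stand-in for the application user table and for the delegate (Active Directory) realm, with the two possible orderings of "look up / auto-create the application user" and "authenticate against the delegate realm". The names `UserStore`, `DelegateRealm`, `login_autocreate`, `login_authenticate_first` and the credentials are constructed for the example. The point it shows is the one raised above: when the lookup auto-creates before the delegate realm has accepted the credentials, every unknown or mistyped username leaves a disabled delegate user behind, so the table grows with unauthenticated input; authenticating first limits creation to usernames the directory actually vouched for.

```python
"""Model of the login flow from the post (added example, not Isis/Shiro code).

All class and function names here are hypothetical stand-ins; the
credential table and the list of login attempts are constructed data.
"""
from dataclasses import dataclass


@dataclass
class ApplicationUser:
    username: str
    status: str      # "ENABLED" or "DISABLED"
    delegate: bool   # True when the user authenticates via the delegate realm


class UserStore:
    """In-memory stand-in for the security module's application user table."""

    def __init__(self, users=()):
        self.users = {u.username: u for u in users}

    def find(self, username):
        return self.users.get(username)

    def create_delegate_user(self, username):
        # Mirrors what the post describes: auto-created delegate users start DISABLED.
        user = ApplicationUser(username, "DISABLED", delegate=True)
        self.users[username] = user
        return user

    def delegate_users(self):
        return [u for u in self.users.values() if u.delegate]


class DelegateRealm:
    """Stand-in for the Active Directory realm, backed by a constructed credential table."""

    def __init__(self, credentials):
        self.credentials = credentials

    def authenticate(self, username, password):
        return self.credentials.get(username) == password


def login_autocreate(store, delegate, username, password):
    """Ordering reported in the post: look up (and auto-create) before delegate authentication.

    Any username, authenticated or not, can cause a row to be created.
    """
    user = store.find(username)
    if user is None:
        user = store.create_delegate_user(username)
    if not delegate.authenticate(username, password):
        return False
    return user.status == "ENABLED"


def login_authenticate_first(store, delegate, username, password):
    """Safer ordering: only a username the delegate realm accepted can create a row."""
    if not delegate.authenticate(username, password):
        return False
    user = store.find(username)
    if user is None:
        user = store.create_delegate_user(username)
    return user.status == "ENABLED"


def simulate(login):
    """Run a fixed sequence of login attempts (constructed) and report outcomes and table contents."""
    store = UserStore([ApplicationUser("alice", "ENABLED", delegate=True)])
    delegate = DelegateRealm({"alice": "correct-horse", "bob": "battery-staple"})
    attempts = [
        ("alice", "correct-horse"),   # existing enabled user, valid credentials
        ("alcie", "correct-horse"),   # mistyped username
        ("alicee", "x"),              # mistyped username, wrong password
        ("bob", "battery-staple"),    # valid AD account not yet in the store
        ("mallory", "guess"),         # unknown to both
    ]
    results = [login(store, delegate, u, p) for u, p in attempts]
    return results, sorted(u.username for u in store.delegate_users())


if __name__ == "__main__":
    for name, fn in (("auto-create first", login_autocreate),
                     ("authenticate first", login_authenticate_first)):
        results, users = simulate(fn)
        print(f"{name}: logins={results} delegate users={users}")
```

With the reported ordering the five attempts leave five delegate users (`alcie`, `alice`, `alicee`, `bob`, `mallory`); with the delegate realm consulted first, only `alice` and `bob` exist afterwards. In both orderings `bob` is still refused because the auto-created user is disabled, so deferring creation loses nothing for legitimate users.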
