Yes, not a bug but a feature :-)  However, if you want to create a PR to
make the behaviour configurable, will be very happy to review.

Cheers
Dan

On Thu, 1 Dec 2016 at 15:32 Vladimir Nišević <vnise...@gmail.com> wrote:

> Hi, I am using the security module in combination with our Active Directory:
>
>    1. Roles and delegate users (without passwords) are created in Isis
>    security module
>    2. Authentication is done through company Active Directory
>
>
> I think I've found an issue in this setup: As part of the login procedure, if
> the user doesn't exist in Isis security, it will be automatically created
> as new delegate user (with Status=Disabled). This leads to potentially many
> users in the security module, every time somebody e.g. mistypes the
> username.
>
>
> Here is my shiro.ini:
>
> [main]
> isisModuleSecurityRealm = org.isisaddons.module.security.shiro.IsisModuleSecurityRealm
> authenticationStrategy = org.isisaddons.module.security.shiro.AuthenticationStrategyForIsisModuleSecurityRealm
> securityManager.authenticator.authenticationStrategy = $authenticationStrategy
> securityManager.realms = $isisModuleSecurityRealm
> isisModuleSecurityRealm.delegateAuthenticationRealm=$activeDirectoryRealm
> activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
> activeDirectoryRealm.searchBase =********
> activeDirectoryRealm.url = *****
>
> I think the bug is in the class
>
> org.isisaddons.module.security.shiro.IsisModuleSecurityRealm
>
> line 48:
>   PrincipalForApplicationUser principal = this.lookupPrincipal(username, this.hasDelegateAuthenticationRealm());
>
> it should be:
>   PrincipalForApplicationUser principal = this.lookupPrincipal(username, false);
>
> Or was it on purpose to auto create new delegate user on every login
> attempt?
>
>
> Regards
> Vladimir
>
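
Added example, not part of the original messages and not the security module's own code: a self-contained Java model of the behaviour discussed above, replaying mistyped usernames with auto-creation on and off. Every name in it is hypothetical (including the `autoCreateUser` switch, which stands in for the configurable option suggested in the reply) apart from the `lookupPrincipal(username, autoCreate)` shape quoted in the thread, and the usernames are constructed.

```java
import java.util.*;

// Simplified, self-contained model of the login flow described in the thread.
// All names are hypothetical except the lookupPrincipal(username, autoCreate) shape.
public class DelegateLoginModel {
    enum Status { ENABLED, DISABLED }

    // Stand-in for the security module's user table.
    static final Map<String, Status> users = new TreeMap<>();
    // Stand-in for the directory behind the delegate realm (constructed account).
    static final Set<String> directory = new HashSet<>(Arrays.asList("jsmith"));
    // Hypothetical switch: the "make the behaviour configurable" option.
    static boolean autoCreateUser = true;

    static Status lookupPrincipal(String username, boolean autoCreate) {
        if (!users.containsKey(username) && autoCreate) {
            // The row is written before any credential check has succeeded.
            users.put(username, Status.DISABLED);
        }
        return users.get(username); // null when unknown and not auto-created
    }

    static boolean login(String username) {
        boolean hasDelegateRealm = true; // a delegate realm is configured
        Status status = lookupPrincipal(username, hasDelegateRealm && autoCreateUser);
        if (status != Status.ENABLED) {
            return false; // in this model only enabled users go on to the delegate realm
        }
        return directory.contains(username); // the delegate realm decides
    }

    // Replays the attempts against a fresh table and returns the resulting users.
    static Map<String, Status> replay(boolean autoCreate, List<String> attempts) {
        users.clear();
        users.put("jsmith", Status.ENABLED); // the one user an administrator set up
        autoCreateUser = autoCreate;
        for (String typed : attempts) {
            login(typed);
        }
        return new TreeMap<>(users);
    }

    public static void main(String[] args) {
        // Constructed login attempts: one correct username and three typos.
        List<String> attempts = Arrays.asList("jsmith", "jsmiht", "jsmtih", "jsmit");
        System.out.println("auto-create on : " + replay(true, attempts));
        System.out.println("auto-create off: " + replay(false, attempts));
    }
}
```

With the switch on, each typo leaves its own DISABLED row beside the real user; with it off, the table holds only the user the administrator created.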
