Hi Dan, here is the adapted file
https://github.com/niv0/isis-module-security/blob/5cd324a655347ff7a148326d46a5ec612bd0f22c/dom/src/main/java/org/isisaddons/module/security/shiro/IsisModuleSecurityRealm.java

I've also made a PR, but somehow it was mixed up with a previous PR
which is still pending on GitHub.


The behavior is configurable through the following property in shiro.ini

isisModuleSecurityRealm.autoCreateUser=true


BR,Vladimir



2016-12-01 16:43 GMT+01:00 Vladimir Nišević <vnise...@gmail.com>:

> Hi, understand, ok, will give a try!
>
> Regs,Vladimir
>
>
> 2016-12-01 16:37 GMT+01:00 Dan Haywood <d...@haywood-associates.co.uk>:
>
>> Yes, not a bug but a feature :-)  However, if you want to create a PR to
>> make the behaviour configurable, will be very happy to review.
>>
>> Cheers
>> Dan
>>
>> On Thu, 1 Dec 2016 at 15:32 Vladimir Nišević <vnise...@gmail.com> wrote:
>>
>> > Hi, I am using the security module in combination with our Active Directory:
>> >
>> >    1. Roles and delegate users (without passwords) are created in the Isis
>> >    security module
>> >    2. Authentication is done through the company Active Directory
>> >
>> >
>> > I think I've found an issue in this setup: as part of the login procedure,
>> > if the user doesn't exist in Isis security, it will be automatically
>> > created as a new delegate user (with Status=Disabled). This potentially
>> > leads to many users in the security module, every time somebody e.g.
>> > mistypes the username.
>> >
>> >
>> > Here is my shiro.ini
>> >
>> > [main]
>> > isisModuleSecurityRealm = org.isisaddons.module.security.shiro.IsisModuleSecurityRealm
>> > authenticationStrategy = org.isisaddons.module.security.shiro.AuthenticationStrategyForIsisModuleSecurityRealm
>> > securityManager.authenticator.authenticationStrategy = $authenticationStrategy
>> > securityManager.realms = $isisModuleSecurityRealm
>> > isisModuleSecurityRealm.delegateAuthenticationRealm=$activeDirectoryRealm
>> > activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
>> > activeDirectoryRealm.searchBase = ********
>> > activeDirectoryRealm.url = *****
>> >
>> > I think the bug is in the class
>> >
>> > org.isisaddons.module.security.shiro.IsisModuleSecurityRealm
>> >
>> > line 48:
>> >   PrincipalForApplicationUser principal = this.lookupPrincipal(username, this.hasDelegateAuthenticationRealm());
>> >
>> > it should be:
>> >   PrincipalForApplicationUser principal = this.lookupPrincipal(username, false);
>> >
>> > Or was it on purpose to auto-create a new delegate user on every login
>> > attempt?
>> >
>> >
>> > Regards
>> > Vladimir
>> >
>>
>
>
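
An added example, not part of the thread and not the module's own code: a simplified Java model of the login behaviour discussed above, showing how mistyped usernames accumulate as disabled delegate users when auto-creation is on and leave no rows when it is off. The class, its methods and the sample usernames are constructed for illustration, and the delegate's password check is reduced to set membership; only the `autoCreateUser` property name comes from the message.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical model for illustration; these are not the module's real classes.
public class AutoCreateDemo {
    enum Status { ENABLED, DISABLED }

    static final class Realm {
        final Map<String, Status> users = new LinkedHashMap<>(); // stand-in for the user table
        final Set<String> directory;   // stand-in for the delegate (Active Directory) realm
        final boolean autoCreateUser;  // models isisModuleSecurityRealm.autoCreateUser

        Realm(Set<String> directory, boolean autoCreateUser) {
            this.directory = directory;
            this.autoCreateUser = autoCreateUser;
        }

        // Models the behaviour reported in the thread: an unknown name gets a
        // disabled row regardless of whether the delegate would accept it.
        boolean login(String username) {
            Status status = users.get(username);
            if (status == null) {
                if (!autoCreateUser) {
                    return false;                  // unknown name: reject, store nothing
                }
                status = Status.DISABLED;
                users.put(username, status);       // row written for any submitted name
            }
            return status == Status.ENABLED && directory.contains(username);
        }
    }

    // Number of user rows left behind after a series of login attempts.
    static int rowsAfter(boolean autoCreateUser, String... attempts) {
        Realm realm = new Realm(Set.of("vladimir"), autoCreateUser);
        realm.users.put("vladimir", Status.ENABLED);   // the one legitimate delegate user
        for (String name : attempts) {
            realm.login(name);
        }
        return realm.users.size();
    }

    public static void main(String[] args) {
        // Constructed sample: one correct username and three typos.
        String[] attempts = {"vladimir", "vladimr", "vladimri", "valdimir"};
        System.out.println("autoCreateUser=true:  " + rowsAfter(true, attempts) + " user rows");
        System.out.println("autoCreateUser=false: " + rowsAfter(false, attempts) + " user rows");
    }
}
```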
