JBEAP-7947 (JBoss Enterprise Application Platform)

Elytron ldap-realm allows access with empty password


    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • Fix Version: 7.1.0.DR11
    • Affects Version: 7.1.0.DR9
    • Component: Security

      1) import user jduke with password Password1 and role JBossAdmin to Microsoft Active Directory
      2) configure application server through CLI commands:

      /subsystem=elytron/dir-context=dir-context-ad:add(url="$AD_URL",principal="$AD_PRINCIPAL",credential="$AD_CREDENTIAL")
      /subsystem=elytron/ldap-realm=ad-ldap-realm:add(dir-context=dir-context-ad,direct-verification=true,identity-mapping={rdn-identifier=cn,search-base-dn="$AD_BASE_DN",use-recursive-search=true,attribute-mapping=[{filter-base-dn="$AD_BASE_DN",filter="(member={0})",from=cn,to=groups}]})
      /subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ad-ldap-realm,role-decoder=groups-to-roles}],default-realm=ad-ldap-realm,permission-mapper=login-permission-mapper)
      /subsystem=elytron/http-authentication-factory=ldap-ad-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Ldap Elytron"}]}])
      /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=ldap-ad-http-authentication-factory)
      

      3) deploy testing application (see attachments)
      4) access http://localhost:8080/print-roles/protected/printRoles?role=JBossAdmin and try to log in as user jduke with an empty password - access to the application is granted


      An empty password is treated as an anonymous login by some LDAP servers (e.g. by Microsoft Active Directory). When an Elytron ldap-realm is configured against that type of LDAP server, access with an empty password to a secured web resource guarded by that ldap-realm is always granted.

      There should be some attribute for configuring whether an empty password should be accepted by the ldap-realm.
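      As an added example (not the report's or Elytron's own code), a Python model of direct-verification password checking against a simulated AD-like directory: the `SimulatedActiveDirectory` and `DirectVerificationRealm` classes, the `allow_blank_password` switch (modelled on the attribute the report asks for) and the `dc=example,dc=com` base DN are assumptions.

```python
# Added example, not taken from JBEAP-7947 or the Elytron code base: models how an
# empty password reaching an LDAP simple bind turns into an unauthenticated bind,
# and the guard that rejects it before the bind is attempted.
from dataclasses import dataclass


@dataclass
class SimulatedActiveDirectory:
    """Constructed stand-in for a directory that behaves per RFC 4513 5.1.2:
    a simple bind with a DN but an empty password is an *unauthenticated*
    bind and succeeds without any secret being checked."""
    passwords: dict  # DN -> password, constructed test data

    def simple_bind(self, dn: str, password: str) -> bool:
        if dn and password == "":
            return True  # unauthenticated bind: "success" with nothing verified
        return self.passwords.get(dn) == password


@dataclass
class DirectVerificationRealm:
    """Model of an ldap-realm with direct-verification=true: the credential is
    checked by binding to the directory as the user. allow_blank_password is a
    hypothetical knob modelled on the attribute the report asks for."""
    directory: SimulatedActiveDirectory
    base_dn: str
    allow_blank_password: bool = False

    def user_dn(self, username: str) -> str:
        # Mirrors rdn-identifier=cn from the reported configuration.
        return f"cn={username},{self.base_dn}"

    def verify(self, username: str, password: str) -> bool:
        if not self.allow_blank_password and password == "":
            # Never let an empty credential reach the bind: servers such as AD
            # would treat it as an anonymous/unauthenticated bind and succeed.
            return False
        return self.directory.simple_bind(self.user_dn(username), password)


# Constructed data mirroring the report: user jduke with password Password1.
AD = SimulatedActiveDirectory({"cn=jduke,dc=example,dc=com": "Password1"})
VULNERABLE = DirectVerificationRealm(AD, "dc=example,dc=com", allow_blank_password=True)
FIXED = DirectVerificationRealm(AD, "dc=example,dc=com")

if __name__ == "__main__":
    print("vulnerable realm, empty password:", VULNERABLE.verify("jduke", ""))   # True
    print("fixed realm, empty password:", FIXED.verify("jduke", ""))             # False
    print("fixed realm, correct password:", FIXED.verify("jduke", "Password1"))  # True
```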

      A similar issue occurs in previous versions of the application server, see:

              People: Jan Kalina (jkalina@redhat.com), Ondrej Lukas (olukas)