PicketLink / PLINK-384

Users can authenticate with invalid credentials into LDAP in concurrent environment

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Versions: PLINK_2.6.0.CR2, PLINK_2.6.0.CR1
    • Component: IDM

      Right now the instance of LdapContext used for authentication is shared in the instance variable "authenticationContext" in LdapOperationManager. This means that in a concurrent environment it can happen that a user authenticates with invalid credentials, and on the other hand it can also happen that a user with valid credentials is not successfully authenticated.

      I am adding the unit test ConcurrentLDAPAuthenticationTest. When you debug it, you can add a breakpoint in LDAPOperationManager.authenticate right before the line:

      this.authenticationContext.lookup(dn);

      and then wait until both threads stop at it. If the "user" with valid credentials is the later one, authenticationContext will hold the credentials "user"/"password" and will successfully authenticate both users (including the "evil" user, who shouldn't be authenticated). On the other hand, when the "evil" credentials are the later ones, both threads will use evil's credentials and authentication will fail for both.

      Note that there is also the bug https://issues.apache.org/jira/browse/DIRSERVER-1548 in ApacheDS 1.5.7, which is used in the unit tests; because of it, the same instance of authenticationContext can't be used after a failed authentication anyway, as it always throws the exception "ERR_732 Cannot process a Request while binding". This seems to be a problem only with ApacheDS 1.5.7, but using a separate instance for each context fixes this as well.
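The interleaving described above, modelled deterministically as an added example (not PicketLink's code): a shared context whose credentials are overwritten before lookup() runs, beside the per-authentication context that fixes it. FakeLdapContext and the in-memory DIRECTORY are stand-ins for the JNDI LdapContext and the LDAP server.

```python
# Constructed model of the PLINK-384 race (not PicketLink code). DIRECTORY stands
# in for the LDAP server; FakeLdapContext for the javax.naming LdapContext whose
# environment carries the bind credentials.
DIRECTORY = {"uid=user,ou=People": "password"}  # constructed: DN -> password


class FakeLdapContext:
    """addToEnvironment() stores SECURITY_PRINCIPAL/SECURITY_CREDENTIALS; the next
    lookup() binds with whatever the environment holds at that moment."""

    def __init__(self):
        self.principal = None
        self.credentials = None

    def add_to_environment(self, dn, password):
        self.principal, self.credentials = dn, password

    def lookup(self, dn):
        # Binds with the *current* environment, which another thread may have
        # overwritten between this caller's add_to_environment() and lookup().
        if DIRECTORY.get(self.principal) != self.credentials:
            raise PermissionError("invalid credentials")
        return dn


def lookup_succeeds(ctx, dn):
    try:
        ctx.lookup(dn)
        return True
    except PermissionError:
        return False


def run_interleaving(attempts, shared_context):
    """attempts: (label, dn, password) tuples in the order each thread reaches
    add_to_environment(); all lookup(dn) calls run afterwards, i.e. the report's
    'both threads stopped at this.authenticationContext.lookup(dn)'.
    Returns {label: authenticated?}."""
    if shared_context:  # the bug: one LdapContext kept in an instance variable
        contexts = [FakeLdapContext()] * len(attempts)
    else:  # the fix: a fresh context for every authentication attempt
        contexts = [FakeLdapContext() for _ in attempts]
    for ctx, (_, dn, password) in zip(contexts, attempts):
        ctx.add_to_environment(dn, password)
    return {label: lookup_succeeds(ctx, dn)
            for ctx, (label, dn, _) in zip(contexts, attempts)}


USER = ("user", "uid=user,ou=People", "password")
EVIL = ("evil", "uid=evil,ou=People", "guess")  # constructed: not in DIRECTORY
```

With the shared context, `run_interleaving([EVIL, USER], True)` authenticates both and `run_interleaving([USER, EVIL], True)` rejects both; with a context per attempt only "user" succeeds in either order.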

              mposolda@redhat.com Marek Posolda