Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-7866

Elytron ldap-realm allows access with empty password

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 11.0.0.Alpha1
    • None
    • Security
    • None
    • Hide

      1) import user jduke with password Password1 and role JBossAdmin to Microsoft Active Directory
      2) configure application server through CLI commands:

      /subsystem=elytron/dir-context=dir-context-ad:add(url="$AD_URL",principal="$AD_PRINCIPAL",credential="$AD_CREDENTIAL")
/subsystem=elytron/ldap-realm=ad-ldap-realm:add(dir-context=dir-context-ad,direct-verification=true,identity-mapping={rdn-identifier=cn,search-base-dn="$AD_BASE_DN",use-recursive-search=true,attribute-mapping=[{filter-base-dn="$AD_BASE_DN",filter="(member={0})",from=cn,to=groups}]})
/subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ad-ldap-realm,role-decoder=groups-to-roles}],default-realm=ad-ldap-realm,permission-mapper=login-permission-mapper)
/subsystem=elytron/http-authentication-factory=ldap-ad-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Ldap Elytron"}]}])
/subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=ldap-ad-http-authentication-factory)

      3) deploy testing application (see attachments)
      4) access http://localhost:8080/print-roles/protected/printRoles?role=JBossAdmin and try to with user jduke and with empty password - access to application is granted

      Show
      1) import user jduke with password Password1 and role JBossAdmin to Microsoft Active Directory 2) configure application server through CLI commands: /subsystem=elytron/dir-context=dir-context-ad:add(url= "$AD_URL" ,principal= "$AD_PRINCIPAL" ,credential= "$AD_CREDENTIAL" ) /subsystem=elytron/ldap-realm=ad-ldap-realm:add(dir-context=dir-context-ad,direct-verification= true ,identity-mapping={rdn-identifier=cn,search-base-dn= "$AD_BASE_DN" ,use-recursive-search= true ,attribute-mapping=[{filter-base-dn= "$AD_BASE_DN" ,filter= "(member={0})" ,from=cn,to=groups}]}) /subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ad-ldap-realm,role-decoder=groups-to-roles}], default -realm=ad-ldap-realm,permission-mapper=login-permission-mapper) /subsystem=elytron/http-authentication-factory=ldap-ad-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name= "Ldap Elytron" }]}]) /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=ldap-ad-http-authentication-factory) 3) deploy testing application (see attachments) 4) access http://localhost:8080/print-roles/protected/printRoles?role=JBossAdmin and try to with user jduke and with empty password - access to application is granted

    Description

      An empty password is treated as an anonymous login by some LDAP servers (e.g. by Microsoft Active Directory). In case when Elytron ldap-realm is configured for that type of LDAP server then access with empty password to secured web resource guarded by that ldap-realm is always granted.

      There should be some attribute for configuring whether empty password should be accepted by ldap-realm.

      Similar issue occurs in previous versions of application server, see:

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-7947 Elytron ldap-realm allows access with empty password

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Bug - A problem that impairs or prevents the functions of the product. ELY-850 Elytron ldap-realm allows access with empty password

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFLY-7883 Upgrade to Elytron Subsystem 1.0.0.Alpha20

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: