[jboss-jira] [JBoss JIRA] (ELY-760) Elytron Ldap Realm searches roles before validating password
[
https://issues.jboss.org/browse/ELY-760?page=com.atlassian.jira.plugin.sy...
]
Jan Kalina commented on ELY-760:
--------------------------------
This mean to divide LdapSecurityRealm.getIdentity(), so extractFilteredAttributes() will
be called as part of getAuthorizationIdentity() or getAttributes().
This mean to change design - LdapIdentity.attributes will not be final anymore, will be
lazy loaded.
Elytron Ldap Realm searches roles before validating password
------------------------------------------------------------
Key: ELY-760
URL: https://issues.jboss.org/browse/ELY-760
Project: WildFly Elytron
Issue Type: Bug
Components: Realms
Affects Versions: 1.1.0.Beta13
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Critical
In Ldap Realm roles are searched before actual user password is validated. Ldap Realm
uses following flow:
# searching for username
# searching for roles (i.e. searching for attributes)
# validating password for username
It means even if wrong password is used then roles in LDAP are searched. Password should
be validated before some roles are searched. Current behavior can result to performance
issues.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)