Principal name from realms should not be pure user input -------------------------------------------------------- Key: ELY-865 URL: https://issues.jboss.org/browse/ELY-865 Project: WildFly Elytron Issue Type: Bug Reporter: Jan Kalina Assignee: Jan Kalina Priority: Critical All security realm now provides user-provided username as realmIdentity principal. That can be problem, if identity search is case-insensitive - for example: * Lets have filesystem realm on windows - user will write "FIRSTuser", because filesystem is caseinsensitive realm will correctly found "firstUser" - but it can obtain two different NamePrincipals - the same user can act as two different users for application running on AS - it can be security problem * the same problem can occure if LDAP search is case-insensitive - not sure, but I think this is case of Active Directory * the same can probably occure for JDBC, if database column is defined as case-insensitive