[jboss-jira] [JBoss JIRA] (ELY-865) Principal name from realms should not be pure user input
Jan Kalina (JIRA)
issues at jboss.org
Tue Jan 10 14:15:00 EST 2017
[ https://issues.jboss.org/browse/ELY-865?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Kalina updated ELY-865:
---------------------------
Description:
All security realms now provide the user-provided username as the realmIdentity principal.
That can be a problem if identity search is case-insensitive - for example:
* Let's have a filesystem realm on Windows - the user will write "FIRSTuser"; because the filesystem is case-insensitive, the realm will correctly find "firstUser" - but it can obtain two different NamePrincipals - the same user can be two different users for an application running on AS, which can be a security problem
* the same problem can occur if LDAP search is case-insensitive - not sure, but I think this is the case for Active Directory
* the same can probably occur for JDBC, if the database column is defined as case-insensitive
was:
All security realms now provide the user-provided username as the realmIdentity principal.
That can be a problem if identity search is case-insensitive - for example:
* Let's have a filesystem realm on Windows - the user will write "FIRSTuser"; because the filesystem is case-insensitive, the realm will correctly find "firstUser" - but it can obtain two different NamePrincipals - the same user can be two different users for an application running on AS
* the same problem can occur if LDAP search is case-insensitive - not sure, but I think this is the case for Active Directory
* the same can probably occur for JDBC, if the database column is defined as case-insensitive
> Principal name from realms should not be pure user input
> --------------------------------------------------------
>
> Key: ELY-865
> URL: https://issues.jboss.org/browse/ELY-865
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Jan Kalina
> Assignee: Jan Kalina
> Priority: Critical
>
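The mismatch the issue describes, as an added illustration that is not Elytron's code: a stand-in realm whose identity store is keyed case-insensitively (like a filesystem realm on Windows), with the flawed variant building the principal from the caller's input and the corrected variant building it from the name as stored in the realm. The NamePrincipal class and the store are constructed for this example.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Objects;
import java.util.TreeMap;

// Minimal stand-in for a security realm with a case-insensitive identity
// store. These are constructed classes for illustration, not Elytron's own.
public class CanonicalPrincipalDemo {

    // NamePrincipal-like type: equality is on the exact name string, so
    // "FIRSTuser" and "firstUser" are two distinct principals.
    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamePrincipal && name.equals(((NamePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "NamePrincipal[" + name + "]"; }
    }

    // Lookup ignores case; the stored value is the canonical identity name.
    private final Map<String, String> store = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);

    void addIdentity(String storedName) { store.put(storedName, storedName); }

    // Flawed: the identity is found, but the principal carries the raw input.
    Principal principalFromInput(String userInput) {
        if (!store.containsKey(userInput)) return null;
        return new NamePrincipal(userInput);
    }

    // Corrected: the principal carries the canonical name held by the realm,
    // so every spelling of the same identity yields an equal principal.
    Principal principalFromRealm(String userInput) {
        String canonical = store.get(userInput);
        return canonical == null ? null : new NamePrincipal(canonical);
    }

    public static void main(String[] args) {
        CanonicalPrincipalDemo realm = new CanonicalPrincipalDemo();
        realm.addIdentity("firstUser");  // constructed sample identity
        Principal a = realm.principalFromInput("FIRSTuser");
        Principal b = realm.principalFromInput("firstUser");
        System.out.println("from input: " + a + " equals " + b + "? " + a.equals(b));
        Principal c = realm.principalFromRealm("FIRSTuser");
        Principal d = realm.principalFromRealm("firstUser");
        System.out.println("from realm: " + c + " equals " + d + "? " + c.equals(d));
    }
}
```

An application keying authorization decisions or sessions on the principal name sees one identity in the corrected case and two in the flawed one.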
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)