[jboss-jira] [JBoss JIRA] (ELY-760) Elytron Ldap Realm searches roles before validating password
Jan Kalina (JIRA)
issues at jboss.org
Wed Jan 11 12:48:00 EST 2017
[ https://issues.jboss.org/browse/ELY-760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13346734#comment-13346734 ]
Jan Kalina commented on ELY-760:
--------------------------------
This mean to divide LdapSecurityRealm.getIdentity(), so extractFilteredAttributes() will be called as part of getAuthorizationIdentity() or getAttributes().
This mean to change design - LdapIdentity.attributes will not be final anymore, will be lazy loaded.
> Elytron Ldap Realm searches roles before validating password
> ------------------------------------------------------------
>
> Key: ELY-760
> URL: https://issues.jboss.org/browse/ELY-760
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Realms
> Affects Versions: 1.1.0.Beta13
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Critical
>
> In Ldap Realm roles are searched before actual user password is validated. Ldap Realm uses following flow:
> # searching for username
> # searching for roles (i.e. searching for attributes)
> # validating password for username
> It means even if wrong password is used then roles in LDAP are searched. Password should be validated before some roles are searched. Current behavior can result to performance issues.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list