  1. Jetspeed 2 (Retired)
  2. JS2-221

Current SecurityAccess Implementation prevents the multi-authentication provider mechanism from working

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 2.0-M2
    • 2.0-dev/cvs, 2.0-M2
    • Security
    • None
    • Microsoft Windows XP with SP2
      J2SDK 1.4.2_07

    Description

      When I have two authentication providers (a database authentication provider and an LDAP authentication provider), the first time I log in with a principal which is defined in LDAP, I can log in successfully. The second time, this user's authentication provider will change to the default database, because J2 will create a mapping-only principal in table SECURITY_PRINCIPAL. Of course, I fail to log in.

      I think it should not return the database authentication provider, it should return the real authentication provider.

      I changed the code in class: org.apache.jetspeed.security.spi.impl.SecurityAccessImpl
      The original code:
      /**
       * <p>
       * Returns if a Internal UserPrincipal is defined for the user name.
       * </p>
       * @param username The user name.
       * @return true if the user is known
       */
      public boolean isKnownUser(String username)
      {
          UserPrincipal userPrincipal = new UserPrincipalImpl(username);
          String fullPath = userPrincipal.getFullPath();
          // Get user.
          Criteria filter = new Criteria();
          filter.addEqualTo("fullPath", fullPath);
          Query query = QueryFactory.newQuery(InternalUserPrincipalImpl.class, filter);
          return getPersistenceBrokerTemplate().getCount(query) == 1;
      }

      Code after I modified:
      /**
       * <p>
       * Returns if a Internal UserPrincipal is defined for the user name.
       * The Jetspeed 2 implementation does not distinguish if this user
       * is a Mapping_Only user. I think we have to distinguish it cause it will
       * return the wrong Authentication Provider.
       * An alternative solution is: we binding the username and Authentication Provider
       * for the first time login, then cache it in the memory or something,
       * then we don't need to change here.
       * </p>
       * @param username The user name.
       * @return true if the user is known
       */
      public boolean isKnownUser(String username)
      {
          UserPrincipal userPrincipal = new UserPrincipalImpl(username);
          String fullPath = userPrincipal.getFullPath();
          // Get user.
          Criteria filter = new Criteria();
          // fullPath must be equal.
          filter.addEqualTo("fullPath", fullPath);
          // The isMappingOnly must not be true.
          // We don't need the mapping only user, mapping user can't be authenticated with this provider.
          // we just need the true user.
          filter.addEqualTo("isMappingOnly", Boolean.FALSE);
          Query query = QueryFactory.newQuery(InternalUserPrincipalImpl.class, filter);
          return getPersistenceBrokerTemplate().getCount(query) == 1;
      }
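
An added example, not part of the original report and not Jetspeed code: a self-contained Java (16+) model of the behaviour described above, showing how a mapping-only row lets the database provider claim an LDAP user on the second lookup and how the extra `isMappingOnly` criterion prevents it. The `Provider` and `PrincipalRow` types, the first-match resolution order and the `/user/alice` path are assumptions made for illustration.

```java
import java.util.*;
import java.util.function.Predicate;

// Added illustration: a minimal model of provider resolution, not Jetspeed code.
public class ProviderResolutionDemo {
    // Constructed stand-in for a SECURITY_PRINCIPAL row.
    record PrincipalRow(String fullPath, boolean mappingOnly) {}
    // Hypothetical provider: a name plus its "is this user mine?" check.
    record Provider(String name, Predicate<String> isKnownUser) {}

    // Database provider; filterMappingOnly switches on the extra criterion from the report.
    static Provider dbProvider(List<PrincipalRow> table, boolean filterMappingOnly) {
        return new Provider("database", path -> table.stream()
                .filter(r -> r.fullPath().equals(path))
                .filter(r -> !filterMappingOnly || !r.mappingOnly())
                .count() == 1);
    }

    static Provider ldapProvider(Set<String> directory) {
        return new Provider("ldap", directory::contains);
    }

    // Assumption: providers are asked in order and the first that knows the user wins.
    static String resolve(List<Provider> providers, String path) {
        for (Provider p : providers) {
            if (p.isKnownUser().test(path)) return p.name();
        }
        return "none";
    }

    public static void main(String[] args) {
        String alice = "/user/alice"; // constructed sample principal path
        for (boolean fixed : new boolean[] {false, true}) {
            List<PrincipalRow> table = new ArrayList<>();
            List<Provider> providers = List.of(dbProvider(table, fixed), ldapProvider(Set.of(alice)));
            String first = resolve(providers, alice);
            table.add(new PrincipalRow(alice, true)); // mapping-only row written after the first login
            String second = resolve(providers, alice);
            System.out.println((fixed ? "with filter:    " : "without filter: ") + first + " -> " + second);
        }
    }
}
```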

          People

            ate Ate Douma
            norwaywoods Jian Liao