DOCU-470

Login handler can be bypassed in CAS module with incorrect setting


Details

    • Type: Improvement
    • Resolution: Duplicate
    • Neutral

    Description

      To understand the problem, see MGNLCAS-7.

      There are two ways to avoid this behaviour:
      1. Disable the Config:/server/filters/login/form (info.magnolia.cms.security.auth.login.FormLogin) handler.
      NOTE: This disables the form login of Magnolia users, for example logging in as superuser via http://localhost:8080/magnoliaAuthor/.magnolia/page/adminCentral.html?mgnlUserId=superuser&mgnlUserPSWD=superuser

      2. Split info.magnolia.jaas.sp.jcr.JCRAuthenticationModule and info.magnolia.jaas.sp.ldap.ADAuthenticationModule into different JAAS login chains.
      For example: add a jaasChain property to Config:/server/filters/login/ntlm/ with the value magnolia-ntlm, and change jaas.config from the configuration described at http://documentation.magnolia-cms.com/display/DOCS45/CAS+Connector+module#CASConnectormodule-ConfiguringJAAS to:

      magnolia {
        info.magnolia.jaas.sp.jcr.JCRAuthenticationModule required;
        info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
      };
      
      magnolia-ntlm {
        info.magnolia.jaas.sp.ldap.ADAuthenticationModule required realm=external;
        info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
      };
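      Added example (not part of this issue and not Magnolia code): a small Python script that parses a jaas.config in the format shown above and reports any login chain that lists both the JCR and the AD authentication module, which is exactly what the split into magnolia and magnolia-ntlm is meant to avoid. Both sample configurations below are constructed here for the check; COMBINED_CONFIG is an illustration of a mixed chain, not the configuration from the linked documentation.

```python
import re

# Constructed sample, modelled on the two split chains in the issue description.
SPLIT_CONFIG = """
magnolia {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule required;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

magnolia-ntlm {
  info.magnolia.jaas.sp.ldap.ADAuthenticationModule required realm=external;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
"""

# Constructed counter-example: both authentication modules sit in one chain.
# This is an illustration for the check, not the documented Magnolia config.
COMBINED_CONFIG = """
magnolia {
  info.magnolia.jaas.sp.ldap.ADAuthenticationModule sufficient realm=external;
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule required;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
"""

JCR_AUTH = "info.magnolia.jaas.sp.jcr.JCRAuthenticationModule"
AD_AUTH = "info.magnolia.jaas.sp.ldap.ADAuthenticationModule"

# A JAAS config is a list of named blocks: name { entries... };
# Each entry is: module.Class FLAG [key=value ...];
# The terminating ';' after '}' is optional here so that a config with the
# terminator missing (a common typo) is still audited rather than rejected.
_BLOCK_RE = re.compile(r"([\w.\-]+)\s*\{(.*?)\}\s*;?", re.S)
_ENTRY_RE = re.compile(
    r"([\w.$]+)\s+(required|requisite|sufficient|optional)\b(.*?);", re.S | re.I
)
_OPTION_RE = re.compile(r'([\w.]+)=("[^"]*"|\S+)')


def _strip_comments(text):
    """Remove // line comments, which JAAS config files allow."""
    return re.sub(r"//[^\n]*", "", text)


def parse_jaas_config(text):
    """Parse a jaas.config string into {chain_name: [entry, ...]}.

    Each entry is a dict with the login module class, its control flag
    (lower-cased) and a dict of its key=value options.
    """
    chains = {}
    for name, body in _BLOCK_RE.findall(_strip_comments(text)):
        entries = []
        for cls, flag, opts in _ENTRY_RE.findall(body):
            options = {k: v.strip('"') for k, v in _OPTION_RE.findall(opts)}
            entries.append({"module": cls, "flag": flag.lower(), "options": options})
        chains[name] = entries
    return chains


def chains_mixing_auth_modules(chains, auth_modules=(JCR_AUTH, AD_AUTH)):
    """Return the names of chains containing more than one of the given
    authentication modules, i.e. chains that were not split as recommended."""
    mixed = []
    for name, entries in chains.items():
        present = {e["module"] for e in entries if e["module"] in auth_modules}
        if len(present) > 1:
            mixed.append(name)
    return mixed


if __name__ == "__main__":
    for label, cfg in (("split", SPLIT_CONFIG), ("combined", COMBINED_CONFIG)):
        mixed = chains_mixing_auth_modules(parse_jaas_config(cfg))
        print(f"{label}: mixed chains = {mixed or 'none'}")
```

      Point the script at a real jaas.config by reading the file into parse_jaas_config; an empty result from chains_mixing_auth_modules means every chain authenticates against a single source, which is the state the second workaround above puts the server in.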
      

      People

              gstockdale Gavan Stockdale
              mdivilek Milan Divilek