[DOCU-470] Login handler can be bypassed in CAS module with incorrect setting Created: 12/Sep/13  Updated: 21/May/14  Resolved: 21/May/14

Status: Closed
Project: Documentation
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Neutral
Reporter: Milan Divilek Assignee: Gavan Stockdale
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
duplicate

Description

To understand the problem, see MGNLCAS-7.

There are two ways to avoid this behaviour:
1. Disable the Config:/server/filters/login/form (info.magnolia.cms.security.auth.login.FormLogin) handler.
NOTE: This disables login of Magnolia users, for example superuser, via http://localhost:8080/magnoliaAuthor/.magnolia/page/adminCentral.html?mgnlUserId=superuser&mgnlUserPSWD=superuser

2. Split info.magnolia.jaas.sp.jcr.JCRAuthenticationModule and info.magnolia.jaas.sp.ldap.ADAuthenticationModule into different JAAS login chains.
For example: add a jaasChain property to Config:/server/filters/login/ntlm/ with value magnolia-ntlm, and change jaas.config from the configuration described at http://documentation.magnolia-cms.com/display/DOCS45/CAS+Connector+module#CASConnectormodule-ConfiguringJAAS to

magnolia {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule required;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

magnolia-ntlm {
  info.magnolia.jaas.sp.ldap.ADAuthenticationModule required realm=external;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
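The following is an added example, not part of the issue and not Magnolia's own code: a small parser for the jaas.config syntax shown above plus a check that the two authentication modules really have been split, i.e. that the AD module is absent from the default chain the form handler uses and never shares a chain with the JCR authentication module. Both sample configurations embedded in the block are constructed for the example; the "merged" one is only an illustration of the arrangement the second workaround avoids, not a copy of the configuration in the linked CAS Connector documentation. The chain name "magnolia" as the default chain is assumed from the configuration in the issue.

```python
"""Parse a JAAS login configuration and verify the JCR/AD authentication
split described in DOCU-470.  Added example; not Magnolia project code."""
import re
from dataclasses import dataclass

# Constructed sample: the split configuration proposed in the issue.
SPLIT_CONFIG = """
magnolia {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule required;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

magnolia-ntlm {
  info.magnolia.jaas.sp.ldap.ADAuthenticationModule required realm=external;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
"""

# Constructed sample: both authentication modules in the one default chain
# (illustrative only; not taken from the linked documentation).
MERGED_CONFIG = """
magnolia {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule sufficient;
  info.magnolia.jaas.sp.ldap.ADAuthenticationModule required realm=external;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
"""

JCR_AUTH = "info.magnolia.jaas.sp.jcr.JCRAuthenticationModule"
AD_AUTH = "info.magnolia.jaas.sp.ldap.ADAuthenticationModule"
FLAGS = {"required", "requisite", "sufficient", "optional"}

# Tokens: bare word (optionally followed by a quoted value, as in key="v"),
# a standalone quoted string, or one of the structural characters { } ;
_TOKEN = re.compile(r'[^\s{};"]+(?:"[^"]*")?|"[^"]*"|[{};]')


@dataclass
class ModuleEntry:
    cls: str        # fully qualified LoginModule class name
    flag: str       # JAAS control flag, lower-cased
    options: dict   # key=value options following the flag


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    # Only whole-line // comments, so URLs inside option values survive.
    return re.sub(r"(?m)^\s*//[^\n]*", " ", text)


def parse_jaas_config(text):
    """Return {chain name: [ModuleEntry, ...]} for a jaas.config document."""
    tokens = _TOKEN.findall(_strip_comments(text))
    chains, i = {}, 0
    while i < len(tokens):
        name = tokens[i]
        if i + 1 >= len(tokens) or tokens[i + 1] != "{":
            raise ValueError(f"expected '{{' after chain name {name!r}")
        if name in chains:
            raise ValueError(f"duplicate chain {name!r}")
        i += 2
        entries = []
        while tokens[i] != "}":
            cls, flag = tokens[i], tokens[i + 1].lower()
            if flag not in FLAGS:
                raise ValueError(f"bad control flag {tokens[i + 1]!r} in {name!r}")
            i += 2
            options = {}
            while tokens[i] != ";":
                key, _, value = tokens[i].partition("=")
                options[key] = value.strip('"')
                i += 1
            i += 1  # consume ';'
            entries.append(ModuleEntry(cls, flag, options))
        i += 1  # consume '}'
        if i < len(tokens) and tokens[i] == ";":
            i += 1  # the trailing ';' after a chain is optional here
        chains[name] = entries
    return chains


def authentication_split(chains, default_chain="magnolia"):
    """True when the AD module is not in the default chain, no chain holds
    both JCR and AD authentication, and some chain does hold the AD module."""
    mods = {name: {e.cls for e in entries} for name, entries in chains.items()}
    if AD_AUTH in mods.get(default_chain, set()):
        return False
    if any({JCR_AUTH, AD_AUTH} <= classes for classes in mods.values()):
        return False
    return any(AD_AUTH in classes for classes in mods.values())


if __name__ == "__main__":
    for label, cfg in (("split", SPLIT_CONFIG), ("merged", MERGED_CONFIG)):
        print(label, "ok" if authentication_split(parse_jaas_config(cfg)) else "NOT split")
```

Run it against the real jaas.config of an instance (read the file and pass its text to parse_jaas_config) after applying the second workaround; a False result from authentication_split means the AD module is still reachable through the chain the form login handler uses.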

Generated at Mon Feb 12 01:09:23 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.