[MAGNOLIA-3561] RescueSecuritySupport is incomplete
Created: 23/Feb/11  Updated: 29/Jul/11  Resolved: 29/Jul/11

Status: Closed
Project: Magnolia
Component/s: core, security
Affects Version/s: None
Fix Version/s: 4.4.5

Type: Bug
Priority: Critical
Reporter: Magnolia International
Assignee: Federico Grilli
Resolution: Fixed
Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: AccountNotFoundException.txt
Issue Links:
dependency
is depended upon by MGNLGROOVY-36 Groovy rescue servlet does not work w... Closed

 Description   

Since MAGNOLIA-1699 and MAGNOLIA-1707, users are stored in sub folders. RescueSecuritySupport should therefore, at the minimum, call setRealm("system") on the UserManager instances it configures.

Better, it should actually provide "fake" user instances, instead of relying on the repository (which might have been corrupted as well).



 Comments   
Comment by Philipp Bärfuss [ 08/Mar/11 ]

Increasing the priority as this has to work to rescue damaged instances.

Comment by Antti Hietala [ 01/Jul/11 ]

Voting up. This issue is marked critical but it is not assigned to anyone. Please assign an owner.

Instructions on the wiki page "Messed up security" do not work with Magnolia 4.4.4.

To reproduce:

  1. Add the RescueSecuritySupport line to magnolia.properties.
  2. Start Magnolia.
  3. Attempt to log in with an account that is locked out or whose password you can't remember.


Expected outcome: Security is bypassed. You can log in and fix the configuration.
Actual outcome: System throws AccountNotFoundException. No access granted. Error log attached.

Comment by Daniel Lipp [ 28/Jul/11 ]

to be backported to trunk

Comment by Federico Grilli [ 29/Jul/11 ]

ported to 5.0
