-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ldap - avoid providing sensitive (hashed password) on the /whoami endpoint #110
base: main
Are you sure you want to change the base?
Conversation
5c10f69
to
8f15546
Compare
Tests are broken, because the testcontainer LDAP is running on a different port than the one set into the java properties, weirdly enough. |
Race condition when launching tests in parallel, using java properties to pass the infos related to connecting to the LDAP is not thread-safe ; using the following maven-failsafe configuration makes it, but takes longer:
|
ouch. scary :) |
…point This is a kind of revisit of the PR#88.
8f15546
to
985a028
Compare
For the record, the modifications have been introduced in order to allow a connection using the email instead of the uid. I have the feeling that:
Might need revisit, if authentication by e-mail is still a need ? Not even sure. But in the scope of another PR. |
Should have been done in the context of PR #50, but better late than never.
0bd1984
to
fcec37a
Compare
74698bf
to
4660e3a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested and works for me :)
This is a kind of a revisit of the PR #88. The default mapper provided by Spring security maps all the fields retrieved from the LDAP, including the
userPassword
. Even if hashed, I think it it safer not to have the endpoint revealing such information.This PR suggests to use a mapper which always return null when calling
mapPassword
.Note: When working on this one, I first began to patch the case when authenticated onto an Extended/geOrchestra LDAP, then I introduced a new profile to test a case with an LDAP not declared as extended (simply a copy/paste of the previous one, with LDAP extended property set to false), and stumbled upon some modifications introduced in https://github.com/georchestra/georchestra-gateway/pull/50/files that I could not make sense of: from the
basic
ldap package classes, we are creating aExtendedLdapAuthenticationProvider
? For me it does not make sense, and we should revert the previously introduced modifications onto the LdapAuthenticatorProviderBuilder.java class.