Spring Security / SEC-1848

AbstractLdapAuthenticator must escape username

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1.0.RC2, 3.0.7
    • Fix Version/s: 3.0.8, 3.1.0
    • Component/s: LDAP
    • Labels: None

      Description

      AbstractLdapAuthenticator.getUserDns() must escape provided username before formatting it into userDnFormat. It should use LdapEncoder.nameEncode().

        Activity

        Luke Taylor added a comment -

        Thanks for spotting this. I've added the encoding to the name value when using the userDns approach.

        Vít Novák added a comment -

        Unfortunately this change has broken our authentication mechanism. The reason is simple: we first do the search manually with LdapTemplate#search and then we use the distinguishedName to authenticate.

        The test could look like this:

          @Test
          public void testAuthenticationWithDistinguishedName() {
            authenticator.setUserDnPatterns(new String[] { "{0}" });
            authenticator.authenticate(new UsernamePasswordAuthenticationToken("uid=bob,ou=people", "bobspassword"));
          }
        

        And it fails with

        org.springframework.ldap.BadLdapGrammarException: 
        Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: 
        Lexical error at line 1, column 4.  Encountered: "\\" (92), after : ""
        

        I am not sure if this is correct usage; anyway, could the encoding be configurable?

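The two halves of this thread (the reporter's point that a username substituted into a userDnPattern must be escaped so it stays a single attribute value, and Vít Novák's regression where the pattern is just "{0}" and the "username" is already a full DN) can be illustrated together with a small Python example. This is an added illustration written for this page; the escaper and the DN parser below are not Spring LDAP's LdapEncoder or its DN grammar. The escaped character set (the RFC 4514 specials plus '=') is an assumption chosen to be consistent with the "column 4" lexical error quoted in the comment: escaping the '=' in "uid=bob,..." puts a backslash at column 4, exactly where a DN parser that only allows escapes inside values will fail.

```python
# Added example (not Spring LDAP code): why the username must be escaped
# before substitution into a DN pattern, and why that same escaping breaks a
# caller who passes a complete DN with the pattern "{0}".

# Characters escaped inside an attribute value. RFC 4514 requires the first
# seven; '=' is added on the assumption that nameEncode escapes it too (that
# is what places the backslash at column 4 in the error quoted above).
_SPECIAL = set('\\,+"<>;=')


def name_encode(value: str) -> str:
    """Escape a string so it can only ever be one DN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == ' ' and (i == 0 or i == last):   # leading/trailing space
            out.append('\\ ')
        elif ch == '#' and i == 0:                  # leading '#'
            out.append('\\#')
        else:
            out.append(ch)
    return ''.join(out)


def format_user_dn(pattern: str, username: str, encode: bool) -> str:
    """Mimic userDnPatterns substitution: '{0}' is replaced by the username,
    escaped or raw depending on the flag (the knob the comment asks for)."""
    value = name_encode(username) if encode else username
    return pattern.replace('{0}', value)


def parse_dn(dn: str) -> list:
    """Minimal DN parser: a sequence of type=value RDNs separated by ','.
    Attribute types may contain only letters, digits and '-'; escapes are
    only legal inside values, so a backslash in a type is a lexical error."""
    rdns = []
    i, n = 0, len(dn)
    while True:
        start = i
        while i < n and (dn[i].isalnum() or dn[i] == '-'):
            i += 1
        if i == start or i >= n or dn[i] != '=':
            found = dn[i] if i < n else 'end of input'
            raise ValueError(f'Lexical error at column {i + 1}. '
                             f'Encountered: {found!r}')
        attr_type = dn[start:i]
        i += 1                                      # skip '='
        value = []
        while i < n and dn[i] != ',':
            if dn[i] == '\\':
                if i + 1 >= n:
                    raise ValueError(f'Lexical error at column {i + 1}. '
                                     'Trailing backslash')
                value.append(dn[i + 1])
                i += 2
            else:
                value.append(dn[i])
                i += 1
        rdns.append((attr_type, ''.join(value)))
        if i >= n:
            return rdns
        i += 1                                      # skip ','


def try_parse(dn: str) -> tuple:
    """Return ('ok', rdns) or ('error', message) instead of raising."""
    try:
        return ('ok', parse_dn(dn))
    except ValueError as exc:
        return ('error', str(exc))


if __name__ == '__main__':
    # Constructed sample inputs: a username carrying an extra RDN, and the
    # already-resolved DN used by the commenter's LdapTemplate#search flow.
    cases = [('uid={0},ou=people', 'bob,ou=admins'),
             ('{0}', 'uid=bob,ou=people')]
    for pattern, user in cases:
        for encode in (False, True):
            dn = format_user_dn(pattern, user, encode)
            print(f'pattern={pattern!r:22} encode={encode!s:5} '
                  f'{dn!r:32} -> {try_parse(dn)}')
```

Running the script shows the two behaviours side by side: without escaping, "bob,ou=admins" turns the pattern into a three-RDN name in which the second RDN came from the untrusted input, whereas with escaping it stays a single value of the uid attribute; with the pattern "{0}" and a genuine DN, escaping produces "uid\=bob\,ou\=people", which no longer parses, while the raw value parses as two RDNs. That is the trade-off the comment describes and the reason an opt-out (or using the DN search path rather than a pattern) is needed when the caller already holds a DN.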

          People

          • Assignee: Luke Taylor
          • Reporter: Mikhail Mazursky
          • Votes: 0
          • Watchers: 2
