shiro-dev mailing list archives

From Brian Demers <brian.dem...@gmail.com>
Subject Re: Adding username case sensitivity handling to class org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
Date Fri, 19 Oct 2018 12:58:20 GMT
The number of different LDAP user schemas (and variations on implementations)
is just about unlimited.
https://xkcd.com/927/

Your proposal is just related to the group/role lookup search?  Can you put
together a PR with this?


On Fri, Oct 19, 2018 at 12:47 AM glen.chick <glen.chick@capgemini.com>
wrote:

> Hi,
>
> I am new to using Shiro - so, I may be wrong in the analysis below.
> If so, any feedback to sort errors in the assessment below would be MUCH
> appreciated.
> Alternatively - if the analysis below is roughly correct, then I am
> proposing the changes specified in the "Proposal" section below be
> considered.
>
> *Background*
> Currently, we are using Apache Shiro to Authenticate and Authorize users
> for a Zeppelin installation.
> Apache Shiro is configured to talk to Windows Active Directory (i.e. LDAP)
> using the org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm class
> to configure an Active Directory Realm in the shiro.realms file.
>
> For a User called "John.Smith" we can delete a notebook in Zeppelin.
>
> However, if we try to delete the SAME notebook for a user called
> "john.smith" we receive the following alert/message:
>
> "Insifficient priviledges to rename note. But the user john.smith belongs
> to: [john.smith]".
>
> It **appears** that the shiro (i.e. Shiro is used by Zeppelin for
> authentication and authorization) handling of usernames is case-sensitive.
>
> This is an issue for our user base.
>
> When I looked at the username case-sensitivity handling in the LdapRealm
> file, org.apache.zeppelin.realm.LdapRealm, there is a boolean field
> userLowerCase which is used by the rolesFor method to set the username to
> lower case if the userLowerCase flag is true, i.e.
>
>
> protected Set<String> rolesFor(PrincipalCollection principals, String userNameIn,
>         final LdapContext ldapCtx, final LdapContextFactory ldapContextFactory, Session session)
>         throws NamingException {
>     final Set<String> roleNames = new HashSet<>();
>     final Set<String> groupNames = new HashSet<>();
>     final String userName;
>     if (getUserLowerCase()) {
>       log.debug("userLowerCase true");
>       userName = userNameIn.toLowerCase();
>     } else {
>       userName = userNameIn;
>     }
>
>
> i.e. Username case sensitivity handling IS facilitated in the
> org.apache.zeppelin.realm.LdapRealm class, BUT doesn't seem to be
> facilitated in the
> org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm class.
>
> This **appears** to be inconsistent, and BOTH
> org.apache.zeppelin.realm.LdapRealm and
> org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm are, in the
> end, dealing with LDAP installations.
>
>
> *Proposal:*
> Add a field userCase to the
> org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm class.
> The "userCase" field could support the following values:
> - default.        (i.e. No case changes will be made to the username)
> - lowerCase    (i.e. The username will be converted to lower case.)
> - upperCase    (i.e. The username will be converted to upper case.)
> - properCase   (i.e. The username will be converted to proper case.)
>
> Suggestions on alternate ways to handle this issue would also be much
> appreciated!
>
>
> Thanks
>
>
> CHEERS - Glen Chick
>
>
>
>
> --
> Sent from: http://shiro-developer.582600.n2.nabble.com/
>
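
An added example, not part of the original thread and not Shiro or Zeppelin code: a sketch of the four userCase modes from the proposal, applied to both the stored owner and the login name before an authorization comparison. The names UserCase, isOwner and properCase are hypothetical, the usernames are constructed samples, and the meaning of "proper case" (capitalise each segment after '.', '-', '_' or space) is an assumption, since the proposal does not define it.

```java
import java.util.Locale;

public class UserCaseDemo {
    // Hypothetical enum mirroring the four values in the proposal; not a Shiro or Zeppelin API.
    enum UserCase {
        DEFAULT, LOWER_CASE, UPPER_CASE, PROPER_CASE;

        String apply(String userName) {
            switch (this) {
                // Locale.ROOT keeps the result identical on every host, whatever its default locale.
                case LOWER_CASE:  return userName.toLowerCase(Locale.ROOT);
                case UPPER_CASE:  return userName.toUpperCase(Locale.ROOT);
                case PROPER_CASE: return properCase(userName);
                default:          return userName; // no case change
            }
        }

        // Assumption: "proper case" capitalises the first letter of each segment
        // delimited by '.', '-', '_' or space; the proposal does not define it.
        private static String properCase(String s) {
            StringBuilder out = new StringBuilder(s.length());
            boolean segmentStart = true;
            for (char c : s.toLowerCase(Locale.ROOT).toCharArray()) {
                out.append(segmentStart ? Character.toUpperCase(c) : c);
                segmentStart = (c == '.' || c == '-' || c == '_' || c == ' ');
            }
            return out.toString();
        }
    }

    // Authorization check: the stored owner and the login name go through the same mode.
    static boolean isOwner(String storedOwner, String login, UserCase mode) {
        return mode.apply(storedOwner).equals(mode.apply(login));
    }

    public static void main(String[] args) {
        String storedOwner = "John.Smith";                             // constructed sample
        String[] logins = {"John.Smith", "john.smith", "JOHN.SMITH"};  // constructed sample
        for (UserCase mode : UserCase.values()) {
            for (String login : logins) {
                System.out.printf("%-11s %-10s -> %-10s owner=%b%n",
                        mode, login, mode.apply(login), isOwner(storedOwner, login, mode));
            }
        }
        // Locale pitfall: under a Turkish locale, toLowerCase maps 'I' to dotless 'ı',
        // so a default-locale conversion can normalise one account differently per host.
        Locale turkish = Locale.forLanguageTag("tr");
        System.out.println("ADMIN".toLowerCase(turkish).equals("ADMIN".toLowerCase(Locale.ROOT)));
    }
}
```

Whichever mode is chosen, it has to be applied at every point where a principal name is stored or compared (login, role lookup, ownership checks); normalising on only one side reproduces the mismatch described in the thread.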
