IDEMPIERE-3931 LDAP Users must not be able to login with AD_User password

This commit is contained in:
Carlos Ruiz 2019-03-25 16:12:32 -03:00
parent 2df5088624
commit ca2c67999d
1 changed files with 27 additions and 19 deletions


@ -268,10 +268,8 @@ public class Login
authenticated = system.isLDAP(app_user, app_pwd); authenticated = system.isLDAP(app_user, app_pwd);
if (authenticated) { if (authenticated) {
app_pwd = null; app_pwd = null;
authenticated=true;
} }
// if not authenticated, use AD_User as backup - just for non-LDAP users
// if not authenticated, use AD_User as backup
} }
boolean hash_password=MSysConfig.getBooleanValue(MSysConfig.USER_PASSWORD_HASH, false); boolean hash_password=MSysConfig.getBooleanValue(MSysConfig.USER_PASSWORD_HASH, false);
@ -304,11 +302,13 @@ public class Login
// always do calculation to confuse timing based attacks // always do calculation to confuse timing based attacks
if ( user == null ) if ( user == null )
user = MUser.get(m_ctx, 0); user = MUser.get(m_ctx, 0);
if (!system.isLDAP() || Util.isEmpty(user.getLDAPUser())) {
if ( user.authenticateHash(app_pwd) ) if ( user.authenticateHash(app_pwd) )
{ {
authenticated = true; authenticated = true;
} }
} }
}
else{ else{
StringBuffer sql = new StringBuffer("SELECT AD_User.AD_User_ID ").append(" FROM AD_User "); StringBuffer sql = new StringBuffer("SELECT AD_User.AD_User_ID ").append(" FROM AD_User ");
sql.append(" WHERE ").append(userNameCol).append("=?"); sql.append(" WHERE ").append(userNameCol).append("=?");
@ -324,10 +324,11 @@ public class Login
while(rs1.next()){ while(rs1.next()){
MUser user = new MUser(m_ctx, rs1.getInt(1), null); MUser user = new MUser(m_ctx, rs1.getInt(1), null);
if (!system.isLDAP() || Util.isEmpty(user.getLDAPUser())) {
if (user.getPassword() != null && user.getPassword().equals(app_pwd)) { if (user.getPassword() != null && user.getPassword().equals(app_pwd)) {
authenticated=true; authenticated=true;
} }
}
} }
}catch (Exception ex) { }catch (Exception ex) {
@ -1278,7 +1279,10 @@ public class Login
if (system.isLDAP()) if (system.isLDAP())
{ {
authenticated = system.isLDAP(app_user, app_pwd); authenticated = system.isLDAP(app_user, app_pwd);
// if not authenticated, use AD_User as backup if (authenticated) {
app_pwd = null;
}
// if not authenticated, use AD_User as backup (just for non-LDAP users)
} }
boolean hash_password = MSysConfig.getBooleanValue(MSysConfig.USER_PASSWORD_HASH, false); boolean hash_password = MSysConfig.getBooleanValue(MSysConfig.USER_PASSWORD_HASH, false);
@ -1371,12 +1375,16 @@ public class Login
// authenticated by ldap // authenticated by ldap
if (authenticated) { if (authenticated) {
valid = true; valid = true;
} else if (hash_password) { } else {
if (!system.isLDAP() || Util.isEmpty(user.getLDAPUser())) {
if (hash_password) {
valid = user.authenticateHash(app_pwd); valid = user.authenticateHash(app_pwd);
} else { } else {
// password not hashed // password not hashed
valid = user.getPassword() != null && user.getPassword().equals(app_pwd); valid = user.getPassword() != null && user.getPassword().equals(app_pwd);
} }
}
}
if (valid ) { if (valid ) {
if (user.isLocked()) if (user.isLocked())
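Review bot: The new guard `if (!system.isLDAP() || Util.isEmpty(user.getLDAPUser()))` in the second hunk sits directly under the comment `// always do calculation to confuse timing based attacks`, yet for an LDAP-bound user it skips `user.authenticateHash(app_pwd)` entirely, so a failed login for such a user likely completes noticeably faster than a failed local login and the comment no longer describes what the code does; the same guard before `if (hash_password)` in the last hunk has the same effect. Keeping the hash computation unconditional and gating only the outcome preserves the original intent, e.g. `boolean localPasswordAllowed = !system.isLDAP() || Util.isEmpty(user.getLDAPUser());` followed by `if (user.authenticateHash(app_pwd) && localPasswordAllowed) { authenticated = true; }` with the hash call first so it is never short-circuited. The same condition is now written out three times (second, third and last hunks); a small private helper such as `isLocalPasswordAllowed(MUser user)`, documented with a one-line comment that LDAP-bound users must never fall back to the AD_User password, would keep the three sites from drifting apart. The enclosing methods begin before each hunk, and the last hunk's method continues past the visible lines.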