midsuit
/
core-jgi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

IDEMPIERE-3931 LDAP Users must no be able to login with AD_User password

This commit is contained in:
Carlos Ruiz 2019-03-25 16:12:32 -03:00
parent 2df5088624
commit ca2c67999d
1 changed files with 27 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
org.adempiere.base/src/org/compiere/util/Login.java
View File

@ -266,12 +266,10 @@ public class Login
if (system.isLDAP()) if (system.isLDAP())
{ {
authenticated = system.isLDAP(app_user, app_pwd); authenticated = system.isLDAP(app_user, app_pwd);
if (authenticated){ if (authenticated) {
app_pwd = null; app_pwd = null;
authenticated=true;
} }
// if not authenticated, use AD_User as backup - just for non-LDAP users
// if not authenticated, use AD_User as backup
} }
boolean hash_password=MSysConfig.getBooleanValue(MSysConfig.USER_PASSWORD_HASH, false); boolean hash_password=MSysConfig.getBooleanValue(MSysConfig.USER_PASSWORD_HASH, false);
@ -304,9 +302,11 @@ public class Login
// always do calculation to confuse timing based attacks // always do calculation to confuse timing based attacks
if ( user == null ) if ( user == null )
user = MUser.get(m_ctx, 0); user = MUser.get(m_ctx, 0);
if ( user.authenticateHash(app_pwd) ) if (!system.isLDAP() || Util.isEmpty(user.getLDAPUser())) {
{ if ( user.authenticateHash(app_pwd) )
authenticated = true; {
authenticated = true;
}
} }
} }
else{ else{
@ -324,10 +324,11 @@ public class Login
while(rs1.next()){ while(rs1.next()){
MUser user = new MUser(m_ctx, rs1.getInt(1), null); MUser user = new MUser(m_ctx, rs1.getInt(1), null);
if (user.getPassword() != null && user.getPassword().equals(app_pwd)) { if (!system.isLDAP() || Util.isEmpty(user.getLDAPUser())) {
authenticated=true; if (user.getPassword() != null && user.getPassword().equals(app_pwd)) {
authenticated=true;
}
} }
} }
}catch (Exception ex) { }catch (Exception ex) {
@ -1277,8 +1278,11 @@ public class Login
if (system.isLDAP()) if (system.isLDAP())
{ {
authenticated = system.isLDAP(app_user, app_pwd); authenticated = system.isLDAP(app_user, app_pwd);
// if not authenticated, use AD_User as backup if (authenticated) {
app_pwd = null;
}
// if not authenticated, use AD_User as backup (just for non-LDAP users)
} }
boolean hash_password = MSysConfig.getBooleanValue(MSysConfig.USER_PASSWORD_HASH, false); boolean hash_password = MSysConfig.getBooleanValue(MSysConfig.USER_PASSWORD_HASH, false);
@ -1369,16 +1373,20 @@ public class Login
clientsValidated.add(user.getAD_Client_ID()); clientsValidated.add(user.getAD_Client_ID());
boolean valid = false; boolean valid = false;
// authenticated by ldap // authenticated by ldap
if (authenticated){ if (authenticated) {
valid = true; valid = true;
} else if (hash_password) {
valid = user.authenticateHash(app_pwd);
} else { } else {
// password not hashed if (!system.isLDAP() || Util.isEmpty(user.getLDAPUser())) {
valid = user.getPassword() != null && user.getPassword().equals(app_pwd); if (hash_password) {
} valid = user.authenticateHash(app_pwd);
} else {
// password not hashed
valid = user.getPassword() != null && user.getPassword().equals(app_pwd);
}
}
}
if (valid ) { if (valid ) {
if (user.isLocked()) if (user.isLocked())
{ {
validButLocked = true; validButLocked = true;