  1. DSpace
  2. DS-1088

AuthenticationManager.allowSetPassword is problematic with stacked authentication modules

    Details

    • Type: Bug
    • Status: Volunteer Needed
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.7.2, 1.8.0, 1.8.1
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Attachments:
      0
    • Comments:
      1
    • Documentation Status:
      Needed

      Description

      This is related to DS-1007 (found in DS-994). In AuthenticationManager.allowSetPassword there's a loop which goes through each authentication method in the stack, and if any of them returns true for their allowSetPassword method, the AuthenticationManager.allowSetPassword method also returns true. This creates situations where the DSpace interface implies that a user can do things such as change their LDAP or Shibboleth password. See this thread on DSpace_tech: http://dspace.2283337.n4.nabble.com/Prevent-LDAP-users-from-changing-password-tt4155171.html

              People

              • Assignee:
                Unassigned
                Reporter:
                hardyoyo Hardy Pottinger

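A minimal model of the any-true aggregation described in this issue, as an added example (not DSpace code and not part of the original report). The `AuthMethod` interface, `ownsAccount`, and the sample accounts are hypothetical, and the stricter policy shown is one possible alternative, not the project's fix.

```java
import java.util.List;
import java.util.Set;

public class StackedSetPasswordDemo {
    // Hypothetical stand-in for one method in the authentication stack (not the DSpace interface).
    interface AuthMethod {
        String name();
        boolean ownsAccount(String username);      // assumption: a method can tell whether it manages an account
        boolean allowSetPassword(String username);
    }

    record Method(String name, Set<String> accounts, boolean canSetPassword) implements AuthMethod {
        public boolean ownsAccount(String u) { return accounts.contains(u); }
        public boolean allowSetPassword(String u) { return canSetPassword; }
    }

    // Behaviour described in the issue: true as soon as ANY method in the stack says yes.
    static boolean anyMethodAllows(List<AuthMethod> stack, String username) {
        for (AuthMethod m : stack) {
            if (m.allowSetPassword(username)) return true;
        }
        return false;
    }

    // Stricter alternative (assumption): only the method that manages the account decides.
    static boolean owningMethodAllows(List<AuthMethod> stack, String username) {
        for (AuthMethod m : stack) {
            if (m.ownsAccount(username)) return m.allowSetPassword(username);
        }
        return false; // unknown account: fail closed
    }

    public static void main(String[] args) {
        // Constructed sample stack: an externally managed directory plus local passwords.
        List<AuthMethod> stack = List.of(
            new Method("ldap", Set.of("alice"), false),
            new Method("password", Set.of("bob"), true));
        // alice is an LDAP account, bob is local, carol is unknown to every method.
        for (String user : List.of("alice", "bob", "carol")) {
            System.out.printf("%-6s any-true=%-5b owning-method=%b%n",
                user, anyMethodAllows(stack, user), owningMethodAllows(stack, user));
        }
    }
}
```

With this stack the any-true check reports `true` for the LDAP-managed account `alice`, which is the misleading UI state the report describes; the per-account check reports `false` for her and `true` only for `bob`.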