Hippo CMS
CMS-12761

SecurityServiceImpl does not use non-internal user/group provider (e.g. LDAP)


Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • 13.4.2
    • Component: repository
    • Flagged
    • Orion
    • BrXM Backlog

    Description

      The security service implementation org.hippoecm.repository.security.service.SecurityServiceImpl uses the internal user manager and group manager directly in its #hasUser, #getUser, #hasGroup and #getGroup methods, instead of going through the configured security providers.

      This is a problem when the LDAP addon [1] is installed, specifically when the hipposys:dirlevels property of the LDAP user provider is greater than 0, see [2].

      ERROR stack trace logged
      Since 13.0.0, see CHANNELMGR-2212, the channel manager uses the security service to look up the user's first and last name. When logging into the CMS as an LDAP-based user, a very long stack trace is logged:

      INFO 18.02.2020 11:06:11 ERROR http-nio-8080-exec-9 [ChannelEditor.setUserData:221] Unable to retrieve information of user 'p0023456'.
      INFO javax.jcr.ItemNotFoundException: No such user: p0023456
      INFO    at org.hippoecm.repository.security.service.SecurityServiceImpl.getUser(SecurityServiceImpl.java:69) ~[hippo-repository-engine-13.4.1.jar:13.4.1]
      INFO    at org.onehippo.cms7.channelmanager.channeleditor.ChannelEditor.setUserData(ChannelEditor.java:217) [hippo-addon-channel-manager-frontend-13.4.1.jar:13.4.1]
      INFO    at org.onehippo.cms7.channelmanager.channeleditor.ChannelEditor.<init>(ChannelEditor.java:174) [hippo-addon-channel-manager-frontend-13.4.1.jar:13.4.1]
      INFO    at org.onehippo.cms7.channelmanager.RootPanel.<init>(RootPanel.java:138) [hippo-addon-channel-manager-frontend-13.4.1.jar:13.4.1]
      INFO    at org.onehippo.cms7.channelmanager.ChannelManagerPerspective.<init>(ChannelManagerPerspective.java:55) [hippo-addon-channel-manager-frontend-13.4.1.jar:13.4.1] 
      
      ... 70+ lines more!

      No Open UI data
      Besides the stack trace, the following Open UI properties [3] are probably empty for such a user:

      ui.user.firstName
      ui.user.lastName
      ui.user.displayName
      

      Analysis

      • the LDAP user manager with dirlevels=2 stores user p0023456 at /hippo:configuration/hippo:users/p/0/p0023456
      • SecurityServiceImpl#getUser uses the internal user manager, which looks at path /hippo:configuration/hippo:users/p0023456 in AbstractUserManager#getUser, so the lookup fails with the ItemNotFoundException above even though the user node exists
      • since #hasUser, #hasGroup and #getGroup use the internal managers in the same direct way, callers of the security service cannot see users or groups that only a non-internal provider would resolve
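
      The path mismatch above, modelled as an added example (this is not Hippo CMS code, and the names below are not Hippo API). The layout rule is inferred from the single path the issue shows, /p/0/p0023456 for dirlevels=2, and is an assumption: one directory level per leading character of the user id, and ids shorter than dirlevels get fewer levels. The repository is simulated as a set of JCR-style paths. lookup_internal_only mirrors the behaviour described for SecurityServiceImpl#getUser; lookup_via_providers shows the provider-aware alternative the issue asks for.

```python
"""Model of the hippo:users layout behind CMS-12761 (added example, not Hippo CMS code).

Assumptions, inferred from the issue's example path /p/0/p0023456 (dirlevels=2):
  * with hipposys:dirlevels = N a user node lives N levels below hippo:users,
    one level per leading character of the user id;
  * the internal user manager ignores dirlevels and reads hippo:users/<userid>.
The repository is simulated as a set of absolute JCR-style paths.
"""

USERS_ROOT = "/hippo:configuration/hippo:users"


class NoSuchUser(LookupError):
    """Stands in for javax.jcr.ItemNotFoundException("No such user: ...")."""


def user_path(user_id: str, dirlevels: int, root: str = USERS_ROOT) -> str:
    """Path of a user node for a provider configured with `dirlevels`.

    One directory level per leading character of the id (assumption, see module
    docstring); an id shorter than `dirlevels` simply gets fewer levels.
    """
    if not user_id:
        raise ValueError("empty user id")
    if dirlevels < 0:
        raise ValueError("dirlevels must be >= 0")
    levels = list(user_id[:dirlevels])
    return "/".join([root, *levels, user_id])


class UserManager:
    """Looks users up the way one configured provider stores them."""

    def __init__(self, name: str, dirlevels: int, repo: set):
        self.name = name
        self.dirlevels = dirlevels
        self.repo = repo

    def has_user(self, user_id: str) -> bool:
        return user_path(user_id, self.dirlevels) in self.repo

    def get_user(self, user_id: str) -> dict:
        path = user_path(user_id, self.dirlevels)
        if path not in self.repo:
            raise NoSuchUser(f"No such user: {user_id}")
        return {"id": user_id, "path": path, "provider": self.name}


def lookup_internal_only(repo: set, user_id: str) -> dict:
    """Behaviour described for SecurityServiceImpl#getUser: internal manager only."""
    return UserManager("internal", 0, repo).get_user(user_id)


def lookup_via_providers(managers, user_id: str) -> dict:
    """Provider-aware lookup: ask each configured user manager in turn."""
    for manager in managers:
        if manager.has_user(user_id):
            return manager.get_user(user_id)
    raise NoSuchUser(f"No such user: {user_id}")


def demo() -> dict:
    """Constructed repository: one internal user and one LDAP user (dirlevels=2)."""
    internal = UserManager("internal", 0, set())
    ldap = UserManager("ldap", 2, set())
    repo = {user_path("admin", internal.dirlevels), user_path("p0023456", ldap.dirlevels)}
    internal.repo = ldap.repo = repo

    try:
        lookup_internal_only(repo, "p0023456")
        internal_error = None
    except NoSuchUser as exc:  # this is the ItemNotFoundException from the issue
        internal_error = str(exc)

    return {
        "ldap_user_path": user_path("p0023456", 2),
        "internal_error": internal_error,
        "via_providers": lookup_via_providers([internal, ldap], "p0023456"),
        "admin_via_providers": lookup_via_providers([internal, ldap], "admin"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

      Running the block shows the flat lookup raising "No such user: p0023456" while the provider-aware lookup returns the node at /hippo:configuration/hippo:users/p/0/p0023456; the internal user admin resolves either way, which is why the bug only surfaces for LDAP-based logins.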

      [1] https://documentation.bloomreach.com/library/enterprise/enterprise-features/ldap-security-provider/ldap-addon.html
      [2] https://documentation.bloomreach.com/library/concepts/security/security-management-configuration.html
      [3] https://documentation.bloomreach.com/library/concepts/open-ui/open-ui-extension-client-library.html

      People

        Assignee: Unassigned
        Reporter: jhoffman (Jeroen Hoffman)
        Votes: 0
        Watchers: 4