jackrabbit-oak-issues mailing list archives

From "Julian Reschke (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (OAK-4397) DefaultSyncContext.syncMembership may sync group of a foreign IDP
Date Fri, 03 Nov 2017 13:43:00 GMT

    [ https://issues.apache.org/jira/browse/OAK-4397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16237597#comment-16237597 ]

Julian Reschke edited comment on OAK-4397 at 11/3/17 1:42 PM:

trunk: [r1745336|http://svn.apache.org/r1745336]
1.4: [r1757697|http://svn.apache.org/r1757697]

was (Author: reschke):
trunk: [r1745336|http://svn.apache.org/r1745336]

> DefaultSyncContext.syncMembership may sync group of a foreign IDP
> -----------------------------------------------------------------
>                 Key: OAK-4397
>                 URL: https://issues.apache.org/jira/browse/OAK-4397
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-external
>            Reporter: angela
>            Assignee: angela
>            Priority: Critical
>              Labels: security
>             Fix For: 1.4.7, 1.5.3, 1.6.0
> With the following scenario the {{DefaultSyncContext.syncMembership}} may end up synchronizing (i.e. updating) a group defined by a foreign IDP and even add the user to be synchronized as a new member:
> - configuration with different IDPs
> - foreign IDP synchronizes a given external group 'groupA' => rep:externalId points to foreign-IDP (e.g. rep:externalId = 'groupA;foreignIDP')
> - my-IDP contains a group with the same ID (but obviously with a different rep:externalId) and user that has declared group membership pointing to 'groupA' from my IDP
> if synchronizing my user first the groupA will be created with a rep:externalId = 'groupA;myIDP'.
> however, if the group has been synced before by the foreignIDP the code fails to verify that an existing group 'groupA' really belongs to the same IDP and thus may end up synchronizing the group and updating its members.
> IMHO that's a critical issue as it violates the IDP boundaries.
> the fix is pretty trivial as it only requires testing for the IDP of the existing group as we do it in other places (even in the same method).
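The following is an added, stand-alone model of the boundary check the issue calls for; it is not Oak's DefaultSyncContext and the class and method names (ExternalRef, SyncedGroup, SyncContext, syncMembership) are assumptions. The only thing taken from the issue is the rep:externalId format "<id>;<providerName>" (e.g. 'groupA;foreignIDP'). The same method is run twice on a constructed repository where foreignIDP has already synced groupA: once without the check, reproducing the reported behaviour (the foreign group gains a member), and once with the provider-name comparison that leaves the foreign group untouched.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/* Added illustration of the OAK-4397 check; not Oak code. Names are assumptions. */
public class IdpBoundaryCheck {

    /** The two halves of a rep:externalId value, "<id>;<providerName>". */
    static final class ExternalRef {
        final String id;
        final String providerName;

        ExternalRef(String id, String providerName) {
            this.id = id;
            this.providerName = providerName;
        }

        /** Parse "groupA;foreignIDP"; splitting on the last ';' keeps an id containing ';' intact. */
        static ExternalRef parse(String externalId) {
            int sep = externalId.lastIndexOf(';');
            if (sep < 0) {
                throw new IllegalArgumentException("rep:externalId without provider: " + externalId);
            }
            return new ExternalRef(externalId.substring(0, sep), externalId.substring(sep + 1));
        }

        String asString() {
            return id + ";" + providerName;
        }
    }

    /** A synced group node: its rep:externalId and its declared members. */
    static final class SyncedGroup {
        final String externalId;
        final Set<String> members = new LinkedHashSet<>();

        SyncedGroup(String externalId) {
            this.externalId = externalId;
        }
    }

    /** Sync context of one IDP over a repository keyed by the IDP-independent group id. */
    static final class SyncContext {
        final String idpName;
        final Map<String, SyncedGroup> groups;
        final List<String> skipped = new ArrayList<>();

        SyncContext(String idpName, Map<String, SyncedGroup> groups) {
            this.idpName = idpName;
            this.groups = groups;
        }

        /** Add the user to each declared group; verifyIdp == false reproduces the reported defect. */
        void syncMembership(String userId, List<String> declaredGroupIds, boolean verifyIdp) {
            for (String groupId : declaredGroupIds) {
                SyncedGroup group = groups.get(groupId);
                if (group == null) {
                    // First sync of this group from our IDP: create it tagged with our provider name.
                    group = new SyncedGroup(new ExternalRef(groupId, idpName).asString());
                    groups.put(groupId, group);
                } else if (verifyIdp) {
                    String owner = ExternalRef.parse(group.externalId).providerName;
                    if (!owner.equals(idpName)) {
                        // The fix: an existing group of another IDP is never updated from here.
                        skipped.add(groupId + " (owned by " + owner + ")");
                        continue;
                    }
                }
                group.members.add(userId);
            }
        }
    }

    public static void main(String[] args) {
        List<String> declared = List.of("groupA");

        // Constructed scenario: foreignIDP synced groupA before myIDP syncs user "alice".
        Map<String, SyncedGroup> unchecked = new LinkedHashMap<>();
        unchecked.put("groupA", new SyncedGroup("groupA;foreignIDP"));
        new SyncContext("myIDP", unchecked).syncMembership("alice", declared, false);
        System.out.println("without check: " + unchecked.get("groupA").externalId
                + " members = " + unchecked.get("groupA").members);

        Map<String, SyncedGroup> checked = new LinkedHashMap<>();
        checked.put("groupA", new SyncedGroup("groupA;foreignIDP"));
        SyncContext ctx = new SyncContext("myIDP", checked);
        ctx.syncMembership("alice", declared, true);
        System.out.println("with check:    " + checked.get("groupA").externalId
                + " members = " + checked.get("groupA").members + ", skipped = " + ctx.skipped);
    }
}
```

The comparison is on the provider name only, because the group id is exactly what the two IDPs share; comparing the full rep:externalId string would also work, but reporting which IDP owns the existing group makes the skipped membership visible in sync logs, which is what an operator wants when two directories disagree about the same group name.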

This message was sent by Atlassian JIRA
