New user should be optionaly auto created when using delegateAuthenticationRealm

[niv0]

Yes, not a bug but a feature :-) However, if you want to create a PR to
make the behaviour configurable, will be very happy to review.

Cheers
Dan

On Thu, 1 Dec 2016 at 15:32 Vladimir Nišević vnisevic@gmail.com wrote:

Hi, I am using security module in combination with our Active Directory:

1. Roles and delegate users (without passwords) are created in Isis
   security module
2. Authentication is done thru company Active Directory

I think, I've found an issue in this setup: As part of login procedure, if
the user doesn't exist in Isis security, it will be automatically created
as new delegate user (with Status=Disabled). This leads to potentially many
users in security module, every time when somebody e.g. mistypes the
username.

Here my shiro.ini

[main]
isisModuleSecurityRealm =
org.isisaddons.module.security.shiro.IsisModuleSecurityRealm
*authenticationStrategy =

org.isisaddons.module.security.shiro.AuthenticationStrategyForIsisModuleSecurityRealm*
securityManager.authenticator.authenticationStrategy =
$authenticationStrategy
securityManager.realms = $isisModuleSecurityRealm
isisModuleSecurityRealm.delegateAuthenticationRealm=$activeDirectoryRealm
activeDirectoryRealm =
org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
activeDirectoryRealm.searchBase =********
*activeDirectoryRealm.url = ******

I think the bug is in the class

org.isisaddons.module.security.shiro.IsisModuleSecurityRealm

line 48:

• PrincipalForApplicationUser principal = this.lookupPrincipal(username,
  this.hasDelegateAuthenticationRealm());*

it should be:

• PrincipalForApplicationUser principal = this.lookupPrincipal(username,
  false);*

Or was it on purpose to auto create new delegate user on every login
attempt?

Regards
Vladimir