From fe82c8ab4c46b954675f4ec73cc3532db636d5c1 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Tue, 10 Mar 2015 16:33:48 -0500
Subject: [PATCH] SEC-2897: ActiveDirectoryLdapAuthenticationProvider uses bindPrincipal
---
 ...veDirectoryLdapAuthenticationProvider.java | 2 +-
 ...ectoryLdapAuthenticationProviderTests.java | 30 +++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider.java b/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider.java
index 6a26c2a896..9e7d7bdeb7 100644
--- a/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider.java
+++ b/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider.java
@@ -273,7 +273,7 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
 try {
 return SpringSecurityLdapTemplate.searchForSingleEntryInternal(context, searchControls,
- searchRoot, searchFilter, new Object[]{username});
+ searchRoot, searchFilter, new Object[]{bindPrincipal});
 } catch (IncorrectResultSizeDataAccessException incorrectResults) {
 // Search should never return multiple results if properly configured - just rethrow
 if (incorrectResults.getActualSize() != 0) {
diff --git a/ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java b/ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java
index 11935f28ae..77719ed1ae 100644
--- a/ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java
+++ b/ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java
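Review bot: The value bound to `{0}` is now the derived bind principal (the `user@domain` form the new test expects as `joe@mydomain.eu`) instead of the raw username, which is right for the default `userPrincipalName={0}` filter but is a silent behavior change for any custom filter installed through `setSearchFilter` that keyed on the bare login name, such as an `sAMAccountName` filter. Nothing in the hunk documents this; the `setSearchFilter` Javadoc should say it, e.g. `The {0} placeholder is replaced with the bind principal (user@domain), not the bare username.` Passing the principal as a search argument, as this line keeps doing, rather than concatenating it into `searchFilter` lets the parameterized `DirContext.search` escape filter metacharacters in user-supplied names, so later refactoring should preserve that form. The enclosing method starts and ends outside the hunk, so how `bindPrincipal` is derived from `username` is not visible here.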
@@ -21,6 +21,7 @@ import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
+import org.mockito.ArgumentCaptor;
 import org.springframework.dao.IncorrectResultSizeDataAccessException;
 import org.springframework.ldap.core.DirContextAdapter;
 import org.springframework.ldap.core.DistinguishedName;
@@ -41,8 +42,10 @@ import javax.naming.NamingException;
 import javax.naming.directory.DirContext;
 import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
+
 import java.util.Hashtable;
+import static org.fest.assertions.Assertions.assertThat;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
@@ -146,6 +149,33 @@ public class ActiveDirectoryLdapAuthenticationProviderTests {
 verify(ctx).search(any(DistinguishedName.class), eq(defaultSearchFilter), any(Object[].class), any(SearchControls.class));
 }
+ // SEC-2897
+ @Test
+ public void bindPrincipalUsed() throws Exception {
+ //given
+ final String defaultSearchFilter = "(&(objectClass=user)(userPrincipalName={0}))";
+ ArgumentCaptor captor = ArgumentCaptor.forClass(Object[].class);
+
+ DirContext ctx = mock(DirContext.class);
+ when(ctx.getNameInNamespace()).thenReturn("");
+
+ DirContextAdapter dca = new DirContextAdapter();
+ SearchResult sr = new SearchResult("CN=Joe Jannsen,CN=Users", dca, dca.getAttributes());
+ when(ctx.search(any(Name.class), eq(defaultSearchFilter), captor.capture(), any(SearchControls.class)))
+ .thenReturn(new MockNamingEnumeration(sr));
+
+ ActiveDirectoryLdapAuthenticationProvider customProvider
+ = new ActiveDirectoryLdapAuthenticationProvider("mydomain.eu", "ldap://192.168.1.200/");
+ customProvider.contextFactory = createContextFactoryReturning(ctx);
+
+ //when
+ Authentication result = customProvider.authenticate(joe);
+
+ //then
+ assertThat(captor.getValue()).containsOnly("joe@mydomain.eu");
+ assertTrue(result.isAuthenticated());
+ }
+
 @Test(expected = IllegalArgumentException.class)
 public void setSearchFilterNull() {
 provider.setSearchFilter(null);
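Review bot: The new test redeclares the literal `(&(objectClass=user)(userPrincipalName={0}))` as a local `defaultSearchFilter` although the preceding test, whose closing lines open this hunk, already carries one of its own; a `private static final String DEFAULT_SEARCH_FILTER` on the test class would remove the duplication and keep both tests in step with the provider's default. As printed, `captor` is a raw `ArgumentCaptor`; if that is not an `Object[]` type argument lost in rendering, the declaration should read `ArgumentCaptor<Object[]> captor = ArgumentCaptor.forClass(Object[].class);`. The assertions mix FEST `assertThat` with JUnit `assertTrue` on adjacent lines; `assertThat(result.isAuthenticated()).isTrue();` keeps the block in one style. Only a bare username is exercised, so a sibling test with a login that already carries a domain suffix would pin what `{0}` receives in that case too, which this hunk cannot show since the principal derivation lives elsewhere. The test class continues outside the hunk.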