32af9610dd
The cache provides a get method with a callable to load the value into the cache. Our callable performs authentication and then returns a value. The issue with this is that the cache will queue concurrent calls if a value is already being loaded and return the result to all callers. This is problematic since the key is only the username and we do not validate the credentials as part of the get call. This means it is possible for valid credentials to be returned a null user and authentication fails. Additionally, another variant exists where it is possible for invalid credentials to be returned a valid user, which allows an attacker to gain access by only knowing a username and issuing a large number of concurrent requests. Closes elastic/elasticsearch#860 Original commit: elastic/x-pack-elasticsearch@3d122d3bbb |
||
|---|---|---|
| .. | ||
| bin/shield | ||
| config/shield | ||
| dev-tools | ||
| docs | ||
| src | ||
| LICENSE.txt | ||
| NOTICE.txt | ||
| README.asciidoc | ||
| TESTING.asciidoc | ||
| pom.xml | ||
| test-signatures.txt | ||
README.asciidoc
= Elasticsearch Security Plugin This plugins adds security features to elasticsearch You can build the plugin with `mvn package`. The documentation is put in the `docs/` directory.