Camunda authorization checks are case-sensitive whereas login is not?


Melissa Palmer

Jan 23, 2015, 9:26:13 AM
to camunda-...@googlegroups.com
Hi 

We are having an issue that logins via LDAP are case-insensitive, however the camunda authorization checks are not. 

For example I can login successfully with either MelissP or melissp .... and these are one user on LDAP. However within the camunda apps they are treated as two different people. eg: we've authorized MelissP to have access to everything. But when logging in with melissp you don't get this access. 

We are using Tomcat with MySQL. Is there any config setup which should have been done to stop the above from happening?

Thanks
Melissa

Daniel Meyer

Jan 26, 2015, 12:01:57 PM
to camunda-...@googlegroups.com
Hi Melissa,
interesting feedback. We could enforce usernames to be lowercase, I guess... I am not sure though whether there are systems where this is not the desired behavior or may lead to problems. 
Or it could be a configuration option so that users can turn it on / off depending on their requirements.

However I currently do not see this on the roadmap any time soon, unless we get some more feedback on this or a community contribution.

Regards,
Daniel

Melissa Palmer

Jan 27, 2015, 1:38:15 AM
to camunda-...@googlegroups.com
Hi Daniel

Thanks for the feedback. I wouldn't necessarily suggest enforcing usernames to be lowercase or uppercase but rather allowing them to be case insensitive. Treating 'MelissP' and 'melissp' as two different people, in terms of authorizations but not authentication, is currently causing us issues.
I have done some investigation as to where/how we might be able to offer a case-insensitive authorization option as you suggest, however I am getting stuck. Some pointers in the right direction would be appreciated..... if I get this correct I can definitely try to submit it as a community contribution.

Options/Investigation done thus far
1) Current "Hack" = changing the JavaScript within each camunda app to enforce either upper/lowercase usernames. Change JS around the login calls to something that includes angular.upper() eg:
    $scope.login = function () {
      AuthenticationService
        // lower-case the typed username before it is sent to the server
        .login(angular.lowercase($scope.username), $scope.password)
        .then(function() {
          Notifications.clearAll();
        })
        .catch(function() {
          Notifications.addError({
            status: 'Login Failed',
            message: 'Wrong credentials or missing access rights to application',
            scope: $scope
          });
        });
    };
  }];  // end of the enclosing controller definition (not shown in this excerpt)
I am not liking the above solution... as with new releases from Camunda this could be problematic and it's really not solving the underlying issue.

2) I see that the "problem" lies within the Camunda authentication query within 'Authorization.xml' in that the where clause seems to be an exact match to username "A.USER_ID_ = #{authUserId, jdbcType=VARCHAR}"   [please remember I am not familiar at all with MyBatis so could be incorrect here.]
At the same time.... if we could override the function isAuthorized() of AuthenticationManager that may help..

3) Is there some way when implementing your own engine plugin to override the authentication check similar to the current password check? I don't believe this is currently possible... or if it would make much sense.

4) Ideally there is a better solution to all of my above suggestions as I don't believe any of these are great. Pointers in this direction would really help. 


Thank You in advance
Melissa
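
The mismatch described in this post, modelled as an added example (not part of the original thread and not Camunda code): the directory matches the typed name ignoring case, while the authorization lookup compares the session's user id exactly. All names and data below are hypothetical and constructed, and the LDAP bind is assumed to have already succeeded for the matched entry.

```javascript
// Constructed sample data; every identifier here is hypothetical, not Camunda's API.
// Directory entries: the uid has exactly one stored (canonical) spelling.
const directory = [{ uid: 'MelissP' }];

// Authorization rows keyed by the exact user id string,
// mirroring the exact-match condition A.USER_ID_ = #{authUserId}.
const authorizations = [{ userId: 'MelissP', resource: 'process-definition' }];

// LDAP-style lookup: matching on uid ignores case.
function findEntry(typedName) {
  const wanted = typedName.toLowerCase();
  return directory.find(e => e.uid.toLowerCase() === wanted) || null;
}

// Returns the user id the session will carry, or null for an unknown user.
// canonicalize=false keeps whatever the user typed (the behaviour reported here);
// canonicalize=true replaces it with the uid as stored in the directory.
function sessionUserId(typedName, canonicalize) {
  const entry = findEntry(typedName);
  if (!entry) return null;
  return canonicalize ? entry.uid : typedName;
}

// Exact, case-sensitive comparison, as in the quoted where clause.
function isAuthorized(userId, resource) {
  return authorizations.some(a => a.userId === userId && a.resource === resource);
}

// Compare both behaviours for three spellings of the same directory user.
function demo() {
  return ['MelissP', 'melissp', 'MELISSP'].map(typed => ({
    typed,
    asTyped: isAuthorized(sessionUserId(typed, false), 'process-definition'),
    canonical: isAuthorized(sessionUserId(typed, true), 'process-definition'),
  }));
}

console.table(demo());
```

Using the directory's stored uid keeps existing grants to 'MelissP' valid, whereas lower-casing at login only works if the stored authorization rows are lower-case as well.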

frot...@gmail.com

Apr 27, 2015, 3:42:46 AM
to camunda-...@googlegroups.com
@Daniel
Here is some more feedback ;-)

I agree with Melissa.
We are running into the same problems with Windows authentication, which is not case sensitive.

A configuration option would help us. As a workaround in test and development environment we modify Windows login to lower case. But this is no suitable option for production.

Best Regards
Jan

Daniel Meyer

Apr 27, 2015, 3:55:18 AM
to camunda-...@googlegroups.com, frot...@gmail.com
Thank you.

Is there already a JIRA issue for this?

Daniel

frot...@gmail.com

Apr 27, 2015, 4:11:40 AM
to camunda-...@googlegroups.com, frot...@gmail.com
Hi Daniel,

I don't know. Also I don't have access to JIRA.

Could you please create one?

Thanks
Jan

Daniel Meyer

Apr 27, 2015, 4:19:48 AM
to camunda-...@googlegroups.com, frot...@gmail.com
Hi Jan,

our Jira is open to the public. Anyone can create issues or comment on issues:

You need to create an account.

The issue does not seem to exist yet:

Daniel

Melissa Palmer

Apr 28, 2015, 3:18:02 AM
to camunda-...@googlegroups.com
Hi 

I have created the following Jira for this: https://app.camunda.com/jira/browse/CAM-3812 

Thanks
Melissa

Daniel Meyer

Apr 28, 2015, 4:13:22 AM
to camunda-...@googlegroups.com
Thanks Melissa