SEC-2897: ActiveDirectoryLdapAuthenticationProvider uses bindPrincipal

11 years ago · 3adbf53502
2 changed files with 31 additions and 1 deletions
--- a/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider.java
+++ b/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider.java
@ -285,7 +285,7 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
				@@ -285,7 +285,7 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda

        try {
            return SpringSecurityLdapTemplate.searchForSingleEntryInternal(context, searchControls,
-                    searchRoot, searchFilter, new Object[]{username});
+                    searchRoot, searchFilter, new Object[]{bindPrincipal});
        } catch (IncorrectResultSizeDataAccessException incorrectResults) {
            // Search should never return multiple results if properly configured - just rethrow
            if (incorrectResults.getActualSize() != 0) {
--- a/ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java
+++ b/ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java
@ -21,6 +21,7 @@ import org.junit.Before;
				@@ -21,6 +21,7 @@ import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
+import org.mockito.ArgumentCaptor;
 import org.springframework.dao.IncorrectResultSizeDataAccessException;
 import org.springframework.ldap.core.DirContextAdapter;
 import org.springframework.ldap.core.DistinguishedName;
@ -41,8 +42,10 @@ import javax.naming.NamingException;
				@@ -41,8 +42,10 @@ import javax.naming.NamingException;
 import javax.naming.directory.DirContext;
 import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
+
 import java.util.Hashtable;

+import static org.fest.assertions.Assertions.assertThat;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
@ -127,6 +130,33 @@ public class ActiveDirectoryLdapAuthenticationProviderTests {
				@@ -127,6 +130,33 @@ public class ActiveDirectoryLdapAuthenticationProviderTests {
        verify(ctx).search(any(DistinguishedName.class), eq(defaultSearchFilter), any(Object[].class), any(SearchControls.class));
    }

+    // SEC-2897
+    @Test
+    public void bindPrincipalUsed() throws Exception {
+        //given
+        final String defaultSearchFilter = "(&(objectClass=user)(userPrincipalName={0}))";
+        ArgumentCaptor<Object[]> captor = ArgumentCaptor.forClass(Object[].class);
+
+        DirContext ctx = mock(DirContext.class);
+        when(ctx.getNameInNamespace()).thenReturn("");
+
+        DirContextAdapter dca = new DirContextAdapter();
+        SearchResult sr = new SearchResult("CN=Joe Jannsen,CN=Users", dca, dca.getAttributes());
+        when(ctx.search(any(Name.class), eq(defaultSearchFilter), captor.capture(), any(SearchControls.class)))
+                .thenReturn(new MockNamingEnumeration(sr));
+
+        ActiveDirectoryLdapAuthenticationProvider customProvider
+                = new ActiveDirectoryLdapAuthenticationProvider("mydomain.eu", "ldap://192.168.1.200/");
+        customProvider.contextFactory = createContextFactoryReturning(ctx);
+
+        //when
+        Authentication result = customProvider.authenticate(joe);
+
+        //then
+        assertThat(captor.getValue()).containsOnly("joe@mydomain.eu");
+        assertTrue(result.isAuthenticated());
+    }
+
    @Test(expected = IllegalArgumentException.class)
    public void setSearchFilterNull() {
        provider.setSearchFilter(null);