Grouper Developers Forum

[dan <>]

And while I'm at it - does anyone else consider it a security flaw that Grouper naively interpolates the string into a query? In my experience this has been one of the BIG no-nos of web application development.

One could easily type a query that closes the open brace around a search term and inserts additional terms into queries that expose additional information or breaks the system in other ways.

Isn't there a more standardised way to template JNDI queries without exposing security problems, just like PrepareStatement in JDBC?

Just stoking the fires of controversy ;-)

Dan

On 1/24/07, dan <> wrote:

Hi there,

I'm using the JNDISourceAdapter to connect Grouper to our OpenLDAP users directory. There was a time when searching worked fine, but now all of a sudden it doesn't, but just for searches other than uidNumber.

That is to say, if I click "Search Subjects" in the interface, and type "joe", knowing full well there IS a user with uid=joe, I don't get anything back. If I type "1000" (joe has a uidNumber of 1000), it works.

Our search entry looks like this:

 <search>
       <searchType>search</searchType>
         <param>
            <param-name>filter</param-name>
            <param-value>
                (&amp; (|(uid=%TERM%)(uidNumber=%TERM%)(cn=*%TERM%*))(objectclass=posixAccount))
            </param-value>
        </param>
        <param>
            <param-name>scope</param-name>
            <param-value>
                SUBTREE_SCOPE           
            </param-value>
        </param>
         <param>
            <param-name>base</param-name>
            <param-value>
                ou=People,dc=research,dc=editure,dc=com
            </param-value>
        </param>
    </search>


Help! Does anyone know what's going on? This is with Grouper 1.1.

Thanks,
Dan