Shiro backdoor

Shiro backdoor

P82
Hi all,
 
I have a system that can be accessed by a web interface (HTTP servlet) and
by CLI.
 
In my application I have a superuser with a loginname and password. When
someone wants to use the system by web as the superuser he must
provide the superuser loginname and password. In this case the Shiro web filter is
used and everything is ok → I have subject.login(...), subject.logout() etc.
So, everything is clear here.
 
However, when someone uses the application by CLI he needs to work as superuser
without providing a loginname and password (by CLI it is possible to reset the superuser
loginname and password). So, I need to log the superuser in without a loginname and
password. Could anyone say how it can be done in Shiro? I mean I have a User
object and I need to authenticate it in Shiro without a loginname and password.
 
Best regards, Alex
 
Re: Shiro backdoor

lprimak
That’s really dangerous.
I would suggest something like client certificate authentication in web browsers to do this job

> On May 15, 2020, at 1:08 PM, Alex Sviridov <[hidden email]> wrote:
>
> Hi all,
>
> I have a system that can be accessed by a web interface (HTTP servlet) and
> by CLI.
>
> In my application I have a superuser with a loginname and password. When
> someone wants to use the system by web as the superuser he must
> provide the superuser loginname and password. In this case the Shiro web filter is
> used and everything is ok → I have subject.login(...), subject.logout() etc.
> So, everything is clear here.
>
> However, when someone uses the application by CLI he needs to work as superuser
> without providing a loginname and password (by CLI it is possible to reset the superuser
> loginname and password). So, I need to log the superuser in without a loginname and
> password. Could anyone say how it can be done in Shiro? I mean I have a User
> object and I need to authenticate it in Shiro without a loginname and password.
>
> Best regards, Alex
>

Re: Shiro backdoor

Benjamin Marwell
Yes exactly. You should replace "no authentication" with "hidden
authentication".
For example:
You can use a second realm for this which knows the public part of the
certificate. The client could be configured to automatically pass the
corresponding private certificate.

On Fri., 15 May 2020 at 20:34, Lenny Primak <[hidden email]> wrote:

>
> That’s really dangerous.
> I would suggest something like client certificate authentication in web browsers to do this job
>
> > On May 15, 2020, at 1:08 PM, Alex Sviridov <[hidden email]> wrote:
> >
> > Hi all,
> >
> > I have a system that can be accessed by a web interface (HTTP servlet) and
> > by CLI.
> >
> > In my application I have a superuser with a loginname and password. When
> > someone wants to use the system by web as the superuser he must
> > provide the superuser loginname and password. In this case the Shiro web filter is
> > used and everything is ok → I have subject.login(...), subject.logout() etc.
> > So, everything is clear here.
> >
> > However, when someone uses the application by CLI he needs to work as superuser
> > without providing a loginname and password (by CLI it is possible to reset the superuser
> > loginname and password). So, I need to log the superuser in without a loginname and
> > password. Could anyone say how it can be done in Shiro? I mean I have a User
> > object and I need to authenticate it in Shiro without a loginname and password.
> >
> > Best regards, Alex
> >
>
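The "second realm that knows the public part of the certificate" suggested in the replies, written out as an added example (not code from the thread or from Apache Shiro itself). It assumes the CLI connects over a mutually authenticated TLS session, so the TLS layer has already proved possession of the private key and the realm only has to pin the public certificate and map it to the superuser; `CliCertToken`, `CliCertRealm`, the pinned certificate and the superuser name are all hypothetical names for this illustration.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/** Token carrying the client certificate taken from the CLI's TLS session (hypothetical, not a Shiro class). */
class CliCertToken implements AuthenticationToken {
    private final X509Certificate cert;
    CliCertToken(X509Certificate cert) { this.cert = cert; }
    @Override public Object getPrincipal()   { return cert.getSubjectX500Principal().getName(); }
    @Override public Object getCredentials() { return cert; }
}

/** Second realm: only the pinned certificate authenticates, and it maps to the existing superuser. */
class CliCertRealm extends AuthorizingRealm {
    private final X509Certificate pinned;   // public part of the CLI certificate, loaded at startup (assumed)
    private final String superuser;         // the same loginname the password realm knows (assumed)

    CliCertRealm(X509Certificate pinned, String superuser) {
        this.pinned = pinned;
        this.superuser = superuser;
        // The check is done in doGetAuthenticationInfo; no password-style comparison applies here.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    /** Password tokens keep going to the web realm; this realm only answers certificate tokens. */
    @Override public boolean supports(AuthenticationToken token) { return token instanceof CliCertToken; }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        X509Certificate presented = (X509Certificate) token.getCredentials();
        try {
            presented.checkValidity();                                   // reject expired / not-yet-valid certs
        } catch (CertificateException e) {
            throw new AuthenticationException("CLI certificate outside its validity period", e);
        }
        if (!presented.equals(pinned)) {                                 // compares the encoded certificate
            throw new AuthenticationException("CLI certificate is not the pinned one");
        }
        return new SimpleAuthenticationInfo(superuser, presented, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole("superuser");                                       // role name assumed
        return info;
    }
}
```

The CLI side then calls `SecurityUtils.getSubject().login(new CliCertToken(cert))` instead of a `UsernamePasswordToken`, and the private key on the CLI host needs the same file-permission care as the password store it replaces.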