[JAVA-2462] Unauthenticated LDAP user gaining db access
Created: 07/Mar/17  Updated: 07/Mar/17  Resolved: 07/Mar/17

Status: Closed
Project: Java Driver
Component/s: Authentication
Affects Version/s: 3.2.1
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Mitchell Arnett
Assignee: Unassigned
Resolution: Duplicate
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

OSX 10.11.16, mongodb-driver (3.2.1), mongodb-driver-core (3.2.1), bson (3.2.1), java version "1.8.0_112", Java(TM) SE Runtime Environment (build 1.8.0_112-b16), Java HotSpot(TM) 64-Bit Server VM (build 25.112-b16, mixed mode)



 Description   

While testing a program that instantiates a MongoClient instance for the user, I came across the following:

1) the MongoClient does not perform any authentication when being created
2) authentication occurs when a command is being executed on the MongoClient

I want to check if provided credentials are valid before returning the MongoClient to the user, so I began testing to see what command would throw an exception if the credentials were incorrect.

During one of my tests I observed the following:
1) a MongoClient that was created with invalid credentials was capable of connecting to our db, listing out the collections, and listing out the documents within those collections.

This MongoClient is being instantiated with a MongoClientURI which contains the username and password. The users are authenticated using LDAP.
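
An added example, not part of the original report and not the driver's own code: one way to do the pre-return check described above is to run the server's `connectionStatus` command and hand out the client only if the server lists the URI's user as authenticated on that connection. The class name `VerifiedMongoClientFactory` and the method `connect` are hypothetical, and the URI is supplied by the caller.

```java
import com.mongodb.MongoClient;
import com.mongodb.MongoClientURI;
import com.mongodb.MongoCredential;
import org.bson.Document;

import java.util.List;

// Hypothetical helper (not part of the driver): fail closed unless the server
// itself reports the expected user as authenticated.
public final class VerifiedMongoClientFactory {

    public static MongoClient connect(String uri) {
        MongoClientURI clientUri = new MongoClientURI(uri);
        MongoCredential expected = clientUri.getCredentials();
        if (expected == null) {
            throw new IllegalArgumentException("URI carries no credentials");
        }
        // Constructing the client performs no authentication.
        MongoClient client = new MongoClient(clientUri);
        try {
            // The first command forces a connection to be opened. connectionStatus
            // needs no privileges and returns authInfo.authenticatedUsers.
            Document status = client.getDatabase("admin")
                    .runCommand(new Document("connectionStatus", 1));
            Document authInfo = status.get("authInfo", Document.class);
            List<?> users = authInfo == null
                    ? null : authInfo.get("authenticatedUsers", List.class);
            if (users != null) {
                for (Object entry : users) {
                    Document user = (Document) entry;
                    if (expected.getUserName().equals(user.getString("user"))
                            && expected.getSource().equals(user.getString("db"))) {
                        return client; // server confirms the identity
                    }
                }
            }
            throw new SecurityException("server does not report "
                    + expected.getUserName() + " as authenticated");
        } catch (RuntimeException e) {
            client.close(); // never return a client that failed the check
            throw e;
        }
    }

    public static void main(String[] args) {
        // args[0]: connection URI supplied by the caller (assumption).
        MongoClient client = connect(args[0]);
        System.out.println("authenticated; databases: " + client.listDatabaseNames().first());
        client.close();
    }
}
```

Checking the server's view of the connection, rather than only waiting for an exception, also catches the case reported here, where commands succeed although the credentials should have been rejected.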



 Comments   
Comment by Mitchell Arnett [ 07/Mar/17 ]

This is an accidental duplicate of JAVA-2461
