LTI user provider may allow LMS admins to become Opencast admins

Steps to reproduce

Matthias Neugebauer
Attachments
Apr 17 (3 days ago)
to security

The LTI documentation currently reads:

To give LMS users the same username in Opencast as the LMS username, uncomment the constructor arguments below and update CONSUMERKEY to the same key used above:

We use Opencast in this configuration so that the role provider can load additional roles. I have read the LTI authentication code multiple times, but it never occurred to me that Opencast trusts the provided username even for users like admin or opencast_system_account. I know that this is a configuration problem, but in my opinion it is quite surprising that the LMS admin could become the Opencast admin through LTI.

The attached patch adds an additional String parameter to the LtiLaunchAuthenticationHandler, which contains a RegEx. Usernames that match will be rewritten like in the untrusted LTI configuration. The patch configures admin and opencast_system_account to be in that expression by default.

Best regards
Matthias Neugebauer

Matthias Neugebauer
Westfälische Wilhelms-Universität
Leonardo-Campus 3 - Raum 334
48149 Münster
Telefon: +49 251 83-38268
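A stand-alone model of the check the report proposes, added here as an illustration and not taken from Opencast or from the attached patch. The `lti:<consumerkey>:<username>` rewrite format, the function names and the sample launches are assumptions; only the default protected accounts (admin, opencast_system_account) come from the report.

```python
import re
from typing import Iterable

# Default for the new parameter proposed in the report: local accounts that must
# never be reachable verbatim through a trusted LTI consumer.
DEFAULT_PROTECTED_USERNAMES = r"admin|opencast_system_account"

# Hypothetical rewrite format for untrusted launches (Opencast's real prefix may differ).
LTI_PREFIX = "lti"


def rewrite_untrusted(consumer_key: str, lti_username: str) -> str:
    """Namespace the username by consumer so it cannot collide with a local account."""
    return f"{LTI_PREFIX}:{consumer_key}:{lti_username}"


def effective_username(lti_username: str, consumer_key: str,
                       trusted_consumers: Iterable[str],
                       protected_pattern: str = DEFAULT_PROTECTED_USERNAMES) -> str:
    """Return the Opencast username a launch maps to.

    Before the patch a trusted consumer's username was used verbatim, so a launch
    claiming "admin" became the Opencast admin.  With the patch, usernames matching
    protected_pattern are rewritten exactly like untrusted launches.
    """
    if consumer_key not in set(trusted_consumers):
        return rewrite_untrusted(consumer_key, lti_username)
    # fullmatch: "administrator" is only affected if the pattern says so
    if re.fullmatch(protected_pattern, lti_username):
        return rewrite_untrusted(consumer_key, lti_username)
    return lti_username


def audit_launches(launches, trusted_consumers, protected_pattern=DEFAULT_PROTECTED_USERNAMES):
    """List (consumer, username, new_name) for launches that the old behaviour would
    have mapped to a local account verbatim but the patched logic namespaces."""
    blocked = []
    for key, user in launches:
        before = user if key in trusted_consumers else rewrite_untrusted(key, user)
        after = effective_username(user, key, trusted_consumers, protected_pattern)
        if before != after:
            blocked.append((key, user, after))
    return blocked


if __name__ == "__main__":
    # Constructed sample launches: one trusted LMS ("CONSUMERKEY") and one unknown consumer.
    sample = [("CONSUMERKEY", "alice"), ("CONSUMERKEY", "admin"),
              ("CONSUMERKEY", "opencast_system_account"), ("unknown-lms", "admin")]
    for row in audit_launches(sample, {"CONSUMERKEY"}):
        print("rewritten:", row)
```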


Matthias Neugebauer
August 14, 2018, 11:08 AM

See MH-13034.

Fixed and reviewed


Greg Logan


Matthias Neugebauer