Using the LdapLoginModule, supplying an empty password for a user causes an anonymous bind to happen. This is documented in the JNDI documentation here http://java.sun.com/products/jndi/tutorial/ldap/faq/context.html.
Read the section [ Why does the LDAP provider ignore my security environment properties if I do not set the Context.SECURITY_CREDENTIALS ("java.naming.security.credentials") property or set it to the empty string? ]. Supplying an empty string as the credentials causes the context to set the SECURITY_AUTHENTICATION property to "none" and then does an anon bind. If your Ldap server is set to accept anon connections this is a problem for the LdapLoginModule. Supplying the empty password does not cause an exception to be thrown and the uid and the roles for that uid are passed back.

Here is the patch for this as well. The only thing that needed to be changed in the method was to check to make sure the password is not an empty string as well as null.

```java
// LdapLoginModule.validatePassword: reject an empty password as well as null,
// otherwise the empty string reaches the LDAP provider and turns into an anonymous bind.
protected boolean validatePassword(String inputPassword, String expectedPassword)
{
   boolean isValid = false;
   if( inputPassword != null && !inputPassword.equals("") )
   {
      try
      {
         // Validate the password by trying to create an initial context
         String username = getUsername();
         createLdapInitContext(username, inputPassword);
         isValid = true;
      }
      catch(NamingException e)
      {
         super.log.error("Failed to validate password", e);
      }
   }
   return isValid;
}
```

Rob Dingwell
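The same guard, carried into a stand-alone helper as an added example (not the LdapLoginModule patch above and not JBoss code): the password is checked before the JNDI environment is ever built, because the linked FAQ notes that an empty SECURITY_CREDENTIALS value yields an anonymous bind even when SECURITY_AUTHENTICATION is set to "simple". The server URL, DN and class names are placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;

// Example helper (assumed names, not the LdapLoginModule patch): build the JNDI
// environment for a simple bind only when a non-empty password is present.
public class GuardedLdapBind {

    /** Raised when a bind would silently become anonymous. */
    public static class EmptyCredentialsException extends NamingException {
        public EmptyCredentialsException(String msg) { super(msg); }
    }

    // A null or empty SECURITY_CREDENTIALS value makes the LDAP provider do an
    // anonymous bind even when SECURITY_AUTHENTICATION is "simple", so the
    // check has to happen here, before the provider is ever invoked.
    public static Hashtable<String, Object> buildBindEnv(String url, String principalDn, String password)
            throws EmptyCredentialsException {
        if (password == null || password.length() == 0) {
            throw new EmptyCredentialsException("empty password for " + principalDn + "; refusing to bind");
        }
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principalDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    /** True only if the directory accepted principalDn with this (non-empty) password. */
    public static boolean validatePassword(String url, String principalDn, String password) {
        try {
            InitialLdapContext ctx = new InitialLdapContext(buildBindEnv(url, principalDn, password), null);
            ctx.close();          // bind succeeded; only the authentication result was needed
            return true;
        } catch (EmptyCredentialsException e) {
            return false;         // rejected locally, the server is never contacted
        } catch (NamingException e) {
            return false;         // server refused the bind (bad password, unknown DN, ...)
        }
    }

    public static void main(String[] args) throws Exception {
        String url = "ldap://ldap.example.test:389";          // placeholder server
        String dn = "uid=jdoe,ou=people,dc=example,dc=test";  // placeholder DN
        try { buildBindEnv(url, dn, ""); } catch (EmptyCredentialsException e) { System.out.println("rejected: " + e.getMessage()); }
        System.out.println("env built with " + buildBindEnv(url, dn, "s3cret").size() + " properties");
    }
}
```

Running main without a directory server only exercises the local check; validatePassword needs a reachable LDAP server to return true.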