I don't see the problem. If your LDAP server allows an anonymous bind, an empty
password is a valid input. If it does not, then authentication will fail.

xxxxxxxxxxxxxxxxxxxxxxxx
Scott Stark
Chief Technology Officer
JBoss Group, LLC
xxxxxxxxxxxxxxxxxxxxxxxx

----- Original Message ----- 
From: "Robert Dingwell" <[EMAIL PROTECTED]>
To: "jboss-development_list" <[EMAIL PROTECTED]>; 
<[EMAIL PROTECTED]>
Sent: Tuesday, September 10, 2002 2:34 PM
Subject: [JBoss-dev] LdapLoginModule Bug: Problem with empty passwords


> Using the LdapLoginModule, supplying an empty password for a user causes
> an anonymous bind to happen. This is documented in the JNDI
> documentation here
> http://java.sun.com/products/jndi/tutorial/ldap/faq/context.html.
> 
> Read the section  [ Why does the LDAP provider ignore my security
> environment properties if I do not set the Context.SECURITY_CREDENTIALS
> ("java.naming.security.credentials") property or set it to the empty
> string? ] . Supplying an empty string as the credentials causes the
> context to set the SECURITY_AUTHENTICATION  property to "none" and then
> does an anon bind.
> 
> If your LDAP server is set to accept anon connections this is a problem
> for the LdapLoginModule. Supplying the empty password does not cause an
> exception to be thrown and the uid and the roles for that uid are passed
> back.
> 
> Here is the patch for this as well. The only thing that needed to be
> changed in the method was to check to make sure the password is not an
> empty string as well as null.
> 
>    protected boolean validatePassword(String inputPassword, String expectedPassword)
>    {
>       boolean isValid = false;
>       if( inputPassword != null && !inputPassword.equals(""))
>       {
>          try
>          {
>             // Validate the password by trying to create an initial context
>             String username = getUsername();
>             createLdapInitContext(username, inputPassword);
>             isValid = true;
>          }
>          catch(NamingException e)
>          {
>             super.log.error("Failed to validate password", e);
>          }
>       }
>       return isValid;
>    }
> 
> 
> 
> Rob Dingwell
> 
> 
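The failure mode Rob describes, and the effect of his added empty-string check, as an added Python simulation that is not JBoss code: the fake `ldap_bind` mimics the provider behaviour from the JNDI FAQ, where a null or empty credential turns the request into an anonymous bind, and the directory contents are constructed sample data.

```python
"""Simulate the LdapLoginModule empty-password pitfall and the fix."""
from typing import Optional

# Constructed sample directory (DN -> password); not real data.
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=com": "s3cret"}


class NamingException(Exception):
    """Stand-in for javax.naming.NamingException."""


def ldap_bind(dn: Optional[str], password: Optional[str],
              allow_anonymous: bool = True) -> str:
    """Emulate the JNDI LDAP provider: a null or empty credential is sent as
    an anonymous bind, which a server that permits anonymous access accepts
    no matter which DN was supplied."""
    if password is None or password == "":
        if allow_anonymous:
            return "anonymous"
        raise NamingException("anonymous bind refused by server")
    if DIRECTORY.get(dn) == password:
        return "authenticated"
    raise NamingException("invalid credentials")


def validate_password_original(dn: str, input_password: Optional[str]) -> bool:
    """Null-only check: an empty string reaches the bind and 'validates'."""
    is_valid = False
    if input_password is not None:
        try:
            ldap_bind(dn, input_password)
            is_valid = True
        except NamingException:
            pass
    return is_valid


def validate_password_patched(dn: str, input_password: Optional[str]) -> bool:
    """Rob's fix: refuse the empty string before any bind is attempted."""
    is_valid = False
    if input_password is not None and input_password != "":
        try:
            ldap_bind(dn, input_password)
            is_valid = True
        except NamingException:
            pass
    return is_valid
```

The same anonymous-bind outcome can also be closed on the server side by refusing anonymous access, which is the case Scott's reply covers.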


_______________________________________________
Jboss-development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development