Bugs item #627405, was opened at 2002-10-23 04:51
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=376685&aid=627405&group_id=22866
Category: JBossSX
Group: None
>Status: Closed
>Resolution: Invalid
Priority: 5
Submitted By: Erik Konijnenburg (konijnenburg)
Assigned to: Scott M Stark (starksm)
Summary: LdapLoginModule accepts empty password
Initial Comment:
Hi there,
When I log in on my web site (I am using forms) using
the LdapLoginModule I don't have to supply a password
to log in. The LDAP server (Netscape Directory Server
4.12) seems to allow for anonymous authentication.
Using the right password authenticates the user; using a
wrong password (except empty) does not.
<application-policy name="LDAPRealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://NLRTMWS001:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">cn=</module-option>
      <module-option name="principalDNSuffix">,cn=basic,cn=Signons,cn=default,cn=Authentication Data,o=sdfsadf,c=NL</module-option>
      <!-- <module-option name="userRolesCtxDNAttributeName">authid</module-option> -->
      <module-option name="uidAttributeID">authbasicsignonlist</module-option>
      <module-option name="roleAttributeID">authuserclasslist</module-option>
      <module-option name="rolesCtxDN">cn=Users,cn=default,cn=Authentication Data,o=vopakwst,c=nl</module-option>
      <!-- <module-option name="hashAlgorithm">SHA-1</module-option>
      <module-option name="hashEncoding">base64</module-option> -->
    </login-module>
  </authentication>
</application-policy>
----------------------------------------------------------------------
>Comment By: Scott M Stark (starksm)
Date: 2002-10-27 19:54
Message:
Logged In: YES
user_id=175228
This is an ldap server configuration issue. If you don't want
anonymous bindings why allow it? I will add an option flag to
treat empty passwords as null passwords in the event that
the default ldap admin policy for anonymous users conflicts
with a particular application usage, but this will default to true.
----------------------------------------------------------------------
Comment By: Erik Konijnenburg (konijnenburg)
Date: 2002-10-23 05:27
Message:
Logged In: YES
user_id=522939
A possible patch is:
    protected boolean validatePassword(String inputPassword,
                                       String expectedPassword)
    {
        boolean isValid = false;
        // reject empty passwords before they reach the LDAP bind
        if( inputPassword != null && inputPassword.length() > 0 )
        {
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Even better, make this an option.
----------------------------------------------------------------------
Comment By: Erik Konijnenburg (konijnenburg)
Date: 2002-10-23 05:26
Message:
Logged In: YES
user_id=522939
A possible patch is:
    protected boolean validatePassword(String inputPassword,
                                       String expectedPassword)
    {
        boolean isValid = false;
        // reject empty passwords before they reach the LDAP bind
        if( inputPassword != null && inputPassword.length() > 0 )
        {
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Even better, make this an option.
----------------------------------------------------------------------
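Scott's option flag and Erik's length check, carried through as one added illustration (example code, not JBoss's LdapLoginModule and not either poster's patch): the check has to run before the JNDI context is ever created, because an empty Context.SECURITY_CREDENTIALS value is exactly what the directory server treats as an anonymous bind. The option name allowEmptyPasswords, the provider URL and the sample DN are assumptions of this example, and the secure default here is false.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

// Added example, not JBoss code: guard a simple LDAP bind against the
// "empty password == anonymous bind" behaviour reported in this bug.
public class EmptyPasswordGuard {
    // Assumed option name; when false, empty passwords never reach the server.
    private final boolean allowEmptyPasswords;

    public EmptyPasswordGuard(boolean allowEmptyPasswords) {
        this.allowEmptyPasswords = allowEmptyPasswords;
    }

    // Builds the JNDI environment for an authenticated simple bind. With an
    // empty SECURITY_CREDENTIALS value most LDAP servers bind anonymously and
    // report success, so the rejection must happen here, before
    // new InitialLdapContext(env, null) is called.
    public Hashtable<String, String> bindEnvironment(String providerUrl, String userDN,
                                                     char[] password) throws LoginException {
        boolean empty = (password == null || password.length == 0);
        if (empty && !allowEmptyPasswords) {
            throw new FailedLoginException(
                "Empty password rejected; it would bind anonymously for " + userDN);
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDN);
        env.put(Context.SECURITY_CREDENTIALS, empty ? "" : new String(password));
        return env;
    }

    public static void main(String[] args) {
        // Constructed sample values; the DN shape follows the report's
        // principalDNPrefix / principalDNSuffix options.
        String url = "ldap://ldap.example.invalid:389/";
        String dn = "cn=alice,cn=basic,cn=Signons,cn=default,cn=Authentication Data,o=example,c=NL";
        EmptyPasswordGuard guard = new EmptyPasswordGuard(false);
        try {
            guard.bindEnvironment(url, dn, new char[0]);
            System.out.println("BUG: empty password reached the bind environment");
        } catch (LoginException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```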
Jboss-development mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-development