Bugs item #627405, was opened at 2002-10-23 04:51
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=376685&aid=627405&group_id=22866
Category: JBossSX
Group: None
>Status: Closed
>Resolution: Invalid
Priority: 5
Submitted By: Erik Konijnenburg (konijnenburg)
Assigned to: Scott M Stark (starksm)
Summary: LdapLoginModule accepts empty password

Initial Comment:
Hi there,

When I log in on my web site (I am using forms) using the LdapLoginModule
I don't have to supply a password to log in. The LDAP server (Netscape
Directory Server 4.12) seems to allow for anonymous authentication. Using
the right password authenticates the user, using a wrong password (except
empty) does not.

<application-policy name = "LDAPRealm">
  <authentication>
    <login-module code = "org.jboss.security.auth.spi.LdapLoginModule" flag = "required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://NLRTMWS001:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">cn=</module-option>
      <module-option name="principalDNSuffix">,cn=basic,cn=Signons,cn=default,cn=Authentication Data,o=sdfsadf,c=NL</module-option>
      <!--
      <module-option name="userRolesCtxDNAttributeName">authid</module-option>
      -->
      <module-option name="uidAttributeID">authbasicsignonlist</module-option>
      <module-option name="roleAttributeID">authuserclasslist</module-option>
      <module-option name="rolesCtxDN">cn=Users,cn=default,cn=Authentication Data,o=vopakwst,c=nl</module-option>
      <!--
      <module-option name="hashAlgorithm">SHA-1</module-option>
      <module-option name="hashEncoding">base64</module-option>
      -->
    </login-module>
  </authentication>
</application-policy>

----------------------------------------------------------------------

>Comment By: Scott M Stark (starksm)
Date: 2002-10-27 19:54

Message:
Logged In: YES
user_id=175228

This is an ldap server configuration issue. If you don't want anonymous
bindings why allow it?
I will add an option flag to treat empty passwords as null passwords in
the event that the default ldap admin policy for anonymous users conflicts
with a particular application usage, but this will default to true.

----------------------------------------------------------------------

Comment By: Erik Konijnenburg (konijnenburg)
Date: 2002-10-23 05:27

Message:
Logged In: YES
user_id=522939

A possible patch is:

    protected boolean validatePassword(String inputPassword, String expectedPassword)
    {
        boolean isValid = false;
        if( inputPassword != null && inputPassword.length() > 0 )
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Even better make this an option

----------------------------------------------------------------------
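Added example, not part of the tracker thread and not JBoss's own LdapLoginModule source: a stand-alone Java class showing the guard the two comments converge on. A simple bind that carries a DN together with an empty password is the LDAP "unauthenticated" bind, which servers such as the one in the report treat as anonymous, so the login module must decide before the bind whether an empty string may be sent at all. The option name allowEmptyPasswords, the method names, and the providerUrl/userDn parameters are assumptions for this example; the JNDI property values are the ones from the application-policy above.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapEmptyPasswordGuard {

    /**
     * Decide locally whether the supplied password may be sent to the directory.
     * A DN plus an empty password is an unauthenticated simple bind, which many
     * directories accept as anonymous, so an empty string must never reach the
     * bind unless the deployer has explicitly opted in (allowEmptyPasswords is
     * an assumed option name, mirroring the flag discussed in the thread).
     */
    static boolean passwordAcceptableForBind(String inputPassword, boolean allowEmptyPasswords) {
        if (inputPassword == null) {
            return false;                 // never bind without credentials
        }
        if (inputPassword.length() == 0) {
            return allowEmptyPasswords;   // default in the thread: true (server decides)
        }
        return true;
    }

    /**
     * Simple bind using the JNDI properties from the report's application-policy.
     * Returns true only when the directory accepted the credentials; a rejected
     * empty password never causes a network round trip.
     */
    static boolean bind(String providerUrl, String userDn, String inputPassword,
                        boolean allowEmptyPasswords) {
        if (!passwordAcceptableForBind(inputPassword, allowEmptyPasswords)) {
            return false;
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);          // e.g. ldap://host:389/
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);         // principalDNPrefix + uid + principalDNSuffix
        env.put(Context.SECURITY_CREDENTIALS, inputPassword);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);                // performs the bind
            return true;
        } catch (AuthenticationException e) {
            return false;                                    // invalid credentials
        } catch (NamingException e) {
            return false;                                    // connectivity/config problem, treat as failure
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs; only the local guard runs here, no directory is contacted.
        String[] samples = { null, "", "s3cret" };
        for (String pw : samples) {
            String shown = pw == null ? "null" : "\"" + pw + "\"";
            System.out.printf("password=%-8s allowEmptyPasswords=true  -> send to directory: %b%n",
                    shown, passwordAcceptableForBind(pw, true));
            System.out.printf("password=%-8s allowEmptyPasswords=false -> send to directory: %b%n",
                    shown, passwordAcceptableForBind(pw, false));
        }
    }
}
```

With allowEmptyPasswords left at the default of true, the empty string is forwarded and the directory in the report answers the unauthenticated bind with success, which is exactly the symptom in the initial comment; setting it to false makes the module fail the login itself, independent of the directory's anonymous-bind policy. The null check is separate from the empty check on purpose: a missing credential is always a failure, whereas an empty one is a deployment decision.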