[JBoss-dev] [ jboss-Bugs-627405 ] LdapLoginModule accepts empty password
Bugs item #627405, was opened at 2002-10-23 13:51 You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=376685&aid=627405&group_id=22866 Category: None Group: None Status: Open Resolution: None Priority: 5 Submitted By: Erik Konijnenburg (konijnenburg) Assigned to: Nobody/Anonymous (nobody) Summary: LdapLoginModule accepts empty password Initial Comment: Hi there, When i login on my web site (i am using forms) using the LdapLoginModule I don't have to supply a password to login The LDAP server (netscape directory server 4.12) seems to allow for anonymous authentication. Using the right password authenticates the user, using a wrong password (except empty) doesnot. com.sun.jndi.ldap.Lda pCtxFactory ldap://NLRTMWS001:3 89/ simple cn= ,cn=basic,cn=Signons,cn=def ault,cn=Authentication Data,o=sdfsadf,c=NL authbasicsignonlist authuserclasslist cn=Users,cn=default,cn=Authentic ation Data,o=vopakwst,c=nl -- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=376685&aid=627405&group_id=22866 --- This sf.net emial is sponsored by: Influence the future of Java(TM) technology. Join the Java Community Process(SM) (JCP(SM)) program now. http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0002en ___ Jboss-development mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-development
[JBoss-dev] [ jboss-Bugs-627405 ] LdapLoginModule accepts empty password
Bugs item #627405, was opened at 2002-10-23 13:51
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=376685&aid=627405&group_id=22866
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Erik Konijnenburg (konijnenburg)
Assigned to: Nobody/Anonymous (nobody)
Summary: LdapLoginModule accepts empty password
Initial Comment:
Hi there,
When i login on my web site (i am using forms) using
the LdapLoginModule I don't have to supply a password
to login The LDAP server (netscape directory server
4.12) seems to allow for anonymous authentication.
Using the right password authenticates the user, using a
wrong password (except empty) doesnot.
com.sun.jndi.ldap.Lda
pCtxFactory
ldap://NLRTMWS001:3
89/
simple
cn=
,cn=basic,cn=Signons,cn=def
ault,cn=Authentication Data,o=sdfsadf,c=NL
authbasicsignonlist
authuserclasslist
cn=Users,cn=default,cn=Authentic
ation Data,o=vopakwst,c=nl
--
>Comment By: Erik Konijnenburg (konijnenburg)
Date: 2002-10-23 14:27
Message:
Logged In: YES
user_id=522939
A possible patch is:
protected boolean validatePassword(String inputPassword,
String expectedPassword)
{
boolean isValid = false;
if( inputPassword != null && inputPassword.length() > 0 )
{
Even better make this an option
--
Comment By: Erik Konijnenburg (konijnenburg)
Date: 2002-10-23 14:26
Message:
Logged In: YES
user_id=522939
A possible patch is:
protected boolean validatePassword(String inputPassword,
String expectedPassword)
{
boolean isValid = false;
if( inputPassword != null && inputPassword.length() > 0 )
{
Even better make this an option
--
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=376685&aid=627405&group_id=22866
---
This sf.net emial is sponsored by: Influence the future
of Java(TM) technology. Join the Java Community
Process(SM) (JCP(SM)) program now.
http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0002en
___
Jboss-development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development
[JBoss-dev] [ jboss-Bugs-627405 ] LdapLoginModule accepts empty password
Bugs item #627405, was opened at 2002-10-23 13:51
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=376685&aid=627405&group_id=22866
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Erik Konijnenburg (konijnenburg)
Assigned to: Nobody/Anonymous (nobody)
Summary: LdapLoginModule accepts empty password
Initial Comment:
Hi there,
When i login on my web site (i am using forms) using
the LdapLoginModule I don't have to supply a password
to login The LDAP server (netscape directory server
4.12) seems to allow for anonymous authentication.
Using the right password authenticates the user, using a
wrong password (except empty) doesnot.
com.sun.jndi.ldap.Lda
pCtxFactory
ldap://NLRTMWS001:3
89/
simple
cn=
,cn=basic,cn=Signons,cn=def
ault,cn=Authentication Data,o=sdfsadf,c=NL
authbasicsignonlist
authuserclasslist
cn=Users,cn=default,cn=Authentic
ation Data,o=vopakwst,c=nl
--
>Comment By: Erik Konijnenburg (konijnenburg)
Date: 2002-10-23 14:26
Message:
Logged In: YES
user_id=522939
A possible patch is:
protected boolean validatePassword(String inputPassword,
String expectedPassword)
{
boolean isValid = false;
if( inputPassword != null && inputPassword.length() > 0 )
{
Even better make this an option
--
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=376685&aid=627405&group_id=22866
---
This sf.net emial is sponsored by: Influence the future
of Java(TM) technology. Join the Java Community
Process(SM) (JCP(SM)) program now.
http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0002en
___
Jboss-development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development
[JBoss-dev] [ jboss-Bugs-627405 ] LdapLoginModule accepts empty password
Bugs item #627405, was opened at 2002-10-23 04:51
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=376685&aid=627405&group_id=22866
Category: JBossSX
Group: None
>Status: Closed
>Resolution: Invalid
Priority: 5
Submitted By: Erik Konijnenburg (konijnenburg)
Assigned to: Scott M Stark (starksm)
Summary: LdapLoginModule accepts empty password
Initial Comment:
Hi there,
When i login on my web site (i am using forms) using
the LdapLoginModule I don't have to supply a password
to login The LDAP server (netscape directory server
4.12) seems to allow for anonymous authentication.
Using the right password authenticates the user, using a
wrong password (except empty) doesnot.
com.sun.jndi.ldap.Lda
pCtxFactory
ldap://NLRTMWS001:3
89/
simple
cn=
,cn=basic,cn=Signons,cn=def
ault,cn=Authentication Data,o=sdfsadf,c=NL
authbasicsignonlist
authuserclasslist
cn=Users,cn=default,cn=Authentic
ation Data,o=vopakwst,c=nl
--
>Comment By: Scott M Stark (starksm)
Date: 2002-10-27 19:54
Message:
Logged In: YES
user_id=175228
This is an ldap server configuration issue. If you don't want
anonymous bindings why allow it? I will add an option flag to
treat empty passwords as null passwords in the event that
the default ldap admin policy for anonymous users conflicts
with a particular application usage, but this will default to true.
--
Comment By: Erik Konijnenburg (konijnenburg)
Date: 2002-10-23 05:27
Message:
Logged In: YES
user_id=522939
A possible patch is:
protected boolean validatePassword(String inputPassword,
String expectedPassword)
{
boolean isValid = false;
if( inputPassword != null && inputPassword.length() > 0 )
{
Even better make this an option
--
Comment By: Erik Konijnenburg (konijnenburg)
Date: 2002-10-23 05:26
Message:
Logged In: YES
user_id=522939
A possible patch is:
protected boolean validatePassword(String inputPassword,
String expectedPassword)
{
boolean isValid = false;
if( inputPassword != null && inputPassword.length() > 0 )
{
Even better make this an option
--
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=376685&aid=627405&group_id=22866
---
This SF.net email is sponsored by: ApacheCon, November 18-21 in
Las Vegas (supported by COMDEX), the only Apache event to be
fully supported by the ASF. http://www.apachecon.com
___
Jboss-development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development
