[JBoss-dev] [ jboss-Bugs-627405 ] LdapLoginModule accepts empty password

Bugs item #627405, was opened at 2002-10-23 13:51
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=376685&aid=627405&group_id=22866

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Erik Konijnenburg (konijnenburg)
Assigned to: Nobody/Anonymous (nobody)
Summary: LdapLoginModule accepts empty password

Initial Comment:
Hi there,

When I log in on my web site (I am using forms) using the LdapLoginModule, I don't have to supply a password to log in. The LDAP server (Netscape Directory Server 4.12) seems to allow for anonymous authentication. Using the right password authenticates the user; using a wrong password (except empty) does not.

    com.sun.jndi.ldap.LdapCtxFactory
    ldap://NLRTMWS001:389/
    simple
    cn=
    ,cn=basic,cn=Signons,cn=default,cn=Authentication Data,o=sdfsadf,c=NL
    authbasicsignonlist
    authuserclasslist
    cn=Users,cn=default,cn=Authentication Data,o=vopakwst,c=nl

___
Jboss-development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development
[JBoss-dev] [ jboss-Bugs-627405 ] LdapLoginModule accepts empty password

Bugs item #627405, was opened at 2002-10-23 04:51
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=376685&aid=627405&group_id=22866

Category: JBossSX
Group: None
>Status: Closed
>Resolution: Invalid
Priority: 5
Submitted By: Erik Konijnenburg (konijnenburg)
Assigned to: Scott M Stark (starksm)
Summary: LdapLoginModule accepts empty password

Initial Comment:
Hi there,

When I log in on my web site (I am using forms) using the LdapLoginModule, I don't have to supply a password to log in. The LDAP server (Netscape Directory Server 4.12) seems to allow for anonymous authentication. Using the right password authenticates the user; using a wrong password (except empty) does not.

    com.sun.jndi.ldap.LdapCtxFactory
    ldap://NLRTMWS001:389/
    simple
    cn=
    ,cn=basic,cn=Signons,cn=default,cn=Authentication Data,o=sdfsadf,c=NL
    authbasicsignonlist
    authuserclasslist
    cn=Users,cn=default,cn=Authentication Data,o=vopakwst,c=nl

--
>Comment By: Scott M Stark (starksm)
Date: 2002-10-27 19:54

Message:
Logged In: YES
user_id=175228

This is an ldap server configuration issue. If you don't want anonymous bindings why allow it? I will add an option flag to treat empty passwords as null passwords in the event that the default ldap admin policy for anonymous users conflicts with a particular application usage, but this will default to true.

--
Comment By: Erik Konijnenburg (konijnenburg)
Date: 2002-10-23 05:27

Message:
Logged In: YES
user_id=522939

A possible patch is:

    protected boolean validatePassword(String inputPassword,
        String expectedPassword)
    {
        boolean isValid = false;
        if( inputPassword != null && inputPassword.length() > 0 )
        {

Even better make this an option

--
Comment By: Erik Konijnenburg (konijnenburg)
Date: 2002-10-23 05:26

Message:
Logged In: YES
user_id=522939

A possible patch is:

    protected boolean validatePassword(String inputPassword,
        String expectedPassword)
    {
        boolean isValid = false;
        if( inputPassword != null && inputPassword.length() > 0 )
        {

Even better make this an option
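
The behaviour discussed in this thread, as an added example (not JBoss code and not written by either poster): a simulated directory that, like the server in the report, accepts an empty-password simple bind as anonymous, checked by a login routine with and without an empty-password guard. The class names, the `allowEmptyPasswords` flag name, the DN and the password are assumptions constructed for illustration.

```java
import java.util.Map;

public class EmptyPasswordBindDemo {

    /** Constructed stand-in for a directory server that permits anonymous binds. */
    static final class SimulatedDirectory {
        private final Map<String, String> passwordsByDn;

        SimulatedDirectory(Map<String, String> passwordsByDn) {
            this.passwordsByDn = passwordsByDn;
        }

        /** Simple bind: with an empty password the DN is never verified. */
        boolean simpleBind(String dn, String password) {
            if (password.isEmpty()) {
                return true; // handled as an anonymous bind, which this server allows
            }
            return password.equals(passwordsByDn.get(dn));
        }
    }

    private final SimulatedDirectory directory;
    private final boolean allowEmptyPasswords; // hypothetical option name

    EmptyPasswordBindDemo(SimulatedDirectory directory, boolean allowEmptyPasswords) {
        this.directory = directory;
        this.allowEmptyPasswords = allowEmptyPasswords;
    }

    /** Login check that equates "bind succeeded" with "password is valid". */
    boolean validatePassword(String userDn, String inputPassword) {
        if (inputPassword == null) {
            return false;
        }
        if (inputPassword.isEmpty() && !allowEmptyPasswords) {
            return false; // never send an empty password to the server
        }
        return directory.simpleBind(userDn, inputPassword);
    }

    public static void main(String[] args) {
        String dn = "cn=alice,cn=Users,o=example,c=NL"; // constructed sample entry
        SimulatedDirectory dir = new SimulatedDirectory(Map.of(dn, "s3cret"));
        EmptyPasswordBindDemo passThrough = new EmptyPasswordBindDemo(dir, true);
        EmptyPasswordBindDemo guarded = new EmptyPasswordBindDemo(dir, false);
        for (String pw : new String[] {"s3cret", "wrong", ""}) {
            System.out.printf("password=%-8s pass-through=%-5b guarded=%b%n",
                    "\"" + pw + "\"", passThrough.validatePassword(dn, pw),
                    guarded.validatePassword(dn, pw));
        }
    }
}
```

With the guard in place, the login result no longer depends on whether the directory administrator has disabled anonymous binds.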