ARTEMIS-2010 actively detect unauthenticated LDAP Bind requests
This commit is contained in:
parent
b2663b84b6
commit
53f8bc3daf
|
@ -167,7 +167,7 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
throw (LoginException) new LoginException().initCause(e);
|
throw (LoginException) new LoginException().initCause(e);
|
||||||
}
|
}
|
||||||
|
|
||||||
String password;
|
String password = null;
|
||||||
|
|
||||||
username = ((NameCallback) callbacks[0]).getName();
|
username = ((NameCallback) callbacks[0]).getName();
|
||||||
if (username == null)
|
if (username == null)
|
||||||
|
@ -175,8 +175,17 @@ public class LDAPLoginModule implements LoginModule {
|
||||||
|
|
||||||
if (((PasswordCallback) callbacks[1]).getPassword() != null)
|
if (((PasswordCallback) callbacks[1]).getPassword() != null)
|
||||||
password = new String(((PasswordCallback) callbacks[1]).getPassword());
|
password = new String(((PasswordCallback) callbacks[1]).getPassword());
|
||||||
else
|
|
||||||
password = "";
|
/**
|
||||||
|
* https://tools.ietf.org/html/rfc4513#section-6.3.1
|
||||||
|
*
|
||||||
|
* Clients that use the results from a simple Bind operation to make
|
||||||
|
* authorization decisions should actively detect unauthenticated Bind
|
||||||
|
* requests (by verifying that the supplied password is not empty) and
|
||||||
|
* react appropriately.
|
||||||
|
*/
|
||||||
|
if (password == null || (password != null && password.length() == 0))
|
||||||
|
throw new FailedLoginException("Password cannot be null or empty");
|
||||||
|
|
||||||
// authenticate will throw LoginException
|
// authenticate will throw LoginException
|
||||||
// in case of failed authentication
|
// in case of failed authentication
|
||||||
|
|
|
@ -27,6 +27,7 @@ import javax.security.auth.callback.CallbackHandler;
|
||||||
import javax.security.auth.callback.NameCallback;
|
import javax.security.auth.callback.NameCallback;
|
||||||
import javax.security.auth.callback.PasswordCallback;
|
import javax.security.auth.callback.PasswordCallback;
|
||||||
import javax.security.auth.callback.UnsupportedCallbackException;
|
import javax.security.auth.callback.UnsupportedCallbackException;
|
||||||
|
import javax.security.auth.login.FailedLoginException;
|
||||||
import javax.security.auth.login.LoginContext;
|
import javax.security.auth.login.LoginContext;
|
||||||
import javax.security.auth.login.LoginException;
|
import javax.security.auth.login.LoginException;
|
||||||
import javax.security.auth.spi.LoginModule;
|
import javax.security.auth.spi.LoginModule;
|
||||||
|
@ -268,6 +269,56 @@ public class LDAPLoginModuleTest extends AbstractLdapTestUnit {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testEmptyPassword() throws Exception {
|
||||||
|
LoginContext context = new LoginContext("LDAPLogin", new CallbackHandler() {
|
||||||
|
@Override
|
||||||
|
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
|
||||||
|
for (int i = 0; i < callbacks.length; i++) {
|
||||||
|
if (callbacks[i] instanceof NameCallback) {
|
||||||
|
((NameCallback) callbacks[i]).setName("first");
|
||||||
|
} else if (callbacks[i] instanceof PasswordCallback) {
|
||||||
|
((PasswordCallback) callbacks[i]).setPassword("".toCharArray());
|
||||||
|
} else {
|
||||||
|
throw new UnsupportedCallbackException(callbacks[i]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
});
|
||||||
|
try {
|
||||||
|
context.login();
|
||||||
|
fail("Should have thrown a FailedLoginException");
|
||||||
|
} catch (FailedLoginException fle) {
|
||||||
|
assertEquals("Password cannot be null or empty", fle.getMessage());
|
||||||
|
}
|
||||||
|
context.logout();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testNullPassword() throws Exception {
|
||||||
|
LoginContext context = new LoginContext("LDAPLogin", new CallbackHandler() {
|
||||||
|
@Override
|
||||||
|
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
|
||||||
|
for (int i = 0; i < callbacks.length; i++) {
|
||||||
|
if (callbacks[i] instanceof NameCallback) {
|
||||||
|
((NameCallback) callbacks[i]).setName("first");
|
||||||
|
} else if (callbacks[i] instanceof PasswordCallback) {
|
||||||
|
((PasswordCallback) callbacks[i]).setPassword(null);
|
||||||
|
} else {
|
||||||
|
throw new UnsupportedCallbackException(callbacks[i]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
});
|
||||||
|
try {
|
||||||
|
context.login();
|
||||||
|
fail("Should have thrown a FailedLoginException");
|
||||||
|
} catch (FailedLoginException fle) {
|
||||||
|
assertEquals("Password cannot be null or empty", fle.getMessage());
|
||||||
|
}
|
||||||
|
context.logout();
|
||||||
|
}
|
||||||
|
|
||||||
private boolean presentInArray(LDAPLoginProperty[] ldapProps, String propertyName) {
|
private boolean presentInArray(LDAPLoginProperty[] ldapProps, String propertyName) {
|
||||||
for (LDAPLoginProperty conf : ldapProps) {
|
for (LDAPLoginProperty conf : ldapProps) {
|
||||||
if (conf.getPropertyName().equals(propertyName) && (conf.getPropertyValue() != null && !"".equals(conf.getPropertyValue())))
|
if (conf.getPropertyName().equals(propertyName) && (conf.getPropertyValue() != null && !"".equals(conf.getPropertyValue())))
|
||||||
|
|
Loading…
Reference in New Issue