SEC-284: Removed allowEmptyPassword flag.

Luke Taylor 2006-05-31 20:12:12 +00:00
parent d2ee383e06
commit 5d7a75a421
2 changed files with 15 additions and 35 deletions


@ -41,7 +41,7 @@ import org.springframework.util.StringUtils;
* its responsibilites to two separate strategy interfaces, {@link LdapAuthenticator}
* and {@link LdapAuthoritiesPopulator}.</p>
*
* <h3>LdapAuthenticator</h3>
* <h3>LdapAuthenticator</h3>
* This interface is responsible for performing the user authentication and retrieving
* the user's information from the directory. Example implementations are {@link
* org.acegisecurity.providers.ldap.authenticator.BindAuthenticator BindAuthenticator} which authenticates the user by
@ -52,7 +52,7 @@ import org.springframework.util.StringUtils;
* attributes may depend on the type of authentication being used; for example, if binding as the user, it may be
* necessary to read them with the user's own permissions (using the same context used for the bind operation).</p>
*
* <h3>LdapAuthoritiesPopulator</h3>
* <h3>LdapAuthoritiesPopulator</h3>
* Once the user has been authenticated, this interface is called to obtain the set of granted authorities for the
* user.
* The
@ -63,7 +63,7 @@ import org.springframework.util.StringUtils;
* <p>A custom implementation could obtain the roles from a completely different source, for example from a database.
* </p>
*
* <h3>Configuration</h3>A simple configuration might be as follows:
* <h3>Configuration</h3>A simple configuration might be as follows:
* <pre>
* &lt;bean id="initialDirContextFactory" class="org.acegisecurity.providers.ldap.DefaultInitialDirContextFactory">
* &lt;constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/>
@ -93,6 +93,15 @@ import org.springframework.util.StringUtils;
* authentication, roles will be assigned to the user by searching under the DN
* <tt>ou=groups,dc=acegisecurity,dc=org</tt> with the default filter <tt>(member=&lt;user's-DN&gt;)</tt>. The role
* name will be taken from the "ou" attribute of each match.</p>
* <p>
* The authenticate method will reject empty passwords outright. LDAP servers may allow an anonymous
* bind operation with an empty password, even if a DN is supplied. In practice this means that if
* the LDAP directory is configured to allow unauthenitcated access, it might be possible to
* authenticate as <i>any</i> user just by supplying an empty password.
* More information on the misuse of unauthenticated access can be found in
* <a href="http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-19.txt">
* draft-ietf-ldapbis-authmeth-19.txt</a>.
* </p>
*
* @author Luke Taylor
* @version $Id$
@ -110,9 +119,6 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
private LdapAuthenticator authenticator;
private LdapAuthoritiesPopulator authoritiesPopulator;
/** The provider will allow an authentication request with an empty password if this is true */
private boolean allowEmptyPasswords = false;
//~ Constructors ===================================================================================================
public LdapAuthenticationProvider(LdapAuthenticator authenticator, LdapAuthoritiesPopulator authoritiesPopulator) {
@ -134,24 +140,6 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
}
}
/**
* Determines whether the provider will reject empty passwords by default.
* LDAP servers may allow an anonymous bind operation with an empty password, even if
* a DN is supplied. In practice this means that if the LDAP directory is configured
* to allow unauthenitcated access, it might be possible to authenticate as <i>any</i>
* user just by supplying an empty password.
* <p>
* The use of empty passwords is disabled by default and should only be allowed
* if you have a very good reason.
* More information on the misuse of unauthenticated access can be found in
* <a href="http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-19.txt">
* draft-ietf-ldapbis-authmeth-19.txt</a>
* </p>
*/
public void setAllowEmptyPasswords(boolean allowEmptyPasswords) {
this.allowEmptyPasswords = allowEmptyPasswords;
}
/**
* Creates the final <tt>UserDetails</tt> object that will be returned by the provider once the user has
* been authenticated.<p>The <tt>LdapAuthoritiesPopulator</tt> will be used to create the granted
@ -198,7 +186,7 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
String password = (String) authentication.getCredentials();
Assert.notNull(password, "Null password was supplied in authentication token");
if(!allowEmptyPasswords && password.length() == 0) {
if (password.length() == 0) {
logger.debug("Rejecting empty password for user " + username);
throw new BadCredentialsException(messages.getMessage("LdapAuthenticationProvider.emptyPassword",
"Empty Password"));
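Review bot: The new class-level Javadoc paragraph beginning "The authenticate method will reject empty passwords outright" carries the typo `unauthenitcated` over from the removed setter Javadoc; it should read `unauthenticated`. Since the setter is gone, that paragraph is now the only place the policy is described, so it would help to state that the rejection cannot be switched off, e.g. `* This behaviour is not configurable; a provider with a different policy must implement it itself.`. The check `if (password.length() == 0)` in the last hunk now runs unconditionally, which presumably happens before the authenticator performs any bind, closing the anonymous-bind path the paragraph describes; the enclosing method starts before and ends after the hunk.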


@ -34,8 +34,7 @@ import javax.naming.directory.BasicAttributes;
/**
*
DOCUMENT ME!
* Tests {@link LdapAuthenticationProvider}.
*
* @author Luke Taylor
* @version $Id$
@ -86,7 +85,7 @@ public class LdapAuthenticationProviderTests extends TestCase {
} catch (BadCredentialsException expected) {}
}
public void testEmptyPasswordIsRejectedByDefault() {
public void testEmptyPasswordIsRejected() {
LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
new MockAuthoritiesPopulator());
try {
@ -95,13 +94,6 @@ public class LdapAuthenticationProviderTests extends TestCase {
} catch (BadCredentialsException expected) {}
}
public void testEmptyPasswordIsAcceptedWhenFlagIsSet() {
LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
new MockAuthoritiesPopulator());
ldapProvider.setAllowEmptyPasswords(true);
ldapProvider.retrieveUser("jen", new UsernamePasswordAuthenticationToken("jen", ""));
}
public void testNormalUsage() {
LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
new MockAuthoritiesPopulator());