diff --git a/core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java b/core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java
index e4f326eb4b..96f576f746 100644
--- a/core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java
+++ b/core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java
@@ -41,7 +41,7 @@ import org.springframework.util.StringUtils;
  * its responsibilites to two separate strategy interfaces, {@link LdapAuthenticator}
  * and {@link LdapAuthoritiesPopulator}.
* - *A custom implementation could obtain the roles from a completely different source, for example from a database. *
* - ** <bean id="initialDirContextFactory" class="org.acegisecurity.providers.ldap.DefaultInitialDirContextFactory"> * <constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/>
@@ -93,6 +93,15 @@ import org.springframework.util.StringUtils;
  * authentication, roles will be assigned to the user by searching under the DN
  * ou=groups,dc=acegisecurity,dc=org with the default filter (member=<user's-DN>). The role
  * name will be taken from the "ou" attribute of each match.
+ *
+ * The authenticate method will reject empty passwords outright. LDAP servers may allow an anonymous
+ * bind operation with an empty password, even if a DN is supplied. In practice this means that if
+ * the LDAP directory is configured to allow unauthenitcated access, it might be possible to
+ * authenticate as any user just by supplying an empty password.
+ * More information on the misuse of unauthenticated access can be found in
+ *
+ * draft-ietf-ldapbis-authmeth-19.txt.
+ *
  *
  * @author Luke Taylor
  * @version $Id$
@@ -110,9 +119,6 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
     private LdapAuthenticator authenticator;
     private LdapAuthoritiesPopulator authoritiesPopulator;
-    /** The provider will allow an authentication request with an empty password if this is true */
-    private boolean allowEmptyPasswords = false;
-
     //~ Constructors ===================================================================================================
     public LdapAuthenticationProvider(LdapAuthenticator authenticator, LdapAuthoritiesPopulator authoritiesPopulator) {
@@ -134,24 +140,6 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
         }
     }
-    /**
-     * Determines whether the provider will reject empty passwords by default.
-     * LDAP servers may allow an anonymous bind operation with an empty password, even if
-     * a DN is supplied. In practice this means that if the LDAP directory is configured
-     * to allow unauthenitcated access, it might be possible to authenticate as any
-     * user just by supplying an empty password.
-     *
-     * The use of empty passwords is disabled by default and should only be allowed
-     * if you have a very good reason.
-     * More information on the misuse of unauthenticated access can be found in
-     *
-     * draft-ietf-ldapbis-authmeth-19.txt
-     *
-     */
-    public void setAllowEmptyPasswords(boolean allowEmptyPasswords) {
-        this.allowEmptyPasswords = allowEmptyPasswords;
-    }
-
     /**
      * Creates the final UserDetails object that will be returned by the provider once the user has
      * been authenticated.The LdapAuthoritiesPopulator will be used to create the granted
@@ -198,7 +186,7 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
         String password = (String) authentication.getCredentials();
         Assert.notNull(password, "Null password was supplied in authentication token");
-        if(!allowEmptyPasswords && password.length() == 0) {
+        if (password.length() == 0) {
             logger.debug("Rejecting empty password for user " + username);
             throw new BadCredentialsException(messages.getMessage("LdapAuthenticationProvider.emptyPassword", "Empty Password"));
diff --git a/core/src/test/java/org/acegisecurity/providers/ldap/LdapAuthenticationProviderTests.java b/core/src/test/java/org/acegisecurity/providers/ldap/LdapAuthenticationProviderTests.java
index ba4c8ac010..40834b54ec 100644
--- a/core/src/test/java/org/acegisecurity/providers/ldap/LdapAuthenticationProviderTests.java
+++ b/core/src/test/java/org/acegisecurity/providers/ldap/LdapAuthenticationProviderTests.java
@@ -34,8 +34,7 @@ import javax.naming.directory.BasicAttributes;
 /**
- *
-DOCUMENT ME!
+ * Tests {@link LdapAuthenticationProvider}.
  *
  * @author Luke Taylor
  * @version $Id$
@@ -86,7 +85,7 @@ public class LdapAuthenticationProviderTests extends TestCase {
         } catch (BadCredentialsException expected) {}
     }
-    public void testEmptyPasswordIsRejectedByDefault() {
+    public void testEmptyPasswordIsRejected() {
         LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
                 new MockAuthoritiesPopulator());
         try {
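Review bot: The unconditional `if (password.length() == 0)` rejection here protects only requests that reach the LDAP bind through this provider; the `LdapAuthenticator` that actually performs the bind is not in this diff, and if it is invoked through any other path with an empty credential it would presumably still send an empty bind to the directory, which is exactly the anonymous-bind behaviour the new class javadoc warns about. Dropping the `allowEmptyPasswords` switch is the right call, but the same zero-length check belongs in the bind authenticator as defence in depth, so that a custom or directly-used authenticator cannot reintroduce the hole. A why-comment above the guard would keep the reason from being lost in a later refactor: `// never forward an empty password: many directories treat it as an anonymous bind and report success`. The added class javadoc in the earlier hunk also misspells `unauthenitcated`, which should read `unauthenticated`. The method containing this check starts and ends outside the hunk.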
@@ -95,13 +94,6 @@ public class LdapAuthenticationProviderTests extends TestCase {
         } catch (BadCredentialsException expected) {}
     }
-    public void testEmptyPasswordIsAcceptedWhenFlagIsSet() {
-        LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
-                new MockAuthoritiesPopulator());
-        ldapProvider.setAllowEmptyPasswords(true);
-        ldapProvider.retrieveUser("jen", new UsernamePasswordAuthenticationToken("jen", ""));
-    }
-
     public void testNormalUsage() {
         LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
                 new MockAuthoritiesPopulator());