SEC-284: Removed allowEmptyPassword flag..

core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java

@@ -93,6 +93,15 @@ import org.springframework.util.StringUtils;
  * authentication, roles will be assigned to the user by searching under the DN
  * <tt>ou=groups,dc=acegisecurity,dc=org</tt> with the default filter <tt>(member=&lt;user's-DN&gt;)</tt>. The role
  * name will be taken from the "ou" attribute of each match.</p>
+ * <p>
+ * The authenticate method will reject empty passwords outright. LDAP servers may allow an anonymous
+ * bind operation with an empty password, even if a DN is supplied. In practice this means that if
+ * the LDAP directory is configured to allow unauthenitcated access, it might be possible to
+ * authenticate as <i>any</i> user just by supplying an empty password.
+ * More information on the misuse of unauthenticated access can be found in
+ * <a href="http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-19.txt">
+ * draft-ietf-ldapbis-authmeth-19.txt</a>.
+ * </p>
  *
  * @author Luke Taylor
  * @version $Id$
@@ -110,9 +119,6 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
     private LdapAuthenticator authenticator;
     private LdapAuthoritiesPopulator authoritiesPopulator;
 
-    /** The provider will allow an authentication request with an empty password if this is true */
-    private boolean allowEmptyPasswords = false;
-
     //~ Constructors ===================================================================================================
 
     public LdapAuthenticationProvider(LdapAuthenticator authenticator, LdapAuthoritiesPopulator authoritiesPopulator) {
@@ -134,24 +140,6 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
         }
     }
 
-    /**
-     * Determines whether the provider will reject empty passwords by default.
-     * LDAP servers may allow an anonymous bind operation with an empty password, even if
-     * a DN is supplied. In practice this means that if the LDAP directory is configured
-     * to allow unauthenitcated access, it might be possible to authenticate as <i>any</i>
-     * user just by supplying an empty password.
-     * <p>
-     * The use of empty passwords is disabled by default and should only be allowed
-     * if you have a very good reason.
-     * More information on the misuse of unauthenticated access can be found in
-     * <a href="http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-19.txt">
-     * draft-ietf-ldapbis-authmeth-19.txt</a>
-     * </p>
-     */
-    public void setAllowEmptyPasswords(boolean allowEmptyPasswords) {
-        this.allowEmptyPasswords = allowEmptyPasswords;
-    }
-
     /**
      * Creates the final <tt>UserDetails</tt> object that will be returned by the provider once the user has
      * been authenticated.<p>The <tt>LdapAuthoritiesPopulator</tt> will be used to create the granted
@@ -198,7 +186,7 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
         String password = (String) authentication.getCredentials();
         Assert.notNull(password, "Null password was supplied in authentication token");
 
-        if(!allowEmptyPasswords && password.length() == 0) {
+        if (password.length() == 0) {
             logger.debug("Rejecting empty password for user " + username);
             throw new BadCredentialsException(messages.getMessage("LdapAuthenticationProvider.emptyPassword",
                     "Empty Password"));

core/src/test/java/org/acegisecurity/providers/ldap/LdapAuthenticationProviderTests.java

@@ -34,8 +34,7 @@ import javax.naming.directory.BasicAttributes;
 
 
 /**
- * 
+ * Tests {@link LdapAuthenticationProvider}.
-DOCUMENT ME!
  *
  * @author Luke Taylor
  * @version $Id$
@@ -86,7 +85,7 @@ public class LdapAuthenticationProviderTests extends TestCase {
         } catch (BadCredentialsException expected) {}
     }
 
-    public void testEmptyPasswordIsRejectedByDefault() {
+    public void testEmptyPasswordIsRejected() {
         LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
                 new MockAuthoritiesPopulator());
         try {
@@ -95,13 +94,6 @@ public class LdapAuthenticationProviderTests extends TestCase {
         } catch (BadCredentialsException expected) {}
     }
 
-    public void testEmptyPasswordIsAcceptedWhenFlagIsSet() {
-        LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
-                new MockAuthoritiesPopulator());
-        ldapProvider.setAllowEmptyPasswords(true);
-        ldapProvider.retrieveUser("jen", new UsernamePasswordAuthenticationToken("jen", ""));
-    }
-
     public void testNormalUsage() {
         LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
                 new MockAuthoritiesPopulator());