SEC-284: Removed allowEmptyPassword flag..

2006-05-31 20:12:12 +00:00 · 2006-05-31 20:12:12 +00:00 · 5d7a75a421
parent d2ee383e06
commit 5d7a75a421
2 changed files with 15 additions and 35 deletions
--- a/core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java
+++ b/core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java
@ -93,6 +93,15 @@ import org.springframework.util.StringUtils;
 * authentication, roles will be assigned to the user by searching under the DN
 * <tt>ou=groups,dc=acegisecurity,dc=org</tt> with the default filter <tt>(member=&lt;user's-DN&gt;)</tt>. The role
 * name will be taken from the "ou" attribute of each match.</p>
+ * <p>
+ * The authenticate method will reject empty passwords outright. LDAP servers may allow an anonymous
+ * bind operation with an empty password, even if a DN is supplied. In practice this means that if
+ * the LDAP directory is configured to allow unauthenitcated access, it might be possible to
+ * authenticate as <i>any</i> user just by supplying an empty password.
+ * More information on the misuse of unauthenticated access can be found in
+ * <a href="http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-19.txt">
+ * draft-ietf-ldapbis-authmeth-19.txt</a>.
+ * </p>
 *
 * @author Luke Taylor
 * @version $Id$
@ -110,9 +119,6 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
    private LdapAuthenticator authenticator;
    private LdapAuthoritiesPopulator authoritiesPopulator;

-    /** The provider will allow an authentication request with an empty password if this is true */
-    private boolean allowEmptyPasswords = false;
-
    //~ Constructors ===================================================================================================

    public LdapAuthenticationProvider(LdapAuthenticator authenticator, LdapAuthoritiesPopulator authoritiesPopulator) {
@ -134,24 +140,6 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
        }
    }

-    /**
-     * Determines whether the provider will reject empty passwords by default.
-     * LDAP servers may allow an anonymous bind operation with an empty password, even if
-     * a DN is supplied. In practice this means that if the LDAP directory is configured
-     * to allow unauthenitcated access, it might be possible to authenticate as <i>any</i>
-     * user just by supplying an empty password.
-     * <p>
-     * The use of empty passwords is disabled by default and should only be allowed
-     * if you have a very good reason.
-     * More information on the misuse of unauthenticated access can be found in
-     * <a href="http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-19.txt">
-     * draft-ietf-ldapbis-authmeth-19.txt</a>
-     * </p>
-     */
-    public void setAllowEmptyPasswords(boolean allowEmptyPasswords) {
-        this.allowEmptyPasswords = allowEmptyPasswords;
-    }
-
    /**
     * Creates the final <tt>UserDetails</tt> object that will be returned by the provider once the user has
     * been authenticated.<p>The <tt>LdapAuthoritiesPopulator</tt> will be used to create the granted
@ -198,7 +186,7 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
        String password = (String) authentication.getCredentials();
        Assert.notNull(password, "Null password was supplied in authentication token");

-        if(!allowEmptyPasswords && password.length() == 0) {
+        if (password.length() == 0) {
            logger.debug("Rejecting empty password for user " + username);
            throw new BadCredentialsException(messages.getMessage("LdapAuthenticationProvider.emptyPassword",
                    "Empty Password"));
--- a/core/src/test/java/org/acegisecurity/providers/ldap/LdapAuthenticationProviderTests.java
+++ b/core/src/test/java/org/acegisecurity/providers/ldap/LdapAuthenticationProviderTests.java
@ -34,8 +34,7 @@ import javax.naming.directory.BasicAttributes;


 /**
- * 
-DOCUMENT ME!
+ * Tests {@link LdapAuthenticationProvider}.
 *
 * @author Luke Taylor
 * @version $Id$
@ -86,7 +85,7 @@ public class LdapAuthenticationProviderTests extends TestCase {
        } catch (BadCredentialsException expected) {}
    }

-    public void testEmptyPasswordIsRejectedByDefault() {
+    public void testEmptyPasswordIsRejected() {
        LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
                new MockAuthoritiesPopulator());
        try {
@ -95,13 +94,6 @@ public class LdapAuthenticationProviderTests extends TestCase {
        } catch (BadCredentialsException expected) {}
    }

-    public void testEmptyPasswordIsAcceptedWhenFlagIsSet() {
-        LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
-                new MockAuthoritiesPopulator());
-        ldapProvider.setAllowEmptyPasswords(true);
-        ldapProvider.retrieveUser("jen", new UsernamePasswordAuthenticationToken("jen", ""));
-    }
-
    public void testNormalUsage() {
        LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
                new MockAuthoritiesPopulator());