Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-2500: Prevent anonymous bind for ActiveDirectoryLdapAuthenticator

This commit is contained in:
Rob Winch 2014-03-04 13:48:36 -06:00
parent ea902e5829
commit a7005bd742
15 changed files with 40 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
core/src/main/resources/org/springframework/security/messages.properties
View File

@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=Access is denied
AbstractLdapAuthenticationProvider.emptyPassword=Empty Password
AbstractSecurityInterceptor.authenticationNotFound=An Authentication object was not found in the SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=Bad credentials
AbstractUserDetailsAuthenticationProvider.credentialsExpired=User credentials have expired

1
core/src/main/resources/org/springframework/security/messages_cs_CZ.properties
View File

@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=P\u0159\u00EDstup odep\u0159en
AbstractLdapAuthenticationProvider.emptyPassword=\u0160patn\u00E9 p\u0159ihla\u0161ovac\u00ED \u00FAdaje
AbstractSecurityInterceptor.authenticationNotFound=Nebyl nalezen \u017E\u00E1dn\u00FD Authentication objekt v SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=\u0160patn\u00E9 p\u0159ihla\u0161ovac\u00ED \u00FAdaje
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Platnost u\u017Eivatelsk\u00E9ho hesla vypr\u0161ela

1
core/src/main/resources/org/springframework/security/messages_de.properties
View File

@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=Zugriff verweigert
AbstractLdapAuthenticationProvider.emptyPassword=Ung\u00FCltige Benutzerberechtigungen
AbstractSecurityInterceptor.authenticationNotFound=Im SecurityContext wurde keine Authentifikation gefunden
AbstractUserDetailsAuthenticationProvider.badCredentials=Ung\u00FCltige Benutzerberechtigungen
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Die G\u00FCltigkeit der Benutzerberechtigungen ist abgelaufen

1
core/src/main/resources/org/springframework/security/messages_es_ES.properties
View File

@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=Acceso denegado
AbstractLdapAuthenticationProvider.emptyPassword=Credenciales err\u00F3neas
AbstractSecurityInterceptor.authenticationNotFound=El objeto Authentication no ha sido encontrado en el SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=Credenciales err\u00F3neas
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Las credenciales del usuario han expirado

1
core/src/main/resources/org/springframework/security/messages_fr.properties
View File

@ -3,6 +3,7 @@
# Translation by Laurent Pireyn (laurent.pireyn@pisolutions.eu)
# Translation by Valentin Crettaz (valentin.crettaz@consulthys.com)
AbstractAccessDecisionManager.accessDenied=Acc\u00E8s refus\u00E9
AbstractLdapAuthenticationProvider.emptyPassword=Le mot de passe est obligatoire
AbstractSecurityInterceptor.authenticationNotFound=Aucun objet Authentication n'a \u00E9t\u00E9 trouv\u00E9 dans le SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=Les identifications sont erron\u00E9es
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Les identifications de l'utilisateur ont expir\u00E9

1
core/src/main/resources/org/springframework/security/messages_it.properties
View File

@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=Accesso negato
AbstractLdapAuthenticationProvider.badCredentials=Credenziali non valide
AbstractSecurityInterceptor.authenticationNotFound=Nessuna autenticazione trovata dentro il Security Context
AbstractUserDetailsAuthenticationProvider.badCredentials=Credenziali non valide
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Credenziali dell'utente scadute

1
core/src/main/resources/org/springframework/security/messages_ko_KR.properties
View File

@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=\uC811\uADFC\uC774 \uAC70\uBD80\uB418\uC5C8\uC2B5\uB2C8\uB2E4.
AbstractLdapAuthenticationProvider.badCredentials=\uBE44\uBC00\uBC88\uD638\uAC00 \uB9DE\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.
AbstractSecurityInterceptor.authenticationNotFound=SecurityContext\uC5D0\uC11C Authentication \uAC1D\uCCB4\uB97C \uCC3E\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4.
AbstractUserDetailsAuthenticationProvider.badCredentials=\uBE44\uBC00\uBC88\uD638(credential)\uAC00 \uB9DE\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.
AbstractUserDetailsAuthenticationProvider.credentialsExpired=\uBE44\uBC00\uBC88\uD638(credential)\uC758 \uC720\uD6A8 \uAE30\uAC04\uC774 \uB9CC\uB8CC\uB418\uC5C8\uC2B5\uB2C8\uB2E4.

1
core/src/main/resources/org/springframework/security/messages_lt.properties
View File

@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=Pri\u0117jimas neleid\u017eiamas
AbstractLdapAuthenticationProvider.emptyPassword=Tu\u0161\u010dias slapta\u017eodis
AbstractSecurityInterceptor.authenticationNotFound=Authentication objektas nerastas SecurityContext kontekste
AbstractUserDetailsAuthenticationProvider.badCredentials=Blogi kredencialai
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Pasibaig\u0117 vartotojo kredencial\u0173 galiojimas

1
core/src/main/resources/org/springframework/security/messages_pl.properties
View File

@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=Dost\u0119p zabroniony
AbstractLdapAuthenticationProvider.emptyPassword=Niepoprawne dane uwierzytelniaj\u0105ce
AbstractSecurityInterceptor.authenticationNotFound=Obiekt Authentication nie zosta\u0142 odnaleziony w SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=Niepoprawne dane uwierzytelniaj\u0105ce
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Wa\u017Cno\u015B\u0107 danych uwierzytelniaj\u0105cych wygas\u0142a

1
core/src/main/resources/org/springframework/security/messages_pt_BR.properties
View File

@ -2,6 +2,7 @@
# Messages in Brazilian Portuguese
# Translation by Leonardo Pinto (leoviveiros@gmail.com)
AbstractAccessDecisionManager.accessDenied=Acesso negado
AbstractLdapAuthenticationProvider.emptyPassword=Usu\u00E1rio inexistente ou senha inv\u00E1lida
AbstractSecurityInterceptor.authenticationNotFound=Um objeto de autentica\u00E7\u00E3o n\u00E3o foi encontrado no SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=Usu\u00E1rio inexistente ou senha inv\u00E1lida
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Credenciais expiradas

1
core/src/main/resources/org/springframework/security/messages_pt_PT.properties
View File

@ -1,6 +1,7 @@
# Spring Security Portuguese Resource Bundle
# Author: José Santos
AbstractAccessDecisionManager.accessDenied=Acesso negado
AbstractLdapAuthenticationProvider.emptyPassword=Credenciais inv\u00E1lidas
AbstractSecurityInterceptor.authenticationNotFound=Objecto Authentication n\u00E3o encontrado em SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=Credenciais inv\u00E1lidas
AbstractUserDetailsAuthenticationProvider.credentialsExpired=As credenciais do utilizador expiraram

1
core/src/main/resources/org/springframework/security/messages_uk_UA.properties
View File

@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=\u0414\u043E\u0441\u0442\u0443\u043F \u0437\u0430\u0431\u043E\u0440\u043E\u043D\u0435\u043D\u0438\u0439
AbstractLdapAuthenticationProvider.emptyPassword=\u0414\u0430\u043D\u0456 \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u043D\u0435\u043A\u043E\u0440\u0435\u043A\u0442\u043D\u0456
AbstractSecurityInterceptor.authenticationNotFound=\u041E\u0431'\u0454\u043A\u0442 Authentication \u043D\u0435 \u0437\u043D\u0430\u0439\u0434\u0435\u043D\u0438\u0439 \u0432 SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=\u0414\u0430\u043D\u0456 \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u043D\u0435\u043A\u043E\u0440\u0435\u043A\u0442\u043D\u0456
AbstractUserDetailsAuthenticationProvider.credentialsExpired=\u041F\u043E\u0432\u043D\u043E\u0432\u0430\u0436\u0435\u043D\u043D\u044F \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0432\u0438\u0447\u0435\u0440\u043F\u0430\u043B\u0438 \u0442\u0435\u0440\u043C\u0456\u043D \u0434\u0456\u0457

1
core/src/main/resources/org/springframework/security/messages_zh_CN.properties
View File

@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=\u4E0D\u5141\u8BB8\u8BBF\u95EE
AbstractLdapAuthenticationProvider.emptyPassword=\u574F\u7684\u51ED\u8BC1
AbstractSecurityInterceptor.authenticationNotFound=\u672A\u5728SecurityContext\u4E2D\u67E5\u627E\u5230\u8BA4\u8BC1\u5BF9\u8C61
AbstractUserDetailsAuthenticationProvider.badCredentials=\u574F\u7684\u51ED\u8BC1
AbstractUserDetailsAuthenticationProvider.credentialsExpired=\u7528\u6237\u51ED\u8BC1\u5DF2\u8FC7\u671F

21
ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java
View File

@ -1,4 +1,18 @@
package org.springframework.security.ldap.authentication;
/*
* Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/package org.springframework.security.ldap.authentication;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@ -56,6 +70,11 @@ public abstract class AbstractLdapAuthenticationProvider implements Authenticati
"Empty Username"));
}
if (!StringUtils.hasLength(password)) {
throw new BadCredentialsException(messages.getMessage("AbstractLdapAuthenticationProvider.emptyPassword",
"Empty Password"));
}
Assert.notNull(password, "Null password was supplied in authentication token");
DirContextOperations userData = doAuthentication(userToken);

8
ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2012 the original author or authors.
* Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@ -143,6 +143,12 @@ public class ActiveDirectoryLdapAuthenticationProviderTests {
provider.authenticate(joe);
}
// SEC-2500
@Test(expected = BadCredentialsException.class)
public void sec2500PreventAnonymousBind() {
provider.authenticate(new UsernamePasswordAuthenticationToken("rwinch", ""));
}
@SuppressWarnings("unchecked")
@Test(expected = IncorrectResultSizeDataAccessException.class)
public void duplicateUserSearchCausesError() throws Exception {