SEC-1117: Moved check for empty password from LdapAuthenticationProvider to BindAuthenticator to allow use with Ntlm.
This commit is contained in:
Luke Taylor
parent
350f75f7f3
commit
c7baeab172
|
|
@ -30,6 +30,7 @@ import org.springframework.security.authentication.BadCredentialsException;
|
|||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.util.StringUtils;
|
||||
|
||||
|
||||
/**
|
||||
|
|
@ -68,6 +69,12 @@ public class BindAuthenticator extends AbstractLdapAuthenticator {
|
|||
String username = authentication.getName();
|
||||
String password = (String)authentication.getCredentials();
|
||||
|
||||
if (!StringUtils.hasLength(password)) {
|
||||
logger.debug("Rejecting empty password for user " + username);
|
||||
throw new BadCredentialsException(messages.getMessage("LdapAuthenticationProvider.emptyPassword",
|
||||
"Empty Password"));
|
||||
}
|
||||
|
||||
// If DN patterns are configured, try authenticating with them directly
|
||||
for (String dn : getUserDns(username)) {
|
||||
user = bindWithDn(dn, username, password);
|
||||
|
|
|
|||
|
|
@ -246,12 +246,6 @@ public class LdapAuthenticationProvider implements AuthenticationProvider, Messa
|
|||
String password = (String) authentication.getCredentials();
|
||||
Assert.notNull(password, "Null password was supplied in authentication token");
|
||||
|
||||
if (password.length() == 0) {
|
||||
logger.debug("Rejecting empty password for user " + username);
|
||||
throw new BadCredentialsException(messages.getMessage("LdapAuthenticationProvider.emptyPassword",
|
||||
"Empty Password"));
|
||||
}
|
||||
|
||||
try {
|
||||
DirContextOperations userData = getAuthenticator().authenticate(authentication);
|
||||
|
||||
|
|
|
|||
|
|
@ -15,19 +15,17 @@
|
|||
|
||||
package org.springframework.security.ldap.authentication;
|
||||
|
||||
import static org.junit.Assert.*;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.springframework.ldap.core.DirContextAdapter;
|
||||
import org.springframework.ldap.core.DirContextOperations;
|
||||
import org.springframework.ldap.core.DistinguishedName;
|
||||
import org.springframework.security.authentication.BadCredentialsException;
|
||||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.SpringSecurityMessageSource;
|
||||
import org.springframework.security.ldap.AbstractLdapIntegrationTests;
|
||||
import org.springframework.security.ldap.authentication.BindAuthenticator;
|
||||
import org.springframework.ldap.core.DirContextAdapter;
|
||||
import org.springframework.ldap.core.DirContextOperations;
|
||||
import org.springframework.ldap.core.DistinguishedName;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.fail;
|
||||
import org.junit.Test;
|
||||
|
||||
/**
|
||||
* Tests for {@link BindAuthenticator}.
|
||||
|
|
@ -53,6 +51,11 @@ public class BindAuthenticatorTests extends AbstractLdapIntegrationTests {
|
|||
|
||||
}
|
||||
|
||||
@Test(expected=BadCredentialsException.class)
|
||||
public void emptyPasswordIsRejected() {
|
||||
authenticator.authenticate(new UsernamePasswordAuthenticationToken("jen", ""));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAuthenticationWithCorrectPasswordSucceeds() {
|
||||
authenticator.setUserDnPatterns(new String[] {"uid={0},ou=people"});
|
||||
|
|
|
|||
|
|
@ -82,12 +82,6 @@ public class LdapAuthenticationProviderTests {
|
|||
} catch (BadCredentialsException expected) {}
|
||||
}
|
||||
|
||||
@Test(expected=BadCredentialsException.class)
|
||||
public void emptyPasswordIsRejected() {
|
||||
LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator());
|
||||
ldapProvider.authenticate(new UsernamePasswordAuthenticationToken("jen", ""));
|
||||
}
|
||||
|
||||
@Test(expected=BadCredentialsException.class)
|
||||
public void usernameNotFoundExceptionIsHiddenByDefault() {
|
||||
final LdapAuthenticator authenticator = jmock.mock(LdapAuthenticator.class);
|
||||
|
|
|
|||
Loading…
Reference in New Issue