SEC-1117: Moved check for empty password from LdapAuthenticationProvider to BindAuthenticator to allow use with Ntlm.
parent
350f75f7f3
commit
c7baeab172
|
@ -30,6 +30,7 @@ import org.springframework.security.authentication.BadCredentialsException;
|
||||||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
||||||
import org.springframework.security.core.Authentication;
|
import org.springframework.security.core.Authentication;
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
|
import org.springframework.util.StringUtils;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -68,6 +69,12 @@ public class BindAuthenticator extends AbstractLdapAuthenticator {
|
||||||
String username = authentication.getName();
|
String username = authentication.getName();
|
||||||
String password = (String)authentication.getCredentials();
|
String password = (String)authentication.getCredentials();
|
||||||
|
|
||||||
|
if (!StringUtils.hasLength(password)) {
|
||||||
|
logger.debug("Rejecting empty password for user " + username);
|
||||||
|
throw new BadCredentialsException(messages.getMessage("LdapAuthenticationProvider.emptyPassword",
|
||||||
|
"Empty Password"));
|
||||||
|
}
|
||||||
|
|
||||||
// If DN patterns are configured, try authenticating with them directly
|
// If DN patterns are configured, try authenticating with them directly
|
||||||
for (String dn : getUserDns(username)) {
|
for (String dn : getUserDns(username)) {
|
||||||
user = bindWithDn(dn, username, password);
|
user = bindWithDn(dn, username, password);
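Review bot: The empty-password guard added ahead of the `getUserDns` loop is now the only one on this path, because the same commit removes it from LdapAuthenticationProvider; any other LdapAuthenticator that performs a simple bind has to repeat it. The reason deserves a comment at the check, since a simple bind with a DN and a zero-length password is an unauthenticated bind (RFC 4513 section 5.1.2) that many directory servers report as success: `// Never bind with an empty password: the server may treat it as an unauthenticated bind and return success`. The same requirement should be stated in the LdapAuthenticator contract, which is not shown on this page. The debug line also concatenates the caller-supplied `username` into the log message unescaped, so consider neutralising line breaks there. The body of authenticate() starts and ends outside the hunk.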
|
||||||
|
|
|
@ -246,12 +246,6 @@ public class LdapAuthenticationProvider implements AuthenticationProvider, Messa
|
||||||
String password = (String) authentication.getCredentials();
|
String password = (String) authentication.getCredentials();
|
||||||
Assert.notNull(password, "Null password was supplied in authentication token");
|
Assert.notNull(password, "Null password was supplied in authentication token");
|
||||||
|
|
||||||
if (password.length() == 0) {
|
|
||||||
logger.debug("Rejecting empty password for user " + username);
|
|
||||||
throw new BadCredentialsException(messages.getMessage("LdapAuthenticationProvider.emptyPassword",
|
|
||||||
"Empty Password"));
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
try {
|
||||||
DirContextOperations userData = getAuthenticator().authenticate(authentication);
|
DirContextOperations userData = getAuthenticator().authenticate(authentication);
|
||||||
|
|
||||||
|
|
|
@ -15,19 +15,17 @@
|
||||||
|
|
||||||
package org.springframework.security.ldap.authentication;
|
package org.springframework.security.ldap.authentication;
|
||||||
|
|
||||||
|
import static org.junit.Assert.*;
|
||||||
|
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.springframework.ldap.core.DirContextAdapter;
|
||||||
|
import org.springframework.ldap.core.DirContextOperations;
|
||||||
|
import org.springframework.ldap.core.DistinguishedName;
|
||||||
import org.springframework.security.authentication.BadCredentialsException;
|
import org.springframework.security.authentication.BadCredentialsException;
|
||||||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
||||||
import org.springframework.security.core.Authentication;
|
import org.springframework.security.core.Authentication;
|
||||||
import org.springframework.security.core.SpringSecurityMessageSource;
|
import org.springframework.security.core.SpringSecurityMessageSource;
|
||||||
import org.springframework.security.ldap.AbstractLdapIntegrationTests;
|
import org.springframework.security.ldap.AbstractLdapIntegrationTests;
|
||||||
import org.springframework.security.ldap.authentication.BindAuthenticator;
|
|
||||||
import org.springframework.ldap.core.DirContextAdapter;
|
|
||||||
import org.springframework.ldap.core.DirContextOperations;
|
|
||||||
import org.springframework.ldap.core.DistinguishedName;
|
|
||||||
|
|
||||||
import static org.junit.Assert.assertEquals;
|
|
||||||
import static org.junit.Assert.fail;
|
|
||||||
import org.junit.Test;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Tests for {@link BindAuthenticator}.
|
* Tests for {@link BindAuthenticator}.
|
||||||
|
@ -53,6 +51,11 @@ public class BindAuthenticatorTests extends AbstractLdapIntegrationTests {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test(expected=BadCredentialsException.class)
|
||||||
|
public void emptyPasswordIsRejected() {
|
||||||
|
authenticator.authenticate(new UsernamePasswordAuthenticationToken("jen", ""));
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testAuthenticationWithCorrectPasswordSucceeds() {
|
public void testAuthenticationWithCorrectPasswordSucceeds() {
|
||||||
authenticator.setUserDnPatterns(new String[] {"uid={0},ou=people"});
|
authenticator.setUserDnPatterns(new String[] {"uid={0},ou=people"});
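Review bot: `emptyPasswordIsRejected` may still pass if the new guard in BindAuthenticator is deleted. It calls `authenticate` without configuring DN patterns, unlike the test that follows it, so if the authenticator throws BadCredentialsException whenever no bind succeeds (that code is outside this page), the expectation is met without the guard. Configure a resolvable user first, `authenticator.setUserDnPatterns(new String[] {"uid={0},ou=people"});`, so that only the empty-password check can produce the exception, and assert on the exception message rather than only its type. A case with null credentials would also pin the `StringUtils.hasLength` behaviour. The fixture's setup method is outside the hunk, so confirm what it configures.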
|
||||||
|
|
|
@ -82,12 +82,6 @@ public class LdapAuthenticationProviderTests {
|
||||||
} catch (BadCredentialsException expected) {}
|
} catch (BadCredentialsException expected) {}
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test(expected=BadCredentialsException.class)
|
|
||||||
public void emptyPasswordIsRejected() {
|
|
||||||
LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator());
|
|
||||||
ldapProvider.authenticate(new UsernamePasswordAuthenticationToken("jen", ""));
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test(expected=BadCredentialsException.class)
|
@Test(expected=BadCredentialsException.class)
|
||||||
public void usernameNotFoundExceptionIsHiddenByDefault() {
|
public void usernameNotFoundExceptionIsHiddenByDefault() {
|
||||||
final LdapAuthenticator authenticator = jmock.mock(LdapAuthenticator.class);
|
final LdapAuthenticator authenticator = jmock.mock(LdapAuthenticator.class);
|
||||||
|
|