SEC-1117: Moved check for empty password from LdapAuthenticationProvider to BindAuthenticator to allow use with Ntlm.

Luke Taylor 2009-04-20 06:08:00 +00:00
parent 350f75f7f3
commit c7baeab172
4 changed files with 18 additions and 20 deletions


@ -30,6 +30,7 @@ import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
/** /**
@ -68,6 +69,12 @@ public class BindAuthenticator extends AbstractLdapAuthenticator {
String username = authentication.getName(); String username = authentication.getName();
String password = (String)authentication.getCredentials(); String password = (String)authentication.getCredentials();
if (!StringUtils.hasLength(password)) {
logger.debug("Rejecting empty password for user " + username);
throw new BadCredentialsException(messages.getMessage("LdapAuthenticationProvider.emptyPassword",
"Empty Password"));
}
// If DN patterns are configured, try authenticating with them directly // If DN patterns are configured, try authenticating with them directly
for (String dn : getUserDns(username)) { for (String dn : getUserDns(username)) {
user = bindWithDn(dn, username, password); user = bindWithDn(dn, username, password);
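Review bot: The empty-password rejection now lives only in BindAuthenticator, while LdapAuthenticationProvider (second file section) delegates to getAuthenticator().authenticate() without it, so any other LdapAuthenticator implementation that binds with user-supplied credentials has to enforce the check itself and nothing on the interface says so. A Javadoc sentence on LdapAuthenticator.authenticate would close that gap, e.g. `Implementations that bind with the supplied credentials must reject an empty password themselves; LdapAuthenticationProvider no longer does this before delegating.` Note that `StringUtils.hasLength(password)` is also false for null, so a null credential reaching this authenticator directly is reported as BadCredentialsException, whereas the provider still raises its `Assert.notNull` first — presumably intended, but worth stating in the same comment. The message key `LdapAuthenticationProvider.emptyPassword` now reads as stale since the message originates here; keeping it is harmless but a short comment such as `// key retained for compatibility with existing message bundles` would explain it. The enclosing `authenticate` method starts and ends outside the hunk.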


@ -246,12 +246,6 @@ public class LdapAuthenticationProvider implements AuthenticationProvider, Messa
String password = (String) authentication.getCredentials(); String password = (String) authentication.getCredentials();
Assert.notNull(password, "Null password was supplied in authentication token"); Assert.notNull(password, "Null password was supplied in authentication token");
if (password.length() == 0) {
logger.debug("Rejecting empty password for user " + username);
throw new BadCredentialsException(messages.getMessage("LdapAuthenticationProvider.emptyPassword",
"Empty Password"));
}
try { try {
DirContextOperations userData = getAuthenticator().authenticate(authentication); DirContextOperations userData = getAuthenticator().authenticate(authentication);


@ -15,19 +15,17 @@
package org.springframework.security.ldap.authentication; package org.springframework.security.ldap.authentication;
import static org.junit.Assert.*;
import org.junit.Test;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.SpringSecurityMessageSource; import org.springframework.security.core.SpringSecurityMessageSource;
import org.springframework.security.ldap.AbstractLdapIntegrationTests; import org.springframework.security.ldap.AbstractLdapIntegrationTests;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.DistinguishedName;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;
import org.junit.Test;
/** /**
* Tests for {@link BindAuthenticator}. * Tests for {@link BindAuthenticator}.
@ -53,6 +51,11 @@ public class BindAuthenticatorTests extends AbstractLdapIntegrationTests {
} }
@Test(expected=BadCredentialsException.class)
public void emptyPasswordIsRejected() {
authenticator.authenticate(new UsernamePasswordAuthenticationToken("jen", ""));
}
@Test @Test
public void testAuthenticationWithCorrectPasswordSucceeds() { public void testAuthenticationWithCorrectPasswordSucceeds() {
authenticator.setUserDnPatterns(new String[] {"uid={0},ou=people"}); authenticator.setUserDnPatterns(new String[] {"uid={0},ou=people"});
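Review bot: The new `emptyPasswordIsRejected` test pins only the empty-string case, yet the guard it exercises uses `StringUtils.hasLength`, which is also false for null, so a second case `authenticator.authenticate(new UsernamePasswordAuthenticationToken("jen", null));` under the same `@Test(expected=BadCredentialsException.class)` would pin that a null credential is rejected the same way rather than surfacing as a NullPointerException further down. Whether the LDAP fixture this class sets up would reject the bind anyway cannot be told from the hunk, so the test may currently pass for the wrong reason; catching the exception and asserting on the message would make the cause explicit. Separately, the import hunk replaces the explicit `assertEquals`/`fail` static imports with `import static org.junit.Assert.*;`, a wildcard form that is a style regression relative to what it replaces. The enclosing test class starts and ends outside the hunk.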


@ -82,12 +82,6 @@ public class LdapAuthenticationProviderTests {
} catch (BadCredentialsException expected) {} } catch (BadCredentialsException expected) {}
} }
@Test(expected=BadCredentialsException.class)
public void emptyPasswordIsRejected() {
LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator());
ldapProvider.authenticate(new UsernamePasswordAuthenticationToken("jen", ""));
}
@Test(expected=BadCredentialsException.class) @Test(expected=BadCredentialsException.class)
public void usernameNotFoundExceptionIsHiddenByDefault() { public void usernameNotFoundExceptionIsHiddenByDefault() {
final LdapAuthenticator authenticator = jmock.mock(LdapAuthenticator.class); final LdapAuthenticator authenticator = jmock.mock(LdapAuthenticator.class);