Changed to reject empty passwords by default.

2025-03-09 06:50:05 +00:00 · 2006-05-31 18:22:05 +00:00 · 2006-05-31 18:22:05 +00:00 · d2ee383e06
commit d2ee383e06
parent ee50d6e334
2 changed files with 21 additions and 13 deletions
--- a/core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java
+++ b/core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java
@ -110,8 +110,8 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
    private LdapAuthenticator authenticator;
    private LdapAuthoritiesPopulator authoritiesPopulator;

-    /** The provider will reject an authentication request with an empty password if this is set to "true" */
-    private boolean allowEmptyPasswords = true;
+    /** The provider will allow an authentication request with an empty password if this is true */
+    private boolean allowEmptyPasswords = false;

    //~ Constructors ===================================================================================================

@ -136,8 +136,17 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio

    /**
     * Determines whether the provider will reject empty passwords by default.
-     * This may be useful when using LDAP servers which interpret an empty password as
-     * anonymous access, even if a (possibly non-existent) principal is supplied.
+     * LDAP servers may allow an anonymous bind operation with an empty password, even if
+     * a DN is supplied. In practice this means that if the LDAP directory is configured
+     * to allow unauthenitcated access, it might be possible to authenticate as <i>any</i>
+     * user just by supplying an empty password.
+     * <p>
+     * The use of empty passwords is disabled by default and should only be allowed
+     * if you have a very good reason.
+     * More information on the misuse of unauthenticated access can be found in
+     * <a href="http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-19.txt">
+     * draft-ietf-ldapbis-authmeth-19.txt</a>
+     * </p>
     */
    public void setAllowEmptyPasswords(boolean allowEmptyPasswords) {
        this.allowEmptyPasswords = allowEmptyPasswords;
--- a/core/src/test/java/org/acegisecurity/providers/ldap/LdapAuthenticationProviderTests.java
+++ b/core/src/test/java/org/acegisecurity/providers/ldap/LdapAuthenticationProviderTests.java
@ -86,23 +86,22 @@ public class LdapAuthenticationProviderTests extends TestCase {
        } catch (BadCredentialsException expected) {}
    }

-    public void testEmptyPasswordIsAcceptedByDefault() {
+    public void testEmptyPasswordIsRejectedByDefault() {
        LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
                new MockAuthoritiesPopulator());
-        ldapProvider.retrieveUser("jen", new UsernamePasswordAuthenticationToken("jen", ""));
-    }
-
-    public void testEmptyPasswordIsRejectedWhenFlagIsSet() {
-        LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
-                new MockAuthoritiesPopulator());
-        ldapProvider.setAllowEmptyPasswords(false);
-
        try {
            ldapProvider.retrieveUser("jen", new UsernamePasswordAuthenticationToken("jen", ""));
            fail("Expected BadCredentialsException for empty password");
        } catch (BadCredentialsException expected) {}
    }

+    public void testEmptyPasswordIsAcceptedWhenFlagIsSet() {
+        LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
+                new MockAuthoritiesPopulator());
+        ldapProvider.setAllowEmptyPasswords(true);
+        ldapProvider.retrieveUser("jen", new UsernamePasswordAuthenticationToken("jen", ""));
+    }
+
    public void testNormalUsage() {
        LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
                new MockAuthoritiesPopulator());