From d2ee383e063b6d290690ffdad694d9de6dcc3adb Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Wed, 31 May 2006 18:22:05 +0000
Subject: [PATCH] Changed to reject empty passwords by default.
---
 .../ldap/LdapAuthenticationProvider.java | 17 +++++++++++++----
 .../ldap/LdapAuthenticationProviderTests.java | 17 ++++++++---------
 2 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java b/core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java
index 92b5bb9bb4..e4f326eb4b 100644
--- a/core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java
+++ b/core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java
@@ -110,8 +110,8 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
 private LdapAuthenticator authenticator;
 private LdapAuthoritiesPopulator authoritiesPopulator;
- /** The provider will reject an authentication request with an empty password if this is set to "true" */
- private boolean allowEmptyPasswords = true;
+ /** The provider will allow an authentication request with an empty password if this is true */
+ private boolean allowEmptyPasswords = false;
 //~ Constructors ===================================================================================================
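Review bot: The field javadoc on the `+` line says what the flag does but not why it now defaults to false, and that rationale is the whole point of the commit; I would write it as `/** Whether an empty password is passed on to the LDAP bind. Defaults to false: a simple bind with a DN and a zero-length password is an unauthenticated bind (draft-ietf-ldapbis-authmeth, now RFC 4513 section 5.1.2), so a permissive directory would accept any user name. */`. The check that reads this flag lives in retrieveUser, outside this hunk, so I cannot see whether it treats a null credential the same way as ""; if it only tests for the empty string, a token built with null credentials may still reach the authenticator, which is worth confirming.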
@@ -136,8 +136,17 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
 /**
 * Determines whether the provider will reject empty passwords by default.
- * This may be useful when using LDAP servers which interpret an empty password as
- * anonymous access, even if a (possibly non-existent) principal is supplied.
+ * LDAP servers may allow an anonymous bind operation with an empty password, even if
+ * a DN is supplied. In practice this means that if the LDAP directory is configured
+ * to allow unauthenitcated access, it might be possible to authenticate as any
+ * user just by supplying an empty password.
+ *

+ * The use of empty passwords is disabled by default and should only be allowed
+ * if you have a very good reason.
+ * More information on the misuse of unauthenticated access can be found in
+ *
+ * draft-ietf-ldapbis-authmeth-19.txt
+ *

*/
 public void setAllowEmptyPasswords(boolean allowEmptyPasswords) {
 this.allowEmptyPasswords = allowEmptyPasswords;
diff --git a/core/src/test/java/org/acegisecurity/providers/ldap/LdapAuthenticationProviderTests.java b/core/src/test/java/org/acegisecurity/providers/ldap/LdapAuthenticationProviderTests.java
index 4f3170e5c0..ba4c8ac010 100644
--- a/core/src/test/java/org/acegisecurity/providers/ldap/LdapAuthenticationProviderTests.java
+++ b/core/src/test/java/org/acegisecurity/providers/ldap/LdapAuthenticationProviderTests.java
@@ -86,23 +86,22 @@ public class LdapAuthenticationProviderTests extends TestCase {
 } catch (BadCredentialsException expected) {}
 }
- public void testEmptyPasswordIsAcceptedByDefault() {
+ public void testEmptyPasswordIsRejectedByDefault() {
 LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
 new MockAuthoritiesPopulator());
- ldapProvider.retrieveUser("jen", new UsernamePasswordAuthenticationToken("jen", ""));
- }
-
- public void testEmptyPasswordIsRejectedWhenFlagIsSet() {
- LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
- new MockAuthoritiesPopulator());
- ldapProvider.setAllowEmptyPasswords(false);
-
 try {
 ldapProvider.retrieveUser("jen", new UsernamePasswordAuthenticationToken("jen", ""));
 fail("Expected BadCredentialsException for empty password");
 } catch (BadCredentialsException expected) {}
 }
+ public void testEmptyPasswordIsAcceptedWhenFlagIsSet() {
+ LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
+ new MockAuthoritiesPopulator());
+ ldapProvider.setAllowEmptyPasswords(true);
+ ldapProvider.retrieveUser("jen", new UsernamePasswordAuthenticationToken("jen", ""));
+ }
+
 public void testNormalUsage() {
 LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
 new MockAuthoritiesPopulator());
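Review bot: The new javadoc misspells "unauthenticated" on the third added line (`to allow unauthenitcated access`), and the unchanged summary sentence `Determines whether the provider will reject empty passwords by default.` now reads oddly for a setter whose argument enables, not rejects, empty passwords; I would change it to `Sets whether an authentication request with an empty password is accepted.` and add `@param allowEmptyPasswords true to pass empty passwords to the LDAP bind; false (the default) to reject them with a BadCredentialsException before any bind is attempted`. The draft cited in the link text has since been published as RFC 4513, whose section 5.1.2 describes exactly this unauthenticated-bind behaviour, so the reference could name the RFC. The closing brace of setAllowEmptyPasswords is not shown in this hunk.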
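Review bot: testEmptyPasswordIsAcceptedWhenFlagIsSet only proves that retrieveUser does not throw; it discards the returned user, so a provider that silently returned null for an empty password would still pass. Keep the result and check it, for example `assertNotNull(ldapProvider.retrieveUser("jen", new UsernamePasswordAuthenticationToken("jen", "")));`. Since retrieveUser is not part of this diff I cannot tell whether a null credential is also rejected by default; if it is meant to be, a sibling of testEmptyPasswordIsRejectedByDefault using `new UsernamePasswordAuthenticationToken("jen", null)` would pin that down, because an absent password reaches the same unauthenticated bind as an empty one.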