Changed to reject empty passwords by default.

core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java

@@ -110,8 +110,8 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
     private LdapAuthenticator authenticator;
     private LdapAuthoritiesPopulator authoritiesPopulator;
 
-    /** The provider will reject an authentication request with an empty password if this is set to "true" */
+    /** The provider will allow an authentication request with an empty password if this is true */
-    private boolean allowEmptyPasswords = true;
+    private boolean allowEmptyPasswords = false;
 
     //~ Constructors ===================================================================================================
 
@@ -136,8 +136,17 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
 
     /**
      * Determines whether the provider will reject empty passwords by default.
-     * This may be useful when using LDAP servers which interpret an empty password as
+     * LDAP servers may allow an anonymous bind operation with an empty password, even if
-     * anonymous access, even if a (possibly non-existent) principal is supplied.
+     * a DN is supplied. In practice this means that if the LDAP directory is configured
+     * to allow unauthenitcated access, it might be possible to authenticate as <i>any</i>
+     * user just by supplying an empty password.
+     * <p>
+     * The use of empty passwords is disabled by default and should only be allowed
+     * if you have a very good reason.
+     * More information on the misuse of unauthenticated access can be found in
+     * <a href="http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-19.txt">
+     * draft-ietf-ldapbis-authmeth-19.txt</a>
+     * </p>
      */
     public void setAllowEmptyPasswords(boolean allowEmptyPasswords) {
         this.allowEmptyPasswords = allowEmptyPasswords;

core/src/test/java/org/acegisecurity/providers/ldap/LdapAuthenticationProviderTests.java

@@ -86,23 +86,22 @@ public class LdapAuthenticationProviderTests extends TestCase {
         } catch (BadCredentialsException expected) {}
     }
 
-    public void testEmptyPasswordIsAcceptedByDefault() {
+    public void testEmptyPasswordIsRejectedByDefault() {
         LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
                 new MockAuthoritiesPopulator());
-        ldapProvider.retrieveUser("jen", new UsernamePasswordAuthenticationToken("jen", ""));
-    }
-
-    public void testEmptyPasswordIsRejectedWhenFlagIsSet() {
-        LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
-                new MockAuthoritiesPopulator());
-        ldapProvider.setAllowEmptyPasswords(false);
-
         try {
             ldapProvider.retrieveUser("jen", new UsernamePasswordAuthenticationToken("jen", ""));
             fail("Expected BadCredentialsException for empty password");
         } catch (BadCredentialsException expected) {}
     }
 
+    public void testEmptyPasswordIsAcceptedWhenFlagIsSet() {
+        LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
+                new MockAuthoritiesPopulator());
+        ldapProvider.setAllowEmptyPasswords(true);
+        ldapProvider.retrieveUser("jen", new UsernamePasswordAuthenticationToken("jen", ""));
+    }
+
     public void testNormalUsage() {
         LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
                 new MockAuthoritiesPopulator());