From 99e1a16d07bb0ac240583fe533244c0d31e11c09 Mon Sep 17 00:00:00 2001
From: Jesse McConnell
Date: Fri, 17 Jun 2016 18:56:41 -0500
Subject: [PATCH] Resolve Issue #649 by checking for null password on a binding ldap authentication

---
 .../org/eclipse/jetty/jaas/spi/LdapLoginModule.java | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/jetty-jaas/src/main/java/org/eclipse/jetty/jaas/spi/LdapLoginModule.java b/jetty-jaas/src/main/java/org/eclipse/jetty/jaas/spi/LdapLoginModule.java
index 11e2d3314cf..c5bf5b51bb4 100644
--- a/jetty-jaas/src/main/java/org/eclipse/jetty/jaas/spi/LdapLoginModule.java
+++ b/jetty-jaas/src/main/java/org/eclipse/jetty/jaas/spi/LdapLoginModule.java
@@ -502,7 +502,17 @@ public class LdapLoginModule extends AbstractLoginModule
 LOG.info("Attempting authentication: " + userDn);
 Hashtable environment = getEnvironment();
+
+ if ( userDn == null || "".equals(userDn) )
+ {
+ throw new NamingException("username may not be empty");
+ }
 environment.put(Context.SECURITY_PRINCIPAL, userDn);
+ // RFC 4513 section 6.3.1, protect against ldap server implementations that allow successful binding on empty passwords
+ if ( password == null || "".equals(password))
+ {
+ throw new NamingException("password may not be empty");
+ }
 environment.put(Context.SECURITY_CREDENTIALS, password);
 DirContext dirContext = new InitialDirContext(environment);