Resolve Issue #649 by checking for null password on a binding ldap authentication

This commit is contained in:
Jesse McConnell 2016-06-17 18:56:41 -05:00
parent fdd1cd1e94
commit 99e1a16d07
1 changed files with 10 additions and 0 deletions

View File

@ -502,7 +502,17 @@ public class LdapLoginModule extends AbstractLoginModule
LOG.info("Attempting authentication: " + userDn);
Hashtable<Object,Object> environment = getEnvironment();
if ( userDn == null || "".equals(userDn) )
{
throw new NamingException("username may not be empty");
}
environment.put(Context.SECURITY_PRINCIPAL, userDn);
// RFC 4513 section 6.3.1, protect against ldap server implementations that allow successful binding on empty passwords
if ( password == null || "".equals(password))
{
throw new NamingException("password may not be empty");
}
environment.put(Context.SECURITY_CREDENTIALS, password);
DirContext dirContext = new InitialDirContext(environment);