Resolve Issue #649 by checking for null password on a binding ldap authentication

This commit is contained in:
Jesse McConnell 2016-06-17 18:56:41 -05:00 committed by Joakim Erdfelt
parent 0d74c3ec2c
commit d9d20670fb
1 changed files with 10 additions and 0 deletions


@ -480,7 +480,17 @@ public class LdapLoginModule extends AbstractLoginModule
LOG.info("Attempting authentication: " + userDn); LOG.info("Attempting authentication: " + userDn);
Hashtable<Object,Object> environment = getEnvironment(); Hashtable<Object,Object> environment = getEnvironment();
if ( userDn == null || "".equals(userDn) )
{
throw new NamingException("username may not be empty");
}
environment.put(Context.SECURITY_PRINCIPAL, userDn); environment.put(Context.SECURITY_PRINCIPAL, userDn);
// RFC 4513 section 6.3.1, protect against ldap server implementations that allow successful binding on empty passwords
if ( password == null || "".equals(password))
{
throw new NamingException("password may not be empty");
}
environment.put(Context.SECURITY_CREDENTIALS, password); environment.put(Context.SECURITY_CREDENTIALS, password);
DirContext dirContext = new InitialDirContext(environment); DirContext dirContext = new InitialDirContext(environment);