skis created SHIRO-460:
--------------------------

             Summary: Active Directory authentication succeeds even if the user name and password are not passed.
                 Key: SHIRO-460
                 URL: https://issues.apache.org/jira/browse/SHIRO-460
             Project: Shiro
          Issue Type: Bug
          Components: Authentication (log-in)
    Affects Versions: 1.2.2
         Environment: Windows XP 32-bit; jdk1.7.0_40; maven 3.0.4; glassfish application server 3.1.2.2
            Reporter: skis


Below is how my Active Directory setup looks in shiro.ini:

ldapContextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
ldapContextFactory.url = ldap://abc.internal:389/

adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
adRealm.ldapContextFactory = $ldapContextFactory
adRealm.searchBase = "CN=Configuration,DC=abc,DC=internal"

Servlet Code:

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

Subject subject = SecurityUtils.getSubject();

// Credentials come straight from the login form; no emptiness check is done here.
String username = request.getParameter("uid");
String password = request.getParameter("pwd");
String rememberMe = request.getParameter("rememberMe");
boolean flag = false;

if (rememberMe != null && rememberMe.equalsIgnoreCase("on")) {
        flag = true;
}

if (!subject.isAuthenticated()) {
        logger.info("Authenticating user: " + username);
        UsernamePasswordToken token = new UsernamePasswordToken(username, password, flag);

        try {
                subject.login(token);
        } catch (UnknownAccountException e) {
                logger.info("Unknown user account...");
        } catch (IncorrectCredentialsException e) {
                logger.info("Incorrect credentials...");
        } catch (DisabledAccountException e) {
                logger.info("User account disabled...");
        } catch (AuthenticationException e) {
                logger.info("Authentication Exception...");
        }
}

Actions performed in login.jsp:
1. With empty username and password fields => authentication succeeds - This should not happen
2. With empty username and some random password => authentication succeeds - This should not happen
3. With non-existent username and some password => authentication fails - This is correct
4. With existing username and invalid password => authentication fails - This is correct
5. With correct username and password => authentication succeeds - This is correct.

Please let me know if you were able to reproduce this issue in your environment and what other information you would need.

FYI, the LDAP and JDBC realms are working fine; only the ActiveDirectory realm is affected.

Thank You
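Cases 1 and 2 above describe a login that succeeds with no password. A realm that binds with an empty credential can end up doing an anonymous or unauthenticated LDAP bind, which the directory accepts even though no user was verified. The following is an added, hypothetical subclass (not Shiro's own code and not part of this report) that fails closed at the realm, before any bind is attempted; it assumes the Shiro 1.2 ActiveDirectoryRealm hooks queryForAuthenticationInfo and buildAuthenticationInfo and the String-based LdapContextFactory.getLdapContext used by that version.

```java
import javax.naming.NamingException;
import javax.naming.ldap.LdapContext;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;

/**
 * Hypothetical hardened realm (added example, not Shiro's code).
 * Rejects blank usernames or passwords so an empty credential can never
 * become an anonymous/unauthenticated LDAP bind that "succeeds".
 * Configure it in shiro.ini in place of ActiveDirectoryRealm.
 */
public class StrictActiveDirectoryRealm extends ActiveDirectoryRealm {

    static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    static boolean isBlank(char[] c) {
        return c == null || isBlank(new String(c));
    }

    @Override
    protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token,
            LdapContextFactory ldapContextFactory) throws NamingException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;

        // Cases 1 and 2 of the report: fail closed before touching the directory.
        if (isBlank(upToken.getUsername()) || isBlank(upToken.getPassword())) {
            throw new AuthenticationException("username and password must not be empty");
        }

        // Cases 3 and 4: a bind with wrong credentials raises NamingException,
        // which Shiro's AbstractLdapRealm turns into an AuthenticationException.
        LdapContext ctx = null;
        try {
            ctx = ldapContextFactory.getLdapContext(upToken.getUsername(),
                    String.valueOf(upToken.getPassword()));
        } finally {
            LdapUtils.closeContext(ctx);
        }
        // Case 5: the bind succeeded, so return the authenticated principal.
        return buildAuthenticationInfo(upToken.getUsername(), upToken.getPassword());
    }
}
```

Checking in the servlet alone is not sufficient, since any other caller of the realm (REST endpoints, remember-me, programmatic logins) would bypass it; the realm is the trust boundary.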

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
