[ 
https://issues.apache.org/jira/browse/SHIRO-460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13908427#comment-13908427
 ] 

Cservenak, Tamas commented on SHIRO-460:
----------------------------------------

Seems related
http://stackoverflow.com/questions/21391572/shiro-authenticates-non-existent-user-in-ldap

> Active Directory succeeds even if  the user name and password is not passed.
> ----------------------------------------------------------------------------
>
>                 Key: SHIRO-460
>                 URL: https://issues.apache.org/jira/browse/SHIRO-460
>             Project: Shiro
>          Issue Type: Bug
>          Components: Authentication (log-in)
>    Affects Versions: 1.2.2
>         Environment: Windows XP 32-bit; jdk1.7.0_40; maven 3.0.4; glassfish 
> application server 3.1.2.2
>            Reporter: skis
>
> Here below is how my active directory setup looks like in shiro.ini:
> ldapContextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
> ldapContextFactory.url = ldap://abc.internal:389/
> adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
> adRealm.ldapContextFactory = $ldapContextFactory
> adRealm.searchBase = "CN=Configuration,DC=abc,DC=internal"
> Servlet Code:
> Subject subject = SecurityUtils.getSubject();
> String username = request.getParameter("uid");
> String password = request.getParameter("pwd");
> String rememberMe = request.getParameter("rememberMe");
> Boolean flag = false;
> if (rememberMe != null && rememberMe.equalsIgnoreCase("on")) {
>     flag = true;
> }
> if (!subject.isAuthenticated()) {
>     logger.info("Authenticating user: " + request.getParameter("uid"));
>     UsernamePasswordToken token = new UsernamePasswordToken(username, password, flag);
>     try {
>         subject.login(token);
>     } catch (UnknownAccountException e) {
>         logger.info("Unknown user account...");
>     } catch (IncorrectCredentialsException e) {
>         logger.info("Incorrect credentials...");
>     } catch (DisabledAccountException e) {
>         logger.info("User account disabled...");
>     } catch (AuthenticationException e) {
>         logger.info("Authentication Exception...");
>     }
> }
> Actions performed in login.jsp:
> 1. With empty username and password field => authentication succeeds - This should not happen
> 2. With empty username and some random password => authentication succeeds - This should not happen
> 3. With non-existent username and some password => authentication fails - This is correct
> 4. With existing username and invalid password => authentication fails - This is correct
> 5. With correct username and password => authentication succeeds - This is correct.
> Please let me know if you were able to reproduce this issue in your 
> environment and what other information would you need.
> FYI, The Ldap and Jdbc Realms are working fine except for the ActiveDirectory 
> realm.
> Thank You



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
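Cases 1 and 2 in the report are the classic LDAP simple-bind pitfall: a bind request whose name or password is empty is an anonymous or unauthenticated bind (RFC 4513), which the directory may accept even though no credential was ever verified. One defensive pattern is to fail the login before any bind is attempted, at the realm rather than in each servlet so every login path is covered. The realm subclass below is an added example written for this page, not code from the SHIRO-460 report or from the Shiro project; it assumes the Shiro 1.2 API names ActiveDirectoryRealm, queryForAuthenticationInfo and LdapContextFactory, and the class name StrictActiveDirectoryRealm is hypothetical.

```java
// Added example, not from the SHIRO-460 report or the Shiro code base.
// Assumes Shiro 1.2's ActiveDirectoryRealm / LdapContextFactory API;
// StrictActiveDirectoryRealm is a hypothetical name.
package example;

import javax.naming.NamingException;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;

/**
 * Refuses to attempt an LDAP bind when the username or password is blank.
 * A simple bind with an empty name or empty password is an anonymous or
 * unauthenticated bind (RFC 4513); a server that accepts it reports success
 * without checking any credential, which is what cases 1 and 2 show.
 */
public class StrictActiveDirectoryRealm extends ActiveDirectoryRealm {

    @Override
    protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token,
                                                            LdapContextFactory ldapContextFactory)
            throws NamingException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        // Fail closed before any network traffic, so the bind can never
        // degrade into an anonymous one.
        rejectIfBlank(upToken.getUsername(), upToken.getPassword());
        return super.queryForAuthenticationInfo(token, ldapContextFactory);
    }

    /** Throws AuthenticationException (unchecked in Shiro) for blank input. */
    static void rejectIfBlank(String username, char[] password) {
        if (username == null || username.trim().isEmpty()) {
            throw new AuthenticationException("Username must not be blank");
        }
        if (password == null || password.length == 0
                || new String(password).trim().isEmpty()) {
            throw new AuthenticationException("Password must not be blank");
        }
    }
}
```

Register it in shiro.ini in place of ActiveDirectoryRealm (adRealm = example.StrictActiveDirectoryRealm); the servlet's existing catch of AuthenticationException then handles the rejected blank-credential attempts.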