Bugs item #627405, was opened at 2002-10-23 13:51
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=376685&aid=627405&group_id=22866

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Erik Konijnenburg (konijnenburg)
Assigned to: Nobody/Anonymous (nobody)
Summary: LdapLoginModule accepts empty password

Initial Comment:
Hi there,

When I log in on my web site (I am using forms) using 
the LdapLoginModule, I don't have to supply a password 
to log in. The LDAP server (Netscape Directory Server 
4.12) seems to allow for anonymous authentication. 
Using the right password authenticates the user; using a 
wrong password (except empty) does not.




   <application-policy name="LDAPRealm">
      <authentication>
         <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://NLRTMWS001:389/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="principalDNPrefix">cn=</module-option>
            <module-option name="principalDNSuffix">,cn=basic,cn=Signons,cn=default,cn=Authentication Data,o=sdfsadf,c=NL</module-option>
            <!--   <module-option name="userRolesCtxDNAttributeName">authid</module-option> -->
            <module-option name="uidAttributeID">authbasicsignonlist</module-option>
            <module-option name="roleAttributeID">authuserclasslist</module-option>
            <module-option name="rolesCtxDN">cn=Users,cn=default,cn=Authentication Data,o=vopakwst,c=nl</module-option>
            <!--   <module-option name="hashAlgorithm">SHA-1</module-option>
            <module-option name="hashEncoding">base64</module-option>  -->
         </login-module>
      </authentication>
   </application-policy>

----------------------------------------------------------------------

>Comment By: Erik Konijnenburg (konijnenburg)
Date: 2002-10-23 14:27

Message:
Logged In: YES 
user_id=522939

A possible patch is:

protected boolean validatePassword(String inputPassword, String expectedPassword)
   {
      boolean isValid = false;
      if( inputPassword != null && inputPassword.length() > 0 )
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      {

Even better make this an option

----------------------------------------------------------------------

Comment By: Erik Konijnenburg (konijnenburg)
Date: 2002-10-23 14:26

Message:
Logged In: YES 
user_id=522939

A possible patch is:

protected boolean validatePassword(String inputPassword, String expectedPassword)
   {
      boolean isValid = false;
      if( inputPassword != null && inputPassword.length() > 0 )
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      {

Even better make this an option

----------------------------------------------------------------------
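
The behaviour reported in this item, as an added example that is not part of the original report or of the JBoss sources: many LDAP servers treat a simple bind with a DN and an empty password as an unauthenticated bind that succeeds, so a login check that only tests whether the bind worked accepts the empty password unless it is rejected before binding. The class name, the Binder interface, the fake directory, the sample DN and the sample password are assumptions made so the example runs offline.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

public class EmptyPasswordBindGuard {
    /** Hypothetical seam so the bind can be faked without a directory server. */
    interface Binder { void bind(String userDN, String password) throws NamingException; }

    /** Real JNDI simple bind with the factory and mechanism from the reported config. */
    static Binder jndi(String providerUrl) {
        return (dn, pw) -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, providerUrl);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, dn);
            env.put(Context.SECURITY_CREDENTIALS, pw);
            new InitialDirContext(env).close();   // throws if the server refuses the bind
        };
    }

    /** Bind-only check: whatever the server accepts counts as a successful login. */
    static boolean validateUnguarded(Binder b, String dn, String pw) {
        try { b.bind(dn, pw); return true; } catch (NamingException e) { return false; }
    }

    /** Same check with the guard from the proposed patch: never bind with a null or empty password. */
    static boolean validateGuarded(Binder b, String dn, String pw) {
        if (pw == null || pw.length() == 0) return false;
        return validateUnguarded(b, dn, pw);
    }

    public static void main(String[] args) {
        // Constructed fake directory: accepts the right password and, like the
        // server in the report, also accepts an empty one.
        Binder fake = (dn, pw) -> {
            if (!pw.isEmpty() && !pw.equals("s3cret"))
                throw new AuthenticationException("invalid credentials");
        };
        String dn = "cn=alice,cn=basic,cn=Signons";   // constructed sample DN
        System.out.println("unguarded, empty password: " + validateUnguarded(fake, dn, ""));
        System.out.println("guarded, empty password:   " + validateGuarded(fake, dn, ""));
        System.out.println("guarded, right password:   " + validateGuarded(fake, dn, "s3cret"));
        System.out.println("guarded, wrong password:   " + validateGuarded(fake, dn, "nope"));
    }
}
```

To try the guard against a real directory, pass jndi("ldap://host:389/") in place of the fake binder.
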

_______________________________________________
Jboss-development mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-development