I added a testcase of sending a null password to the LdapLoginModule and it correctly fails to authenticate the user. Have you tried a simple JNDI test against your server to make sure it is not allowing this? If it does not, create a simple war or ear that demonstrates the problem and post it as a bug to sourceforge.

xxxxxxxxxxxxxxxxxxxxxxxx
Scott Stark
Chief Technology Officer
JBoss Group, LLC
xxxxxxxxxxxxxxxxxxxxxxxx

----- Original Message -----
From: "Sonnek, Ryan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 24, 2002 11:17 AM
Subject: RE: [JBoss-user] LdapLoginModule null password

> thanks for the reply, but taking out the principal and credentials from the
> auth.conf file didn't change the outcome. when I hit a protected url, I'm
> prompted for the username and password, and if I input my username with a
> null password, it still lets me in.
>
> checking the jboss logs, i get this information when i first hit the url :
> [DEBUG,LdapLoginModule] Bad password for username=null
> which seems to mean that first it tries to access the resource as an
> anonymous user, then if that fails, i'm prompted with the dialog box.
>
> using the jboss 2.4.4 documentation, page 261 says that the
> java.naming.security.principal and java.naming.security.credentials
> properties are allowed for authenticating the caller to the service. i
> thought this was required if you're not allowing anonymous queries and
> needed to bind as a user in order to authenticate with the desired username.
>
>
> any other ideas on why this could be happening?
>
> -----Original Message-----
> From: Scott M Stark [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 24, 2002 11:58 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [JBoss-user] LdapLoginModule null password
>
>
> Because you are supplying the credentials to use in the configuration.
> Neither
>
> java.naming.security.principal="cn=admin,dc=mybpc,dc=net"
>
> java.naming.security.credentials="xxxxxx"
>
> should be in the configuration. These are generated based on the caller
> principal and credentials, but if you specify them and then do not provide
> this info you have defined a default login for everyone. Where in the docs
> does it say to include these?
>
> xxxxxxxxxxxxxxxxxxxxxxxx
> Scott Stark
> Chief Technology Officer
> JBoss Group, LLC
> xxxxxxxxxxxxxxxxxxxxxxxx

_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
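
One form the "simple JNDI test" suggested in the reply could take, as an added example that is not code from the thread or from JBoss: it attempts a simple bind with a user DN and an empty password, which LDAP servers that permit anonymous access typically accept as an anonymous bind, and shows a guard that refuses empty passwords before any bind. The class name `LdapEmptyPasswordCheck`, the server URL and the user DN are assumptions; the last two are supplied on the command line.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.NamingSecurityException;
import javax.naming.OperationNotSupportedException;
import javax.naming.directory.InitialDirContext;

// Hypothetical test class; not part of JBoss or LdapLoginModule.
public class LdapEmptyPasswordCheck {

    // Simple bind as userDn; true means the server accepted the bind.
    // Connection problems propagate as other NamingExceptions.
    static boolean bindSucceeds(String url, String userDn, String password)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close(); // the constructor performs the bind
            return true;
        } catch (NamingSecurityException | OperationNotSupportedException e) {
            return false; // bad credentials, or empty-password binds are disabled
        }
    }

    // Guard for a login path: never hand an empty password to the directory,
    // because a successful bind would then prove nothing about the caller.
    static boolean authenticate(String url, String userDn, String password)
            throws NamingException {
        if (userDn == null || userDn.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        return bindSucceeds(url, userDn, password);
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 2) {
            System.err.println("usage: LdapEmptyPasswordCheck <ldap-url> <user-dn>");
            System.exit(2);
        }
        boolean raw = bindSucceeds(args[0], args[1], "");
        boolean guarded = authenticate(args[0], args[1], "");
        System.out.println("bind with empty password accepted by server: " + raw);
        System.out.println("guarded authenticate() with empty password:   " + guarded);
    }
}
```

If the first line prints `true`, the directory accepts empty-password binds and any login code that equates "bind succeeded" with "user authenticated" needs the guard, or the server needs such binds disabled.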
