What realm are you using? ActiveDirectoryRealm? Are empty passwords allowed by your underlying AD installation for that test user?
The JNDI env map that is built by the LdapContextFactory calls the following line:

env.put(Context.SECURITY_CREDENTIALS, credentials);

where credentials would be your empty string. If JNDI allows that connection with an empty string, then perhaps 1) this is a JNDI problem or 2) AD allows empty passwords for that username? I'm not sure why that would be the case... Any ideas?

Les

On Wed, May 18, 2011 at 8:41 AM, Minas Manthos <[email protected]> wrote:
> I'm wondering why shiro (v1.1) let me authenticate via AD with empty password
>
> SecurityUtils.getSubject().login(new UsernamePasswordToken("user",
> "correctPW", false));
> -> OK (expected)
> SecurityUtils.getSubject().login(new UsernamePasswordToken("user",
> "wrongPW", false));
> -> FAIL (expected)
> SecurityUtils.getSubject().login(new UsernamePasswordToken("user", "",
> false));
> -> OK! (why?)
>
> Same situation with LDAP does not authenticate (as expected)...
>
> Thanks for feedback
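
Editor's note, added to this thread and not code from Shiro or from either poster: the behaviour Les traces to env.put(Context.SECURITY_CREDENTIALS, credentials) is the LDAP "unauthenticated" mechanism of simple bind (RFC 4513 section 5.1.2). A bind request that carries a name but an empty password is not a failed password check; servers that permit it, and Active Directory does by default, answer success and hand back an anonymous session. JNDI passes the empty string straight through, so the only reliable fix is to refuse an empty password before the context is ever created. The example below shows that guard in front of the same JNDI environment the thread describes. The class name, the LDAP URL and the sample principal are hypothetical.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Guarded LDAP simple bind (added illustration, not Shiro's own code).
 * The URL, the class name and the sample principal are hypothetical.
 */
public class GuardedLdapBind {

    static final String LDAP_URL = "ldap://dc.corp.example:389"; // hypothetical

    /**
     * Builds the same kind of JNDI environment the thread describes, but
     * refuses to build one that would bind with no password at all.
     */
    static Hashtable<String, Object> buildEnv(String principal, char[] credentials) {
        if (principal == null || principal.trim().isEmpty()) {
            throw new IllegalArgumentException("principal must not be empty");
        }
        // RFC 4513 s5.1.2: name + empty password is the "unauthenticated" simple
        // bind. A server that allows it (AD by default) returns success and grants
        // an anonymous session, so the bind result proves nothing about the
        // password. Fail here, before JNDI ever talks to the directory.
        if (credentials == null || credentials.length == 0) {
            throw new IllegalArgumentException(
                    "empty password would produce an unauthenticated (anonymous) bind");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, new String(credentials));
        return env;
    }

    /** Returns true only if the server accepted a non-empty password. */
    static boolean authenticate(String principal, char[] credentials) {
        Hashtable<String, Object> env;
        try {
            env = buildEnv(principal, credentials);
        } catch (IllegalArgumentException rejected) {
            return false; // never reaches the directory
        }
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // this constructor performs the bind
            return true;
        } catch (NamingException e) {
            return false; // wrong password, unknown user, or server unreachable
        } finally {
            if (ctx != null) {
                try {
                    ctx.close();
                } catch (NamingException ignored) {
                    // nothing useful to do on close failure
                }
            }
        }
    }

    public static void main(String[] args) {
        // Runs offline: the empty-password case is rejected before any network I/O,
        // so this prints false without contacting LDAP_URL.
        System.out.println("empty password accepted? "
                + authenticate("user@corp.example", new char[0]));
        // With a real directory behind LDAP_URL the next line would attempt a bind:
        // authenticate("user@corp.example", "correctPW".toCharArray());
    }
}
```

In a Shiro realm the same guard belongs in the realm (or in a custom LdapContextFactory) before the context is created, throwing org.apache.shiro.authc.AuthenticationException so that login() fails the way the "wrongPW" case does. The guard takes char[] because UsernamePasswordToken.getPassword() returns char[]; only an empty array is rejected, since a whitespace-only password is still a real (if poor) password and will be checked by the server.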
