Hi Lee,

Empty passwords should only be allowed if the backend server allows them. If the server does not allow them, this would be a bug.

Can you please open a Jira issue w/ a simple test case so we can fix this?

As an interim fix, you can use Shiro's StringUtils.clean(String in); method to trim to null. If the resulting value is null, throw an exception.

Please open a Jira issue - we'll look out for it.

Thanks,

Les

On Wed, Mar 21, 2012 at 1:01 AM, lee yeushian <[email protected]> wrote:
> Hi,
>
> I found out my problem, which is similar to the post mentioned earlier in the
> Shiro User Forum with the title "Authentication with AD/LDAP problem".
>
> I was using the latest Shiro 1.2.0
>
> Here is my problem:
> I extend my realm from ActiveDirectoryRealm and I only override
> doGetAuthorizationInfo() to provide my roles/permissions from my DB.
>
> When it comes to Authentication:
> Right username with right password, it authenticated.
> Right username with wrong password, it failed to authenticate.
> BUT..
> Right username with blank password, it AUTHENTICATED as well.
> Wrong username with blank password, it AUTHENTICATED as well.
>
> Summary is as long as the password is blank, it will get authenticated.
>
> Any idea about this?
>
> Best Regards,
> Nick
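The interim fix Les describes, as an added example realm (this is not Shiro's own code and not code from either poster): a subclass of ActiveDirectoryRealm that rejects blank credentials before any LDAP bind is attempted. An empty password sent to a directory server can be treated as an unauthenticated (anonymous) bind and succeed, so the realm must fail closed itself rather than trust the server to refuse it. The class name NonEmptyPasswordAdRealm and the isBlank helper are assumptions; StringUtils.clean, UsernamePasswordToken, AuthenticationException and the overridden doGetAuthenticationInfo are the real Shiro 1.2 APIs.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.util.StringUtils;

/**
 * Hypothetical realm (added example, not part of Shiro) that refuses blank
 * usernames and blank passwords before delegating to the normal LDAP bind.
 * Without this guard, a whitespace-only or empty password may be forwarded
 * to the directory server, where it can be accepted as an anonymous bind.
 */
public class NonEmptyPasswordAdRealm extends ActiveDirectoryRealm {

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        if (!(token instanceof UsernamePasswordToken)) {
            // Fail closed on anything we do not know how to validate.
            throw new AuthenticationException("Unsupported token type: "
                    + (token == null ? "null" : token.getClass().getName()));
        }
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;

        // StringUtils.clean() trims and returns null for null, empty or
        // whitespace-only input, so a null result means "blank username".
        if (StringUtils.clean(upToken.getUsername()) == null) {
            throw new AuthenticationException("Username must not be blank.");
        }

        // The password is a char[]; inspect it in place instead of copying it
        // into an immutable String just to call clean() on it.
        if (isBlank(upToken.getPassword())) {
            throw new AuthenticationException("Password must not be blank.");
        }

        // Both values are non-blank: let the real LDAP bind decide.
        return super.doGetAuthenticationInfo(token);
    }

    /** Assumed helper: true for null, empty, or all-whitespace passwords. */
    static boolean isBlank(char[] password) {
        if (password == null || password.length == 0) {
            return true;
        }
        for (char c : password) {
            if (!Character.isWhitespace(c)) {
                return false;
            }
        }
        return true;
    }
}
```

Wire the class in place of the stock realm (e.g. in shiro.ini, `realm = com.example.NonEmptyPasswordAdRealm` with the same url/searchBase settings already in use; the package name is a placeholder). Any existing doGetAuthorizationInfo() override that loads roles from the database is unaffected, since only the authentication path gains the blank-credential check.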
