GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

SEC-284: Removed allowEmptyPassword flag..

1.0.x
Luke Taylor 20 years ago
parent
d2ee383e06
commit
5d7a75a421
2 changed files with 15 additions and 35 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 38
      core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java
  2. 12
      core/src/test/java/org/acegisecurity/providers/ldap/LdapAuthenticationProviderTests.java

38
core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java
Unescape View File

@ -41,7 +41,7 @@ import org.springframework.util.StringUtils; @@ -41,7 +41,7 @@ import org.springframework.util.StringUtils;
* its responsibilites to two separate strategy interfaces, {@link LdapAuthenticator}
* and {@link LdapAuthoritiesPopulator}.</p>
*
* <h3>LdapAuthenticator</h3>
* <h3>LdapAuthenticator</h3>
* This interface is responsible for performing the user authentication and retrieving
* the user's information from the directory. Example implementations are {@link
* org.acegisecurity.providers.ldap.authenticator.BindAuthenticator BindAuthenticator} which authenticates the user by
@ -52,7 +52,7 @@ import org.springframework.util.StringUtils; @@ -52,7 +52,7 @@ import org.springframework.util.StringUtils;
* attributes may depend on the type of authentication being used; for example, if binding as the user, it may be
* necessary to read them with the user's own permissions (using the same context used for the bind operation).</p>
*
* <h3>LdapAuthoritiesPopulator</h3>
* <h3>LdapAuthoritiesPopulator</h3>
* Once the user has been authenticated, this interface is called to obtain the set of granted authorities for the
* user.
* The
@ -63,7 +63,7 @@ import org.springframework.util.StringUtils; @@ -63,7 +63,7 @@ import org.springframework.util.StringUtils;
* <p>A custom implementation could obtain the roles from a completely different source, for example from a database.
* </p>
*
* <h3>Configuration</h3>A simple configuration might be as follows:
* <h3>Configuration</h3>A simple configuration might be as follows:
* <pre>
* &lt;bean id="initialDirContextFactory" class="org.acegisecurity.providers.ldap.DefaultInitialDirContextFactory">
* &lt;constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/>
@ -93,6 +93,15 @@ import org.springframework.util.StringUtils; @@ -93,6 +93,15 @@ import org.springframework.util.StringUtils;
* authentication, roles will be assigned to the user by searching under the DN
* <tt>ou=groups,dc=acegisecurity,dc=org</tt> with the default filter <tt>(member=&lt;user's-DN&gt;)</tt>. The role
* name will be taken from the "ou" attribute of each match.</p>
* <p>
* The authenticate method will reject empty passwords outright. LDAP servers may allow an anonymous
* bind operation with an empty password, even if a DN is supplied. In practice this means that if
* the LDAP directory is configured to allow unauthenitcated access, it might be possible to
* authenticate as <i>any</i> user just by supplying an empty password.
* More information on the misuse of unauthenticated access can be found in
* <a href="http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-19.txt">
* draft-ietf-ldapbis-authmeth-19.txt</a>.
* </p>
*
* @author Luke Taylor
* @version $Id$
@ -110,9 +119,6 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio @@ -110,9 +119,6 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
private LdapAuthenticator authenticator;
private LdapAuthoritiesPopulator authoritiesPopulator;
/** The provider will allow an authentication request with an empty password if this is true */
private boolean allowEmptyPasswords = false;
//~ Constructors ===================================================================================================
public LdapAuthenticationProvider(LdapAuthenticator authenticator, LdapAuthoritiesPopulator authoritiesPopulator) {
@ -134,24 +140,6 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio @@ -134,24 +140,6 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
}
}
/**
* Determines whether the provider will reject empty passwords by default.
* LDAP servers may allow an anonymous bind operation with an empty password, even if
* a DN is supplied. In practice this means that if the LDAP directory is configured
* to allow unauthenitcated access, it might be possible to authenticate as <i>any</i>
* user just by supplying an empty password.
* <p>
* The use of empty passwords is disabled by default and should only be allowed
* if you have a very good reason.
* More information on the misuse of unauthenticated access can be found in
* <a href="http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-19.txt">
* draft-ietf-ldapbis-authmeth-19.txt</a>
* </p>
*/
public void setAllowEmptyPasswords(boolean allowEmptyPasswords) {
this.allowEmptyPasswords = allowEmptyPasswords;
}
/**
* Creates the final <tt>UserDetails</tt> object that will be returned by the provider once the user has
* been authenticated.<p>The <tt>LdapAuthoritiesPopulator</tt> will be used to create the granted
@ -198,7 +186,7 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio @@ -198,7 +186,7 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
String password = (String) authentication.getCredentials();
Assert.notNull(password, "Null password was supplied in authentication token");
if(!allowEmptyPasswords && password.length() == 0) {
if (password.length() == 0) {
logger.debug("Rejecting empty password for user " + username);
throw new BadCredentialsException(messages.getMessage("LdapAuthenticationProvider.emptyPassword",
"Empty Password"));

12
core/src/test/java/org/acegisecurity/providers/ldap/LdapAuthenticationProviderTests.java
Unescape View File

@ -34,8 +34,7 @@ import javax.naming.directory.BasicAttributes; @@ -34,8 +34,7 @@ import javax.naming.directory.BasicAttributes;
/**
*
DOCUMENT ME!
* Tests {@link LdapAuthenticationProvider}.
*
* @author Luke Taylor
* @version $Id$
@ -86,7 +85,7 @@ public class LdapAuthenticationProviderTests extends TestCase { @@ -86,7 +85,7 @@ public class LdapAuthenticationProviderTests extends TestCase {
} catch (BadCredentialsException expected) {}
}
public void testEmptyPasswordIsRejectedByDefault() {
public void testEmptyPasswordIsRejected() {
LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
new MockAuthoritiesPopulator());
try {
@ -95,13 +94,6 @@ public class LdapAuthenticationProviderTests extends TestCase { @@ -95,13 +94,6 @@ public class LdapAuthenticationProviderTests extends TestCase {
} catch (BadCredentialsException expected) {}
}
public void testEmptyPasswordIsAcceptedWhenFlagIsSet() {
LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
new MockAuthoritiesPopulator());
ldapProvider.setAllowEmptyPasswords(true);
ldapProvider.retrieveUser("jen", new UsernamePasswordAuthenticationToken("jen", ""));
}
public void testNormalUsage() {
LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(),
new MockAuthoritiesPopulator());

Write Preview
Loading…
Cancel
Save