
SEC-1117: Moved check for empty password from LdapAuthenticationProvider to BindAuthenticator to allow use with Ntlm.

3.0.x
Luke Taylor 17 years ago
parent
commit
c7baeab172
  1. 7
      ldap/src/main/java/org/springframework/security/ldap/authentication/BindAuthenticator.java
  2. 6
      ldap/src/main/java/org/springframework/security/ldap/authentication/LdapAuthenticationProvider.java
  3. 19
      ldap/src/test/java/org/springframework/security/ldap/authentication/BindAuthenticatorTests.java
  4. 6
      ldap/src/test/java/org/springframework/security/ldap/authentication/LdapAuthenticationProviderTests.java

7
ldap/src/main/java/org/springframework/security/ldap/authentication/BindAuthenticator.java

@ -30,6 +30,7 @@ import org.springframework.security.authentication.BadCredentialsException; @@ -30,6 +30,7 @@ import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
/**
@ -68,6 +69,12 @@ public class BindAuthenticator extends AbstractLdapAuthenticator { @@ -68,6 +69,12 @@ public class BindAuthenticator extends AbstractLdapAuthenticator {
String username = authentication.getName();
String password = (String)authentication.getCredentials();
if (!StringUtils.hasLength(password)) {
logger.debug("Rejecting empty password for user " + username);
throw new BadCredentialsException(messages.getMessage("LdapAuthenticationProvider.emptyPassword",
"Empty Password"));
}
// If DN patterns are configured, try authenticating with them directly
for (String dn : getUserDns(username)) {
user = bindWithDn(dn, username, password);
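Review bot: With this guard in `authenticate` as the only empty-password check, every other `LdapAuthenticator` reached through `getAuthenticator().authenticate(authentication)` in `LdapAuthenticationProvider` now has to repeat it, because the same commit removes the provider-level rejection. That matters because a simple bind with an empty password is an unauthenticated bind (RFC 4513, section 5.1.2) that many directory servers report as successful, so a custom bind-based authenticator without the check could accept a login with no password. I would state the requirement in the `LdapAuthenticator` Javadoc and add a why-comment above the new `if`, for example `// Empty password = LDAP unauthenticated bind, which servers may accept; reject before any bind attempt.` The message key `LdapAuthenticationProvider.emptyPassword` still names the provider, which deserves a short comment as well. The `authenticate` method starts and ends outside this hunk.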

6
ldap/src/main/java/org/springframework/security/ldap/authentication/LdapAuthenticationProvider.java

@ -246,12 +246,6 @@ public class LdapAuthenticationProvider implements AuthenticationProvider, Messa @@ -246,12 +246,6 @@ public class LdapAuthenticationProvider implements AuthenticationProvider, Messa
String password = (String) authentication.getCredentials();
Assert.notNull(password, "Null password was supplied in authentication token");
if (password.length() == 0) {
logger.debug("Rejecting empty password for user " + username);
throw new BadCredentialsException(messages.getMessage("LdapAuthenticationProvider.emptyPassword",
"Empty Password"));
}
try {
DirContextOperations userData = getAuthenticator().authenticate(authentication);

19
ldap/src/test/java/org/springframework/security/ldap/authentication/BindAuthenticatorTests.java

@ -15,19 +15,17 @@ @@ -15,19 +15,17 @@
package org.springframework.security.ldap.authentication;
import static org.junit.Assert.*;
import org.junit.Test;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.SpringSecurityMessageSource;
import org.springframework.security.ldap.AbstractLdapIntegrationTests;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.DistinguishedName;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;
import org.junit.Test;
/**
* Tests for {@link BindAuthenticator}.
@ -53,6 +51,11 @@ public class BindAuthenticatorTests extends AbstractLdapIntegrationTests { @@ -53,6 +51,11 @@ public class BindAuthenticatorTests extends AbstractLdapIntegrationTests {
}
@Test(expected=BadCredentialsException.class)
public void emptyPasswordIsRejected() {
authenticator.authenticate(new UsernamePasswordAuthenticationToken("jen", ""));
}
@Test
public void testAuthenticationWithCorrectPasswordSucceeds() {
authenticator.setUserDnPatterns(new String[] {"uid={0},ou=people"});
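Review bot: `emptyPasswordIsRejected` may pass without exercising the new guard: no DN pattern is set before the call (the next test sets its own with `setUserDnPatterns`), so if the fixture configures neither patterns nor a search, `authenticate` could raise `BadCredentialsException` simply because no entry was bound. Setting a pattern first, `authenticator.setUserDnPatterns(new String[] {"uid={0},ou=people"});`, would make the test fail if the check were ever removed. Since `StringUtils.hasLength` is also false for `null`, a second case with `new UsernamePasswordAuthenticationToken("jen", null)` would pin that path too. The test class setup is outside this hunk, so the fixture state is inferred.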

6
ldap/src/test/java/org/springframework/security/ldap/authentication/LdapAuthenticationProviderTests.java

@ -82,12 +82,6 @@ public class LdapAuthenticationProviderTests { @@ -82,12 +82,6 @@ public class LdapAuthenticationProviderTests {
} catch (BadCredentialsException expected) {}
}
@Test(expected=BadCredentialsException.class)
public void emptyPasswordIsRejected() {
LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator());
ldapProvider.authenticate(new UsernamePasswordAuthenticationToken("jen", ""));
}
@Test(expected=BadCredentialsException.class)
public void usernameNotFoundExceptionIsHiddenByDefault() {
final LdapAuthenticator authenticator = jmock.mock(LdapAuthenticator.class);
