[JBoss JIRA] (WFLY-7866) Elytron ldap-realm allows access with empty password

Tuesday, 10 January 2017

     [
https://issues.jboss.org/browse/WFLY-7866?page=com.atlassian.jira.plugin....
]

Jan Kalina updated WFLY-7866:
-----------------------------
    Git Pull Request: https://github.com/wildfly-security/elytron-subsystem/pull/357 
(was: https://issues.jboss.org/browse/WFLY-7866)

...
 Elytron ldap-realm allows access with empty password
 ----------------------------------------------------

                 Key: WFLY-7866
                 URL: https://issues.jboss.org/browse/WFLY-7866
             Project: WildFly
          Issue Type: Bug
          Components: Security
            Reporter: Jan Kalina
            Assignee: Jan Kalina
            Priority: Blocker

 An empty password is treated as an anonymous login by some LDAP servers (e.g. by
Microsoft Active Directory). In case when Elytron ldap-realm is configured for that type
of LDAP server then access with empty password to secured web resource guarded by that
ldap-realm is always granted.
 There should be some attribute for configuring whether empty password should be accepted
by ldap-realm.
 Similar issue occurs in previous versions of application server, see:
 * https://bugzilla.redhat.com/show_bug.cgi?id=901251
 * https://bugzilla.redhat.com/show_bug.cgi?id=885569 

--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006