Ondrej Lukas created ELY-850:
--------------------------------
Summary: Elytron ldap-realm allows access with empty password
Key: ELY-850
URL:
https://issues.jboss.org/browse/ELY-850
Project: WildFly Elytron
Issue Type: Bug
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Blocker
An empty password is treated as an anonymous login by some LDAP servers (e.g. by Microsoft
Active Directory). In case when Elytron ldap-realm is configured for that type of LDAP
server then access with empty password to secured web resource guarded by that ldap-realm
is always granted.
There should be some attribute for configuring whether empty password should be accepted
by ldap-realm.
Similar issue occurs in previous versions of application server, see:
*
https://bugzilla.redhat.com/show_bug.cgi?id=901251
*
https://bugzilla.redhat.com/show_bug.cgi?id=885569
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)