Ondrej Lukas updated ELY-850:
-----------------------------
Component/s: Realms
Elytron ldap-realm allows access with empty password
----------------------------------------------------
Key: ELY-850
URL: https://issues.jboss.org/browse/ELY-850
Project: WildFly Elytron
Issue Type: Bug
Components: Realms
Affects Versions: 1.1.0.Beta17
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Blocker
An empty password is treated as an anonymous login by some LDAP servers (e.g. by
Microsoft Active Directory). When Elytron ldap-realm is configured for that type
of LDAP server, access with an empty password to a secured web resource guarded by that
ldap-realm is always granted.
There should be some attribute for configuring whether an empty password should be accepted
by ldap-realm.
A similar issue occurs in previous versions of the application server, see:
* https://bugzilla.redhat.com/show_bug.cgi?id=901251
* https://bugzilla.redhat.com/show_bug.cgi?id=885569
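The failure mode in this report, modelled as an added example that is not Elytron code and not part of the issue: an LDAP simple bind that carries a name but an empty password is an "unauthenticated bind" (RFC 4513 section 5.1.2), which some servers accept and treat as anonymous. A realm that equates "bind did not fail" with "user authenticated" therefore admits anyone who knows a valid DN. The mock directory, the DN and password values, and the `allow_empty_password` switch (standing in for the configuration attribute the report asks for) are all constructed here; the hardened check goes slightly beyond the report by also rejecting whitespace-only passwords and by requiring that the bind authenticated as the named entry rather than as anonymous.

```python
"""
Models the ELY-850 problem: an LDAP simple bind with a non-empty name and an
empty password is an 'unauthenticated bind' (RFC 4513, 5.1.2). Servers such as
Active Directory may accept it as an anonymous session, so a realm that only
asks 'did the bind fail?' grants access to anyone with a known DN.

Everything below is constructed for illustration; it is not Elytron's code.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class BindResult(Enum):
    SUCCESS = "success"                          # bound as the named entry
    ANONYMOUS = "anonymous"                      # unauthenticated bind accepted
    INVALID_CREDENTIALS = "invalidCredentials"   # LDAP result code 49


@dataclass
class MockDirectory:
    """Toy LDAP server: a DN -> password map that, like an AD-style server,
    accepts unauthenticated (empty-password) simple binds as anonymous."""
    entries: Dict[str, str] = field(default_factory=dict)
    accept_unauthenticated_bind: bool = True

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if dn and password == "":
            # RFC 4513 5.1.2: name present + empty password = unauthenticated bind.
            if self.accept_unauthenticated_bind:
                return BindResult.ANONYMOUS
            return BindResult.INVALID_CREDENTIALS
        if self.entries.get(dn) == password:
            return BindResult.SUCCESS
        return BindResult.INVALID_CREDENTIALS


def naive_verify(directory: MockDirectory, dn: str, password: str) -> bool:
    """The flawed realm logic: any bind that is not invalidCredentials counts
    as a successful login. An anonymous bind slips through."""
    return directory.simple_bind(dn, password) != BindResult.INVALID_CREDENTIALS


def hardened_verify(directory: MockDirectory, dn: str,
                    password: Optional[str],
                    allow_empty_password: bool = False) -> bool:
    """Hardened realm logic (hypothetical, mirrors the attribute the report asks for):
    1. Unless allow_empty_password is set, refuse empty or whitespace-only
       passwords locally, before any bind request reaches the server.
    2. Accept only a bind that authenticated as the named entry; an anonymous
       result is a failed login even when the server reported no error.
    """
    if not password or not password.strip():
        if not allow_empty_password:
            return False
        password = password or ""
    return directory.simple_bind(dn, password) == BindResult.SUCCESS


if __name__ == "__main__":
    # Constructed sample data.
    ad_like = MockDirectory({"cn=alice,dc=example,dc=com": "s3cret"})
    alice = "cn=alice,dc=example,dc=com"
    print("naive, empty password   :", naive_verify(ad_like, alice, ""))        # True (bug)
    print("hardened, empty password:", hardened_verify(ad_like, alice, ""))     # False
    print("hardened, real password :", hardened_verify(ad_like, alice, "s3cret"))  # True
```

In a real deployment the equivalent of the `SUCCESS` versus `ANONYMOUS` distinction is checking the authorization identity the server actually granted (for example with the "Who am I?" extended operation of RFC 4532) rather than trusting the absence of a bind error; the local empty-password check is still worth keeping because it removes the dependence on server configuration entirely.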