[jboss-jira] [JBoss JIRA] Closed: (JBAS-3783) LdapLoginModule allows access when JUST the username is entered (NO Password entered).

Scott M Stark (JIRA) jira-events at jboss.com
Sun Oct 29 08:40:41 EST 2006 

     [ http://jira.jboss.com/jira/browse/JBAS-3783?page=all ]

Scott M Stark closed JBAS-3783.
-------------------------------

    Resolution: Rejected

If your ldap server allows this and you want it disabled using the allowEmptyPasswords login module option:

allowEmptyPasswords : A flag indicating if empty(length==0) passwords should be passed to the ldap server. An empty password is treated as an anonymous login by some ldap servers and this may not be a desirable feature. Set this to false to reject empty passwords, true to have the ldap server validate the empty password. The default is true.

http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule
http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapLoginModule

> LdapLoginModule allows access when JUST the username is entered (NO Password entered).
> --------------------------------------------------------------------------------------
>
>                 Key: JBAS-3783
>                 URL: http://jira.jboss.com/jira/browse/JBAS-3783
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: JBossAS-4.0.3 Final, JBossAS-4.0.4.GA
>         Environment: This issue is was tested and is known to be present in Linux and SUN platforms.  
>            Reporter: Mark Burgeson
>         Assigned To: Scott M Stark
>
> LdapLoginModule is enabled for LDAP Group authentication.   
> As expected, access is allowed when a valid username/password is supplied and the user belongs to the LDAP group. 
> In addition, access is allowed when JUST the username is entered, without the password, and the user belongs to the LDAP group.    This appears to be a bug.  

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list