[jboss-jira] [JBoss JIRA] (WFLY-7866) Elytron ldap-realm allows access with empty password

Darran Lofthouse (JIRA) issues at jboss.org
Thu Jan 12 14:03:01 EST 2017


     [ https://issues.jboss.org/browse/WFLY-7866?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated WFLY-7866:
-----------------------------------
    Fix Version/s: 11.0.0.Alpha1


> Elytron ldap-realm allows access with empty password
> ----------------------------------------------------
>
>                 Key: WFLY-7866
>                 URL: https://issues.jboss.org/browse/WFLY-7866
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>            Reporter: Jan Kalina
>            Assignee: Jan Kalina
>            Priority: Blocker
>             Fix For: 11.0.0.Alpha1
>
>
> An empty password is treated as an anonymous login by some LDAP servers (e.g. by Microsoft Active Directory). When Elytron ldap-realm is configured for that type of LDAP server, access with an empty password to a secured web resource guarded by that ldap-realm is always granted.
> There should be some attribute for configuring whether an empty password should be accepted by ldap-realm.
> A similar issue occurs in previous versions of the application server, see:
> * https://bugzilla.redhat.com/show_bug.cgi?id=901251
> * https://bugzilla.redhat.com/show_bug.cgi?id=885569



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
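The failure mode the issue describes, modelled as an added example that is not part of WildFly, Elytron or this ticket (Python rather than the project's Java, so it runs stand-alone). RFC 4513 section 5.1.2 calls a simple bind with a non-empty name and an empty password an "unauthenticated" bind; servers that answer it with success make a realm that trusts the bind result alone accept any username. The `FakeLdapServer`, `vulnerable_verify`, `hardened_verify` and `allow_empty_password` names, and the directory contents, are all constructed for this example; `allow_empty_password` stands in for the configuration attribute the reporter asks for.

```python
"""Why an LDAP realm must reject empty passwords before it binds.

Everything here is constructed for the example: a minimal in-memory model
of LDAP simple bind (RFC 4513 section 5.1) and two realm verifiers, one
that only asks "did the bind succeed?" and one that refuses an empty
password up front unless explicitly configured to accept it.
"""
from dataclasses import dataclass


class EmptyPasswordRejected(Exception):
    """Raised by the hardened realm when the supplied password is empty."""


@dataclass
class FakeLdapServer:
    """In-memory stand-in for an LDAP server's simple-bind handling.

    treats_unauthenticated_bind_as_anonymous=True mirrors the behaviour the
    issue attributes to Active Directory: name present, password empty,
    bind reported as successful.
    """
    passwords: dict                                  # DN -> password (constructed)
    treats_unauthenticated_bind_as_anonymous: bool = True

    def simple_bind(self, dn: str, password: str) -> bool:
        # RFC 4513 5.1.1: empty name and empty password -> anonymous bind.
        if dn == "" and password == "":
            return True
        # RFC 4513 5.1.2: non-empty name, empty password -> "unauthenticated"
        # bind; a permissive server still answers success.
        if dn != "" and password == "":
            return self.treats_unauthenticated_bind_as_anonymous
        # RFC 4513 5.1.3: ordinary name/password authentication.
        return self.passwords.get(dn) == password


def vulnerable_verify(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Realm logic as described in the issue: the bind result is the decision.

    Against a permissive server this returns True for any known or unknown
    DN as soon as the password is empty.
    """
    return server.simple_bind(dn, password)


def hardened_verify(server: FakeLdapServer, dn: str, password: str,
                    allow_empty_password: bool = False) -> bool:
    """Reject an empty password before any bind is attempted.

    allow_empty_password is the opt-in the reporter asks for; it defaults to
    the safe setting so the realm never relies on the server's policy.
    """
    if password == "" and not allow_empty_password:
        raise EmptyPasswordRejected(f"empty password refused for {dn!r}")
    return server.simple_bind(dn, password)


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"       # constructed DN
    ad_like = FakeLdapServer(passwords={alice: "s3cret"})
    print("vulnerable, empty password:", vulnerable_verify(ad_like, alice, ""))
    try:
        hardened_verify(ad_like, alice, "")
    except EmptyPasswordRejected as exc:
        print("hardened, empty password:", exc)
```

The point of the second verifier is that the decision no longer depends on which server is behind the realm: a server that rejects unauthenticated binds and one that accepts them produce the same outcome, because the empty password never reaches the wire.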