We're using form-based authentication (i.e., web.xml login-page configured as an HTML form that is posting to action 'j_security_check', etc.) in our app and it has worked pretty well. That is, until we found out that we could leave the password blank and still get to protected URLs with just a valid user name. If we enter an invalid username and/or password, access to protected URLs is denied and the user is redirected to the login-error page, as expected. We suspect it's either an LDAP setting or a setting in the application server related to container-managed security. Has anyone encountered this? How did you fix it? We're running Oracle9iAS and authenticating against LDAP. TIA
LDAP allows you to log in with just a username. You have to make sure in your client that you validate the input to the password field. Depending on what LDAP you are using, you can also turn off the anonymous user login. Hope that helps!
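The behaviour the answer above describes is the "unauthenticated" simple bind of RFC 4513 section 5.1.2: a Bind request carrying a DN and a zero-length password. A server that accepts it returns resultCode 0 (success) but grants an anonymous session, so a login module that equates "bind succeeded" with "user authenticated" lets anyone in who knows a valid DN. The following is an added example, not code from the original thread or from Oracle9iAS: a toy in-memory model of that server behaviour (the directory entries, class and function names are all constructed for illustration) next to the naive client check and a hardened one that rejects empty passwords before binding and then insists the bind actually produced an authenticated identity.

```python
"""Added example: why an LDAP simple bind with an empty password "succeeds".

ToyLdapServer is a constructed stand-in for a real directory, modelling the
three simple-bind cases of RFC 4513 section 5.1: anonymous (no DN, no
password), unauthenticated (DN, empty password) and name/password.
"""
from dataclasses import dataclass

# LDAP result codes (RFC 4511 Appendix A).
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53

# Constructed directory for this example: DN -> password.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse",
    "uid=bob,ou=people,dc=example,dc=com": "battery staple",
}


@dataclass
class BindResult:
    result_code: int
    authz_id: str  # identity the session was actually given; "" means anonymous


class ToyLdapServer:
    """Minimal model of a server's simple-bind handling (not a real LDAP server)."""

    def __init__(self, allow_unauthenticated_bind: bool = True):
        # Many servers accept DN + empty password by default and treat it as
        # anonymous; RFC 4513 says they SHOULD refuse it unless configured otherwise.
        self.allow_unauthenticated_bind = allow_unauthenticated_bind

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if dn == "" and password == "":
            # Anonymous bind (RFC 4513 5.1.1): always succeeds, no identity.
            return BindResult(SUCCESS, "")
        if password == "":
            # Unauthenticated bind (RFC 4513 5.1.2): the DN is not verified at
            # all; the server either grants an anonymous session with
            # resultCode success, or refuses with unwillingToPerform.
            if self.allow_unauthenticated_bind:
                return BindResult(SUCCESS, "")
            return BindResult(UNWILLING_TO_PERFORM, "")
        if DIRECTORY.get(dn) == password:
            return BindResult(SUCCESS, dn)
        return BindResult(INVALID_CREDENTIALS, "")


def naive_authenticate(server: ToyLdapServer, dn: str, password: str) -> bool:
    """What the vulnerable login flow effectively does: success code == logged in."""
    return server.simple_bind(dn, password).result_code == SUCCESS


def hardened_authenticate(server: ToyLdapServer, dn: str, password: str) -> bool:
    """Validate the password field before binding, then check the bound identity.

    An empty (or whitespace-only, defensively) password is rejected client-side
    so the request can never turn into an unauthenticated bind. After a
    successful bind, require that the session identity is the requested DN;
    against a real server the "Who am I?" extended operation (RFC 4532) is the
    way to see whether the connection ended up anonymous.
    """
    if not dn or not password or not password.strip():
        return False
    result = server.simple_bind(dn, password)
    return result.result_code == SUCCESS and result.authz_id == dn


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    permissive = ToyLdapServer()
    print("naive, empty password:   ", naive_authenticate(permissive, alice, ""))
    print("hardened, empty password:", hardened_authenticate(permissive, alice, ""))
    print("hardened, right password:", hardened_authenticate(permissive, alice, "correct horse"))
    strict = ToyLdapServer(allow_unauthenticated_bind=False)
    print("naive vs strict server:  ", naive_authenticate(strict, alice, ""))
```

Both fixes from the answer appear here: the client-side check is the guard at the top of hardened_authenticate, and the server-side "turn off anonymous login" corresponds to the allow_unauthenticated_bind=False configuration, which makes even the naive client fail closed. Applying both is the safer choice, since the client check protects against a server you do not control and the server setting protects against other clients you do not control.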
This is the big reason that I have never advocated BIND-style authentication to an LDAP server. The bind (login) doesn't necessarily work like an authenticate command. I used to work on an LDAP/X.500 gateway, and in X.500, if your credentials were not valid, you might not know until you actually tried to issue a request where you didn't have access. I don't know what the current LDAP spec says (I've been out of the LDAP game for years), but you shouldn't count on your bind being an authenticator. The only time you should do a BIND using the credentials of the user is when you are using the LDAP server's access control to control access to data that the users are requesting.