
Authentication is not requiring password

 
Junilu Lacar
Bartender
We're using form-based authentication (i.e., web.xml login-page configured as an html form that is posting to action 'j_security_check', etc.) in our app and it has worked pretty well. That is, until we found out that we could leave the password blank and still get to protected URLs with just a valid user name. If we enter an invalid username and/or password, access to protected URLs is denied and the user is redirected to the login-error page, as expected.
We suspect it's either an LDAP setting or a setting in the application server related to container-managed security.
Has anyone encountered this? How did you fix it?
We're running Oracle9iAS and authenticating against LDAP.
TIA
 
MK Shikarpuri
Greenhorn
LDAP allows you to log in with just a username. You have to make sure in your client that you validate the input to the password field.
Depending on what LDAP you are using, you can also turn off the anonymous user login.
Hope that helps!
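The check MK describes, written as a servlet filter in front of `j_security_check` so that a form post with a valid username and a blank password never reaches the container's LDAP bind. This is an added example, not code from the thread or from Oracle9iAS; the filter name, the `errorPage` init-param and the `/login-error.html` default are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects login form posts whose password field is blank before they reach
 * j_security_check. An LDAP simple bind with a non-empty name and an empty
 * password is treated by the server as an unauthenticated (anonymous) bind,
 * which succeeds, so the container would otherwise accept the user.
 */
public class BlankPasswordFilter implements Filter {

    // Assumed default; override with the "errorPage" init-param in web.xml.
    private String errorPage = "/login-error.html";

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("errorPage");
        if (p != null) {
            errorPage = p;
        }
    }

    /** True when a username was supplied but the password is missing or empty. */
    public static boolean isBlankPasswordLogin(String username, String password) {
        return username != null && !username.trim().isEmpty()
            && (password == null || password.isEmpty());
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        // j_username / j_password are the field names mandated for form-based auth.
        if (r.getRequestURI().endsWith("/j_security_check")
                && isBlankPasswordLogin(r.getParameter("j_username"),
                                        r.getParameter("j_password"))) {
            // Treat it exactly like a failed login: send the user to the error page.
            ((HttpServletResponse) res).sendRedirect(r.getContextPath() + errorPage);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

Map the filter to the URL pattern `/j_security_check` in web.xml. Two caveats: some servlet containers handle `j_security_check` before the filter chain runs, so confirm with a blank-password post that the filter actually fires on your server; and the client-side check is a backstop, not the fix. The authoritative fix is to have the LDAP server (or the application server's LDAP realm) reject unauthenticated binds, so that an empty password fails the bind regardless of which client sends it.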
 
norman richards
Author
Ranch Hand
This is the big reason that I have never advocated BIND-style authentication to an LDAP server. The bind (login) doesn't necessarily work like an authenticate command. I used to work on an LDAP/X.500 gateway, and in X.500, if your credentials were not valid, you might not know until you actually tried to issue a request where you didn't have access. I don't know what the current LDAP spec says (I've been out of the LDAP game for years), but you shouldn't count on your bind being an authenticator. The only time you should do a BIND using the credentials of the user is when you are using the LDAP server's access control to control access to data that the users are requesting.
 