JavaRanch » Java Forums » Engineering » Security

Authentication is not requiring password

Junilu Lacar

Joined: Feb 26, 2001
Posts: 6529

We're using form-based authentication (i.e., web.xml login-page configured as an html form that is posting to action 'j_security_check', etc.) in our app and it has worked pretty well. That is, until we found out that we could leave the password blank and still get to protected URLs with just a valid user name. If we enter an invalid username and/or password, access to protected URLs is denied and the user is redirected to the login-error page, as expected.
We suspect it's either an LDAP setting or a setting in the application server related to container-managed security.
Has anyone encountered this? How did you fix it?
We're running Oracle9iAS and authenticating against LDAP.

Junilu - [How to Ask Questions] [How to Answer Questions]
MK Shikarpuri

Joined: Jan 21, 2004
Posts: 9
LDAP allows you to login with just a username. You have to make sure in your client that you validate the input to the password field.
Depending on what LDAP you are using, you can also turn off the anonymous user login.
Hope that helps!
norman richards
Ranch Hand

Joined: Jul 21, 2003
Posts: 367
This is the big reason that I have never advocated BIND style authentication to an LDAP server. The bind (login) doesn't necessarily work like an authenticate command. I used to work on an LDAP/X.500 gateway, and in X.500 if your credentials were not valid you might not know until you actually tried to issue a request where you didn't have access. I don't know what the current LDAP spec says (I've been out of the LDAP game for years) but you shouldn't count on your bind being an authenticator. The only time you should do a BIND using the credentials of the user is when you are using the LDAP server's access control to control access to data that the users are requesting.
I agree. Here's the link:
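The client-side check MK Shikarpuri recommends, as an added Java example that is not code from this thread or from Oracle9iAS: it refuses an empty password before any JNDI simple bind is attempted, because a simple bind that carries a DN but no password is an "unauthenticated" bind that a directory server may accept instead of reporting a failed login. The provider URL, the user DN pattern and the username character allowlist are assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Simple-bind authenticator that never sends an empty password to the directory. */
public final class LdapAuthenticator {
    // Assumed deployment values: replace with the real server and DN layout.
    private static final String PROVIDER_URL = "ldap://ldap.example.invalid:389";
    private static final String USER_DN_PATTERN = "uid=%s,ou=people,dc=example,dc=invalid";

    public static boolean authenticate(String username, char[] password) {
        // Empty credentials: a simple bind with a DN and no password is an
        // "unauthenticated" bind, which the server may accept without checking
        // anything. Treat it as a failed login before a bind is even attempted.
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            return false;
        }
        // Only accept usernames that cannot alter the DN we build (assumed allowlist).
        if (!username.matches("[A-Za-z0-9._-]{1,64}")) {
            return false;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, String.format(USER_DN_PATTERN, username));
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind happens here
            return true;
        } catch (AuthenticationException e) {
            return false;                      // server rejected the DN/password pair
        } catch (NamingException e) {
            return false;                      // server unreachable etc.: fail closed
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed calls: both are rejected locally without contacting the directory.
        System.out.println(authenticate("alice", new char[0]));
        System.out.println(authenticate("", "x".toCharArray()));
    }
}
```

The same empty-password rejection belongs in the login form handler as well, since the container's j_security_check path forwards whatever the form posts.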