posted 21 years ago
We're using form-based authentication (i.e., web.xml login-page configured as an html form that is posting to action 'j_security_check', etc.) in our app and it has worked pretty well. That is, until we found out that we could leave the password blank and still get to protected URLs with just a valid user name. If we enter an invalid username and/or password, access to protected URLs is denied and the user is redirected to the login-error page, as expected.
We suspect it's either an LDAP setting or a setting in the application server related to container-managed security.
Has anyone encountered this? How did you fix it?
We're running Oracle9iAS and authenticating against LDAP.
TIA
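An added example, not code from the original post or from Oracle9iAS, that models the classic cause of this symptom. In LDAP simple bind (RFC 4513 section 5.1.2) a non-empty name with an empty password is an "unauthenticated" bind: the server does not check any credential and, if it accepts the request at all, treats the session as anonymous. The RFC recommends servers reject that form by default precisely because older directories accepted it, and a realm that equates "bind did not fail" with "user authenticated" then admits anyone who knows a valid user name. The directory below is a constructed in-memory stand-in with that permissive behaviour (not python-ldap or JNDI); the hardened authenticator refuses empty credentials before any bind is attempted and additionally requires that the bind produced the user's own identity rather than an anonymous one. Disabling unauthenticated binds on the directory server itself is the complementary fix and is not something this snippet can show.

```python
"""Model of the blank-password login bypass and the pre-bind check that closes it.

MockDirectory is a constructed stand-in for an LDAP server that accepts
unauthenticated binds (non-empty DN, empty password) as anonymous. It is not a
real LDAP client; production code would call the directory instead.
"""
from dataclasses import dataclass, field


class BindError(Exception):
    """Raised when the directory rejects a simple bind (invalidCredentials)."""


@dataclass
class MockDirectory:
    # constructed sample accounts: uid -> password
    users: dict = field(default_factory=lambda: {"alice": "s3cret", "bob": "hunter2"})
    base_dn: str = "ou=people,dc=example,dc=com"

    def simple_bind(self, dn: str, password: str) -> str:
        """Return the authorization identity the bind results in, or raise BindError.

        Mirrors the three simple-bind forms of RFC 4513 on a permissive server:
          empty DN + empty password      -> anonymous
          non-empty DN + empty password  -> 'unauthenticated' bind, also anonymous
          non-empty DN + password        -> name/password authentication
        """
        if password == "":
            return "anonymous"  # both anonymous forms succeed without any check
        uid = self._uid_from_dn(dn)
        if uid in self.users and self.users[uid] == password:
            return dn
        raise BindError("invalid credentials")

    @staticmethod
    def _uid_from_dn(dn: str) -> str:
        prefix = "uid="
        if not dn.startswith(prefix) or "," not in dn:
            return ""
        return dn[len(prefix):dn.index(",")]


def user_dn(directory: MockDirectory, username: str) -> str:
    """Build the entry DN for a user name (assumed uid-based naming)."""
    return f"uid={username},{directory.base_dn}"


def naive_authenticate(directory: MockDirectory, username: str, password: str) -> bool:
    """Broken realm logic: 'bind did not raise' is taken to mean 'user authenticated'."""
    try:
        directory.simple_bind(user_dn(directory, username), password)
        return True
    except BindError:
        return False


def hardened_authenticate(directory: MockDirectory, username: str, password: str) -> bool:
    """Reject empty credentials before binding, then require that the bind
    established the user's own identity rather than an anonymous session."""
    if not username or not username.strip():
        return False
    if password is None or password == "":
        return False  # never let an empty password reach the directory
    dn = user_dn(directory, username)
    try:
        authz_id = directory.simple_bind(dn, password)
    except BindError:
        return False
    return authz_id == dn


if __name__ == "__main__":
    d = MockDirectory()
    print("naive, alice/blank   :", naive_authenticate(d, "alice", ""))
    print("hardened, alice/blank:", hardened_authenticate(d, "alice", ""))
    print("hardened, alice/ok   :", hardened_authenticate(d, "alice", "s3cret"))
```

The two checks in `hardened_authenticate` are independent: the empty-password guard is what stops the bypass, and the identity comparison catches any other bind form that leaves the session anonymous.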