Authentication is not requiring password

Sheriff
Posts: 17696
We're using form-based authentication (i.e., web.xml login-page configured as an html form that is posting to action 'j_security_check', etc.) in our app and it has worked pretty well. That is, until we found out that we could leave the password blank and still get to protected URLs with just a valid user name. If we enter an invalid username and/or password, access to protected URLs is denied and the user is redirected to the login-error page, as expected.
We suspect it's either an LDAP setting or a setting in the application server related to container-managed security.
Has anyone encountered this? How did you fix it?
We're running Oracle9iAS and authenticating against LDAP.
TIA
Greenhorn
Posts: 9
LDAP allows you to log in with just a username. You have to make sure in your client that you validate the input to the password field.
Depending on what LDAP you are using, you can also turn off the anonymous user login.
Hope that helps!
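The behaviour in the question is what RFC 4513 section 5.1.2 calls an "unauthenticated" simple bind: a non-empty name with an empty password. A server that has not been configured to refuse such binds answers success, so a login form that forwards the empty password straight into a bind appears to accept any valid username. The Python below is an added example, not code from any poster in this thread; it models those bind rules, a constructed stand-in for a permissive and a hardened directory server, and the application-side guard the reply above recommends. The DN layout and the fake user entry are constructed for the example.

```python
"""Model of LDAP simple-bind semantics (RFC 4513 s5.1) and the guard a
login handler needs so an empty password never reaches the directory."""
import hmac
from enum import Enum
from typing import Callable


class BindKind(Enum):
    ANONYMOUS = "anonymous"                # empty name and empty password
    UNAUTHENTICATED = "unauthenticated"    # name given, empty password (RFC 4513 s5.1.2)
    NAME_PASSWORD = "name/password"        # both given (RFC 4513 s5.1.3)


def classify_simple_bind(dn: str, password: bytes) -> BindKind:
    """Classify a simple bind request the way the RFC does."""
    if not dn and not password:
        return BindKind.ANONYMOUS
    if dn and not password:
        return BindKind.UNAUTHENTICATED
    return BindKind.NAME_PASSWORD


# Constructed stand-in for the directory's user entries (example data only).
FAKE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": b"correct horse battery staple",
}

BindFn = Callable[[str, bytes], bool]


def permissive_server_bind(dn: str, password: bytes) -> bool:
    """Models a server that still accepts anonymous and unauthenticated
    binds: this is the configuration that produces the symptom in the
    question, because a bind with an empty password returns success."""
    kind = classify_simple_bind(dn, password)
    if kind in (BindKind.ANONYMOUS, BindKind.UNAUTHENTICATED):
        return True  # success, but without any verified identity
    stored = FAKE_DIRECTORY.get(dn)
    return stored is not None and hmac.compare_digest(stored, password)


def strict_server_bind(dn: str, password: bytes) -> bool:
    """Models a server with anonymous and unauthenticated binds disabled
    (RFC 4513 s5.1.2 says servers SHOULD refuse the latter by default,
    answering unwillingToPerform). Only a real name/password bind can succeed."""
    if classify_simple_bind(dn, password) is not BindKind.NAME_PASSWORD:
        return False
    stored = FAKE_DIRECTORY.get(dn)
    return stored is not None and hmac.compare_digest(stored, password)


def login(username: str, password: str, bind: BindFn) -> bool:
    """Application-side guard: reject empty fields before any bind is
    attempted, so the server's policy on unauthenticated binds is never
    the only thing standing between a blank password and a session."""
    if not username.strip() or not password:
        return False
    # Hypothetical DN layout; real code would look the DN up, not build it.
    dn = f"uid={username},ou=people,dc=example,dc=com"
    return bind(dn, password.encode("utf-8"))


if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=com"
    print("permissive server, empty password ->", permissive_server_bind(dn, b""))
    print("strict server, empty password     ->", strict_server_bind(dn, b""))
    print("login() with empty password       ->", login("alice", "", permissive_server_bind))
```

The two fixes are independent and both belong in place: the `login` guard stops the application from issuing an unauthenticated bind regardless of how the directory is configured, and the server-side setting modelled by `strict_server_bind` stops every other client of the same directory from relying on the same accident.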
Author
Posts: 367
This is the big reason that I have never advocated BIND-style authentication to an LDAP server. The bind (login) doesn't necessarily work like an authenticate command. I used to work on an LDAP/X.500 gateway, and in X.500 if your credentials were not valid you might not know until you actually tried to issue a request where you didn't have access. I don't know what the current LDAP spec says (I've been out of the LDAP game for years) but you shouldn't count on your bind being an authenticator. The only time you should do a BIND using the credentials of the user is when you are using the LDAP server's access control to control access to data that the users are requesting.