Posted to commits@karaf.apache.org by gn...@apache.org on 2014/07/16 14:30:21 UTC
git commit: [KARAF-3119] Do not allow empty passwords by default for
ldap
Repository: karaf
Updated Branches:
refs/heads/master 3dd78cf23 -> 2cb768244
[KARAF-3119] Do not allow empty passwords by default for ldap
Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/2cb76824
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/2cb76824
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/2cb76824
Branch: refs/heads/master
Commit: 2cb768244bd396c35367d93c1deaf409e1f5c279
Parents: 3dd78cf
Author: Guillaume Nodet <gn...@gmail.com>
Authored: Wed Jul 16 14:30:11 2014 +0200
Committer: Guillaume Nodet <gn...@gmail.com>
Committed: Wed Jul 16 14:30:11 2014 +0200
----------------------------------------------------------------------
.../jaas/modules/ldap/LDAPLoginModule.java | 9 +++++-
.../jaas/modules/ldap/LdapLoginModuleTest.java | 29 ++++++++++++++++++++
2 files changed, 37 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/karaf/blob/2cb76824/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
----------------------------------------------------------------------
diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
index 2c587a8..a5ae1ea 100644
--- a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
+++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
@@ -58,6 +58,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
public final static String ROLE_NAME_ATTRIBUTE = "role.name.attribute";
public final static String ROLE_SEARCH_SUBTREE = "role.search.subtree";
public final static String AUTHENTICATION = "authentication";
+ public final static String ALLOW_EMPTY_PASSWORDS = "allowEmptyPasswords";
public final static String INITIAL_CONTEXT_FACTORY = "initial.context.factory";
public final static String SSL = "ssl";
public final static String SSL_PROVIDER = "ssl.provider";
@@ -81,6 +82,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
private String roleNameAttribute;
private boolean roleSearchSubtree = true;
private String authentication = DEFAULT_AUTHENTICATION;
+ private boolean allowEmptyPasswords = false;
private String initialContextFactory = null;
private boolean ssl;
private String sslProvider;
@@ -111,6 +113,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
if (authentication == null) {
authentication = DEFAULT_AUTHENTICATION;
}
+ allowEmptyPasswords = Boolean.parseBoolean((String) options.get(ALLOW_EMPTY_PASSWORDS));
if (connectionURL == null || connectionURL.trim().length() == 0) {
logger.error("No LDAP URL specified.");
} else if (!connectionURL.startsWith("ldap:") && !connectionURL.startsWith("ldaps:")) {
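Review bot: The new option read on the added line casts the map value straight to `String`, so a caller that stores a `Boolean` in the options map gets a `ClassCastException` from `initialize()` instead of a clean default; the surrounding lines appear to read other options the same way, so this may be the file's existing convention, but a null-safe, type-tolerant form such as `allowEmptyPasswords = Boolean.parseBoolean(String.valueOf(options.get(ALLOW_EMPTY_PASSWORDS)));` would keep the fail-closed default (`false`) for both a missing key and a non-string value. The enclosing `initialize()` method starts and ends outside this hunk.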
@@ -168,7 +171,11 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
// default to simple so that the provided user/password will get checked
authentication = "simple";
}
-
+ if (!"none".equals(authentication) && !allowEmptyPasswords
+ && (tmpPassword == null || tmpPassword.length ==0)) {
+ throw new LoginException("Empty passwords not allowed");
+ }
+
if (tmpPassword == null) {
tmpPassword = new char[0];
}
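Review bot: The new guard carries no comment explaining why an empty password must be rejected, and this is the security-critical line of the commit: a simple bind with a DN and an empty password is the LDAP "unauthenticated" mechanism (RFC 4513 §5.1.2), which many directories treat as an anonymous bind that succeeds, so without this check any known username would log in. I would add above the `if`: `// An empty password would be sent as an LDAP unauthenticated bind (RFC 4513 5.1.2), which many servers accept as anonymous; fail closed unless allowEmptyPasswords is set.` Minor style: `tmpPassword.length ==0` should read `tmpPassword.length == 0`, and the check is correctly placed before the `null`-to-`new char[0]` normalisation that follows it, so the null case cannot slip through as an empty array. The enclosing `login()` method starts and ends outside this hunk, so I cannot see whether the guard runs before any directory connection is opened; if not, moving it earlier would avoid a needless network round-trip on every rejected attempt.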
http://git-wip-us.apache.org/repos/asf/karaf/blob/2cb76824/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java
----------------------------------------------------------------------
diff --git a/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java b/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java
index 01135b0..faf0340 100644
--- a/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java
+++ b/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java
@@ -31,6 +31,7 @@ import org.junit.runner.RunWith;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
+import javax.security.auth.login.LoginException;
import java.io.File;
import java.io.IOException;
@@ -38,6 +39,7 @@ import java.security.Principal;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
@RunWith ( FrameworkRunner.class )
@@ -181,5 +183,32 @@ public class LdapLoginModuleTest extends AbstractLdapTestUnit {
assertEquals("Precondition", 0, subject.getPrincipals().size());
assertFalse(module.login());
}
+
+ @Test
+ public void testEmptyPassword() throws Exception {
+ Properties options = ldapLoginModuleOptions();
+ LDAPLoginModule module = new LDAPLoginModule();
+ CallbackHandler cb = new CallbackHandler() {
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ for (Callback cb : callbacks) {
+ if (cb instanceof NameCallback) {
+ ((NameCallback) cb).setName("imnothere");
+ } else if (cb instanceof PasswordCallback) {
+ ((PasswordCallback) cb).setPassword("".toCharArray());
+ }
+ }
+ }
+ };
+ Subject subject = new Subject();
+ module.initialize(subject, cb, null, options);
+
+ assertEquals("Precondition", 0, subject.getPrincipals().size());
+ try {
+ module.login();
+ fail("Should have failed");
+ } catch (LoginException e) {
+ assertTrue(e.getMessage().equals("Empty passwords not allowed"));
+ }
+ }
}
\ No newline at end of file
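Review bot: The message assertion in the new `testEmptyPassword` uses `assertTrue(e.getMessage().equals(...))`, which on failure reports only "expected true" and throws an NPE if the exception has no message; `assertEquals("Empty passwords not allowed", e.getMessage());` gives the actual value in the failure output. The test only covers the fail-closed default; a companion case that sets `options.put(LDAPLoginModule.ALLOW_EMPTY_PASSWORDS, "true")` and asserts that `login()` no longer throws this particular `LoginException` would pin the opt-in path the commit also introduces. As a point of style, the loop variable `cb` inside the anonymous `CallbackHandler` shadows the outer `CallbackHandler cb`, which compiles but is easy to misread; naming the loop variable `callback` (as in `for (Callback callback : callbacks)`) avoids that. The enclosing test class starts before this hunk.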