Posted to dev@shiro.apache.org by "Matthaus Owens (JIRA)" <ji...@apache.org> on 2014/09/17 02:05:34 UTC

[jira] [Comment Edited] (SHIRO-460) Active Directory succeeds even if the user name and password is not passed.

    [ https://issues.apache.org/jira/browse/SHIRO-460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14136514#comment-14136514 ] 

Matthaus Owens edited comment on SHIRO-460 at 9/17/14 12:04 AM:
----------------------------------------------------------------

This was listed as fixed in the release announcement for 1.2.3. Is that accurate?


was (Author: matthaus):
This was listed as fixed in 1.2.3. Is that accurate?

> Active Directory succeeds even if the user name and password is not passed.
> ----------------------------------------------------------------------------
>
>                 Key: SHIRO-460
>                 URL: https://issues.apache.org/jira/browse/SHIRO-460
>             Project: Shiro
>          Issue Type: Bug
>          Components: Authentication (log-in)
>    Affects Versions: 1.2.2
>         Environment: Windows XP 32-bit; jdk1.7.0_40; maven 3.0.4; glassfish application server 3.1.2.2
>            Reporter: skis
>
> Here is how my Active Directory setup looks in shiro.ini:
> ldapContextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
> ldapContextFactory.url = ldap://abc.internal:389/
> adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
> adRealm.ldapContextFactory = $ldapContextFactory
> adRealm.searchBase = "CN=Configuration,DC=abc,DC=internal"
> Servlet Code:
> Subject subject = SecurityUtils.getSubject();
> String username = request.getParameter("uid");
> String password = request.getParameter("pwd");
> String rememberMe = request.getParameter("rememberMe");
> Boolean flag = false;
> if (rememberMe != null && rememberMe.equalsIgnoreCase("on")) {
> 		flag = true;
> }
> if (!subject.isAuthenticated()) {
>     logger.info("Authenticating user: " + request.getParameter("uid"));
>     UsernamePasswordToken token = new UsernamePasswordToken(username, password, flag);
>     try {
>         subject.login(token);
>     } catch (UnknownAccountException e) {
>         logger.info("Unknown user account...");
>     } catch (IncorrectCredentialsException e) {
>         logger.info("Incorrect credentials...");
>     } catch (DisabledAccountException e) {
>         logger.info("User account disabled...");
>     } catch (AuthenticationException e) {
>         logger.info("Authentication Exception...");
>     }
> }
> Actions performed in login.jsp,
> 1. With empty username and password field => authentication succeeds - This should not happen
> 2. With empty username and some random password => authentication succeeds - This should not happen
> 3. With non-existent username and some password => authentication fails - This is correct
> 4. With existing username and invalid password => authentication fails - This is correct
> 5. With correct username and password => authentication succeeds - This is correct.
> Please let me know if you were able to reproduce this issue in your environment and what other information you would need.
> FYI, The Ldap and Jdbc Realms are working fine except for the ActiveDirectory realm.
> Thank You
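One defensive measure against the behaviour reported above, added here as example code that is not Shiro's own: a decorator around the configured `LdapContextFactory` that refuses to bind when either the principal or the credentials are blank, so that cases 1 and 2 fail whether or not the directory accepts anonymous or unauthenticated binds. The class name `NonEmptyBindLdapContextFactory` is assumed; the three-method `LdapContextFactory` interface it implements is the one shipped in Shiro 1.2.x.

```java
import javax.naming.NamingException;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.realm.ldap.LdapContextFactory;

/**
 * Refuses an LDAP bind with a blank principal or blank credentials before it
 * reaches the directory. RFC 4513 treats an empty password as an
 * "unauthenticated" bind and an empty DN plus empty password as an "anonymous"
 * bind; a directory that allows either reports success, which is what the
 * report's cases 1 and 2 show. (Example code, not part of Shiro.)
 */
public class NonEmptyBindLdapContextFactory implements LdapContextFactory {

    private LdapContextFactory delegate; // the real factory, e.g. JndiLdapContextFactory

    // bean-style setter so shiro.ini can wire it: guarded.delegate = $ldapContextFactory
    public void setDelegate(LdapContextFactory delegate) {
        this.delegate = delegate;
    }

    /** True for null, an empty String or char[], or whitespace only. */
    static boolean isBlank(Object value) {
        if (value == null) return true;
        String s = value instanceof char[] ? new String((char[]) value) : value.toString();
        return s.trim().isEmpty();
    }

    @Override
    public LdapContext getLdapContext(Object principal, Object credentials) throws NamingException {
        if (isBlank(principal) || isBlank(credentials)) {
            // javax.naming.AuthenticationException is a NamingException; Shiro's
            // LDAP realms convert it into a Shiro AuthenticationException for the caller.
            throw new javax.naming.AuthenticationException(
                    "refusing LDAP bind with an empty principal or empty credentials");
        }
        return delegate.getLdapContext(principal, credentials);
    }

    @Override
    @SuppressWarnings("deprecation")
    public LdapContext getLdapContext(String username, String password) throws NamingException {
        return getLdapContext((Object) username, (Object) password);
    }

    @Override
    public LdapContext getSystemLdapContext() throws NamingException {
        return delegate.getSystemLdapContext(); // system bind uses configured, not user-supplied, values
    }
}
```

Wire it in shiro.ini after the existing `ldapContextFactory` line with `guarded = com.example.NonEmptyBindLdapContextFactory`, `guarded.delegate = $ldapContextFactory` and `adRealm.ldapContextFactory = $guarded` (the `com.example` package is assumed). The same `isBlank` test belongs in the servlet before the `UsernamePasswordToken` is built, so an empty form never reaches the realm at all.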



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)