Posted to dev@shiro.apache.org by "Cservenak, Tamas (JIRA)" <ji...@apache.org> on 2014/02/21 16:21:21 UTC

[jira] [Commented] (SHIRO-460) Active Directory succeeds even if the user name and password is not passed.

    [ https://issues.apache.org/jira/browse/SHIRO-460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13908427#comment-13908427 ] 

Cservenak, Tamas commented on SHIRO-460:
----------------------------------------

Seems related
http://stackoverflow.com/questions/21391572/shiro-authenticates-non-existent-user-in-ldap

> Active Directory succeeds even if the user name and password is not passed.
> ----------------------------------------------------------------------------
>
>                 Key: SHIRO-460
>                 URL: https://issues.apache.org/jira/browse/SHIRO-460
>             Project: Shiro
>          Issue Type: Bug
>          Components: Authentication (log-in)
>    Affects Versions: 1.2.2
>         Environment: Windows XP 32-bit; jdk1.7.0_40; maven 3.0.4; glassfish application server 3.1.2.2
>            Reporter: skis
>
> Here below is how my active directory setup looks like in shiro.ini:
> ldapContextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
> ldapContextFactory.url = ldap://abc.internal:389/
> adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
> adRealm.ldapContextFactory = $ldapContextFactory
> adRealm.searchBase = "CN=Configuration,DC=abc,DC=internal"
> Servlet Code:
> Subject subject = SecurityUtils.getSubject();
> String username = request.getParameter("uid");
> String password = request.getParameter("pwd");
> String rememberMe = request.getParameter("rememberMe");
> Boolean flag = false;
> if (rememberMe != null && rememberMe.equalsIgnoreCase("on")) {
> 		flag = true;
> }
> if (!subject.isAuthenticated()) {
> 	logger.info("Authenticating user: " + request.getParameter("uid"));
> 	UsernamePasswordToken token = new UsernamePasswordToken(username, password, flag);
> 	try {
> 		subject.login(token);
> 	} catch (UnknownAccountException e) {
> 		logger.info("Unknown user account...");
> 	} catch (IncorrectCredentialsException e) {
> 		logger.info("Incorrect credentials...");
> 	} catch (DisabledAccountException e) {
> 		logger.info("User account disabled...");
> 	} catch (AuthenticationException e) {
> 		logger.info("Authentication Exception...");
> 	}
> }
> Actions performed in login.jsp,
> 1. With empty username and password field => authentication succeeds - This should not happen
> 2. With empty username and some random password => authentication succeeds - This should not happen
> 3. With non-existent username and some password => authentication fails - This is correct
> 4. With existing username and invalid password => authentication fails - This is correct
> 5. With correct username and password => authentication succeeds - This is correct.
> Please let me know if you were able to reproduce this issue in your environment and what other information you would need.
> FYI, The Ldap and Jdbc Realms are working fine except for the ActiveDirectory realm.
> Thank You
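The behaviour reported in cases 1 and 2 above matches what an LDAP server does with a simple bind that carries an empty password: it is treated as an unauthenticated (anonymous) bind and succeeds without proving anything about the user. The example below is an added illustration, not Shiro's own code or a fix from this issue: it wraps ActiveDirectoryRealm in a subclass that rejects blank principals or credentials before any bind is attempted, so the realm fails closed on exactly the inputs the reporter listed. The package name and class name are assumed.

```java
package com.example.shiro; // hypothetical package, assumed for this example

import org.apache.shiro.authc.AccountException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.CredentialsException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;

/**
 * ActiveDirectoryRealm that refuses to bind with a blank user name or a
 * blank password. An empty password in a simple bind is an unauthenticated
 * bind, which many directories accept, so the check must happen before
 * the realm ever contacts the server.
 */
public class StrictActiveDirectoryRealm extends ActiveDirectoryRealm {

    /** Returns true only when both the user name and the password are non-blank. */
    public static boolean hasUsableCredentials(String username, char[] password) {
        if (username == null || username.trim().isEmpty()) {
            return false;
        }
        return password != null && password.length != 0;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        if (!(token instanceof UsernamePasswordToken)) {
            throw new AuthenticationException("Unsupported token type: " + token.getClass());
        }
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();
        char[] password = upToken.getPassword();
        // Fail closed on the inputs from cases 1 and 2 of the report
        // (blank user name, with or without a password) and on a blank password.
        if (username == null || username.trim().isEmpty()) {
            throw new AccountException("Blank user name rejected before LDAP bind");
        }
        if (!hasUsableCredentials(username, password)) {
            throw new CredentialsException("Blank password rejected before LDAP bind");
        }
        // Only a non-blank user name and password reach the real AD bind.
        return super.doGetAuthenticationInfo(token);
    }
}
```

To use it, point the realm entry in shiro.ini at the subclass instead of ActiveDirectoryRealm (e.g. `adRealm = com.example.shiro.StrictActiveDirectoryRealm`, keeping the same `ldapContextFactory` and `searchBase` settings); the servlet code above then gets an `AuthenticationException` for blank input instead of a successful login.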



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)