You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/06/07 18:45:37 UTC

DO NOT REPLY [Bug 9700] New: - JNDIRealm authentication incorrectly succeeds with blank password

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9700>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9700

JNDIRealm authentication incorrectly succeeds with blank password

           Summary: JNDIRealm authentication incorrectly succeeds with blank
                    password
           Product: Tomcat 4
           Version: 4.1.3
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: jemiller@uchicago.edu


I found that if you configure Tomcat to use JNDIRealm in the configuration 
where it binds as the remote user to the LDAP server (i.e. if you leave the 
userPassword attribute blank as described under bullet point 4 in the 
JNDIRealm documentation in the Catalina documentation), that it allows users 
to authenticate successfully with a blank password.

I think this is because LDAP considers authentication with a valid DN and a 
blank password an anonymous authentication. i.e. authentication doesn't fail, 
it just logs you in anonymously instead.

So, I'm thinking that JNDIRealm should probably check to make sure that 
password isn't blank and if it is a blank password, it should fail.

I'm using the following configuration in my server.xml.

<Realm className="org.apache.catalina.realm.JNDIRealm"
	debug="99"
	connectionName="cn=Manager, dc=mydomain"
	connectionPassword="mypassword"
	connectionURL="ldap://myldapserver"
	roleBase="ou=roles, dc=mydomain"
	roleName="cn"
	roleSearch="(uniqueMember={0})"
	roleSubtree="false"
	userPattern="uid={0}, ou=People, dc=mydomain"/>

I've tested this with OpenLDAP and iPlanet Directory Server and the behavior 
is the same.

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>