Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-460

Active Directory succeeds even if the user name and password is not passed.



    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.2.2
    • None
    • None
    • Windows XP 32-bit; jdk1.7.0_40; maven 3.0.4; glassfish application server


      Here below is how my active directory setup looks like in shiro.ini:

      ldapContextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
      ldapContextFactory.url = ldap://abc.internal:389/

      adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
      adRealm.ldapContextFactory = $ldapContextFactory
      adRealm.searchBase = "CN=Configuration,DC=abc,DC=internal"

      Servlet Code:

      Subject subject = SecurityUtils.getSubject();

      String username = request.getParameter("uid");
      String password = request.getParameter("pwd");
      String rememberMe = request.getParameter("rememberMe");
      Boolean flag = false;

      if (rememberMe != null && rememberMe.equalsIgnoreCase("on")) {
      flag = true;

      if (!subject.isAuthenticated()) {
      logger.info("Authenticating user: " + request.getParameter("uid"));
      UsernamePasswordToken token = new UsernamePasswordToken(username, password, flag);


      { subject.login(token); }

      catch (UnknownAccountException e)

      { logger.info("Unknown user account..."); }

      catch (IncorrectCredentialsException e)

      { logger.info("Incorrect credentials..."); }

      catch (DisabledAccountException e)

      { logger.info("User account disabled..."); }

      catch (AuthenticationException e)

      { logger.info("Authentication Exception..."); }

      Actions performed in login.jsp,
      1. With empty username and password field => authentication succeeds - This should not happen
      2. With empty username and some random password => authentication succeeds - This should not happen
      3. With non-existent username and some password => authentication fails - This is correct
      4. With existing username and invalid password => authentication fails - This is correct
      5. With correct username and password => authentication succeeds - This is correct.

      Please let me know if you were able to reproduce this issue in your environment and what other information would you need.

      FYI, The Ldap and Jdbc Realms are working fine except for the ActiveDirectory realm.

      Thank You




            Unassigned Unassigned
            sriharshareddyk skis
            1 Vote for this issue
            3 Start watching this issue