
Active Directory succeeds even if the user name and password are not passed.


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.2.2
    • Fix Version/s: None
    • Labels:
      None
    • Environment:
      Windows XP 32-bit; jdk1.7.0_40; maven 3.0.4; glassfish application server 3.1.2.2

      Description

      Here is how my Active Directory setup looks in shiro.ini:

      ldapContextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
      ldapContextFactory.url = ldap://abc.internal:389/

      adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
      adRealm.ldapContextFactory = $ldapContextFactory
      adRealm.searchBase = "CN=Configuration,DC=abc,DC=internal"

      Servlet code:

      import org.apache.shiro.SecurityUtils;
      import org.apache.shiro.authc.AuthenticationException;
      import org.apache.shiro.authc.DisabledAccountException;
      import org.apache.shiro.authc.IncorrectCredentialsException;
      import org.apache.shiro.authc.UnknownAccountException;
      import org.apache.shiro.authc.UsernamePasswordToken;
      import org.apache.shiro.subject.Subject;

      Subject subject = SecurityUtils.getSubject();

      String username = request.getParameter("uid");
      String password = request.getParameter("pwd");
      String rememberMe = request.getParameter("rememberMe");
      boolean flag = false;

      if (rememberMe != null && rememberMe.equalsIgnoreCase("on")) {
          flag = true;
      }

      if (!subject.isAuthenticated()) {
          logger.info("Authenticating user: " + request.getParameter("uid"));
          UsernamePasswordToken token = new UsernamePasswordToken(username, password, flag);

          try {
              subject.login(token);
          } catch (UnknownAccountException e) {
              logger.info("Unknown user account...");
          } catch (IncorrectCredentialsException e) {
              logger.info("Incorrect credentials...");
          } catch (DisabledAccountException e) {
              logger.info("User account disabled...");
          } catch (AuthenticationException e) {
              logger.info("Authentication Exception...");
          }
      }

      Actions performed in login.jsp:
      1. With empty username and password field => authentication succeeds - This should not happen
      2. With empty username and some random password => authentication succeeds - This should not happen
      3. With non-existent username and some password => authentication fails - This is correct
      4. With existing username and invalid password => authentication fails - This is correct
      5. With correct username and password => authentication succeeds - This is correct.

      Please let me know if you were able to reproduce this issue in your environment and what other information you would need.

      FYI, the LDAP and JDBC realms are working fine; only the ActiveDirectory realm has this problem.

      Thank You
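Cases 1 and 2 above describe an LDAP bind with a blank password, which directories commonly treat as an anonymous or unauthenticated bind and accept. A realm that refuses to bind at all when either credential is blank closes that gap regardless of the server's policy. The class below is an added example, not code from Shiro or from the reporter; the class name, its package and its registration in shiro.ini (`adRealm = com.example.StrictActiveDirectoryRealm` in place of `ActiveDirectoryRealm`) are assumptions.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;

import javax.naming.NamingException;

/**
 * Hypothetical hardened realm (not part of Shiro). It rejects a blank user
 * name or password before any LDAP context is opened, so the directory is
 * never given the chance to accept the request as an anonymous or
 * unauthenticated bind. Register it in shiro.ini instead of the stock realm:
 *
 *   adRealm = com.example.StrictActiveDirectoryRealm
 *   adRealm.ldapContextFactory = $ldapContextFactory
 */
public class StrictActiveDirectoryRealm extends ActiveDirectoryRealm {

    @Override
    protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token,
                                                            LdapContextFactory ldapContextFactory)
            throws NamingException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;

        String username = upToken.getUsername();
        char[] password = upToken.getPassword();

        // Blank user name: the bind would carry no principal at all.
        if (username == null || username.trim().isEmpty()) {
            throw new AuthenticationException("Refusing LDAP bind with an empty user name");
        }
        // Blank password: the bind would be an unauthenticated bind, which the
        // directory may accept even though no credential was checked.
        if (password == null || password.length == 0) {
            throw new AuthenticationException("Refusing LDAP bind with an empty password");
        }

        // Both credentials are present; let the stock realm perform the user bind.
        return super.queryForAuthenticationInfo(token, ldapContextFactory);
    }
}
```

With this realm in place, cases 1 and 2 from the reporter's list fail with an AuthenticationException before any connection to the directory is made, while cases 3 to 5 behave exactly as before.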

            People

            • Assignee:
              Unassigned
            • Reporter:
              sriharshareddyk skis
