karaf-commits mailing list archives

From gno...@apache.org
Subject git commit: [KARAF-3119] Do not allow empty passwords by default for ldap
Date Wed, 16 Jul 2014 12:31:10 GMT
Repository: karaf
Updated Branches:
  refs/heads/karaf-2.x c584e5100 -> 2ac1d5a1d


[KARAF-3119] Do not allow empty passwords by default for ldap


Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/2ac1d5a1
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/2ac1d5a1
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/2ac1d5a1

Branch: refs/heads/karaf-2.x
Commit: 2ac1d5a1d193b5ec807c8c1755602f7fb0e6c5e1
Parents: c584e51
Author: Guillaume Nodet <gnodet@gmail.com>
Authored: Wed Jul 16 14:30:11 2014 +0200
Committer: Guillaume Nodet <gnodet@gmail.com>
Committed: Wed Jul 16 14:30:49 2014 +0200

----------------------------------------------------------------------
 .../jaas/modules/ldap/LDAPLoginModule.java      |  9 +++++-
 .../jaas/modules/ldap/LdapLoginModuleTest.java  | 29 ++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/karaf/blob/2ac1d5a1/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
----------------------------------------------------------------------
diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
index 2c587a8..a5ae1ea 100644
--- a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
+++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
@@ -58,6 +58,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
     public final static String ROLE_NAME_ATTRIBUTE = "role.name.attribute";
     public final static String ROLE_SEARCH_SUBTREE = "role.search.subtree";
     public final static String AUTHENTICATION = "authentication";
+    public final static String ALLOW_EMPTY_PASSWORDS = "allowEmptyPasswords";
     public final static String INITIAL_CONTEXT_FACTORY = "initial.context.factory";
     public final static String SSL = "ssl";
     public final static String SSL_PROVIDER = "ssl.provider";
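Review bot: The new option key `"allowEmptyPasswords"` is camelCase, while the neighbouring keys in this hunk are dotted lower-case (`"role.name.attribute"`, `"initial.context.factory"`); `"allow.empty.passwords"` would match them, and it is cheaper to settle this before the key ships in a release. The constant also deserves a short Javadoc saying that the default is `false` and that setting it to `true` lets a login with an empty password proceed to the LDAP bind, which some directory servers accept as an unauthenticated bind. The class body continues outside the hunk.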
@@ -81,6 +82,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
     private String roleNameAttribute;
     private boolean roleSearchSubtree = true;
     private String authentication = DEFAULT_AUTHENTICATION;
+    private boolean allowEmptyPasswords = false;
     private String initialContextFactory = null;
     private boolean ssl;
     private String sslProvider;
@@ -111,6 +113,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
         if (authentication == null) {
             authentication = DEFAULT_AUTHENTICATION;
         }
+        allowEmptyPasswords = Boolean.parseBoolean((String) options.get(ALLOW_EMPTY_PASSWORDS));
         if (connectionURL == null || connectionURL.trim().length() == 0) {
             logger.error("No LDAP URL specified.");
         } else if (!connectionURL.startsWith("ldap:") && !connectionURL.startsWith("ldaps:"))
{
@@ -168,7 +171,11 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
             // default to simple so that the provided user/password will get checked
             authentication = "simple";
         }
-        
+        if (!"none".equals(authentication) && !allowEmptyPasswords
+                && (tmpPassword == null || tmpPassword.length ==0)) {
+            throw new LoginException("Empty passwords not allowed");
+        }
+
         if (tmpPassword == null) {
             tmpPassword = new char[0];
         }
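Review bot: The guard added before `if (tmpPassword == null)` carries no comment explaining why an empty password is rejected, and nothing is logged when it fires. A simple bind with a zero-length password is an unauthenticated bind (RFC 4513 §5.1.2) that a server may accept without verifying the user, so I would put `// A simple bind with an empty password is an unauthenticated bind that many servers accept; reject it before contacting the directory.` above the `if`. A `logger.debug("Rejecting login attempt with empty password");` before the `throw` would leave a trace for anyone investigating failed logins; the class already uses `logger` in the earlier hunk. Minor style point: `tmpPassword.length ==0` is missing a space before `0`. The enclosing method starts and ends outside the hunk.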

http://git-wip-us.apache.org/repos/asf/karaf/blob/2ac1d5a1/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java
----------------------------------------------------------------------
diff --git a/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java
b/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java
index 01135b0..faf0340 100644
--- a/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java
+++ b/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java
@@ -31,6 +31,7 @@ import org.junit.runner.RunWith;
 
 import javax.security.auth.Subject;
 import javax.security.auth.callback.*;
+import javax.security.auth.login.LoginException;
 
 import java.io.File;
 import java.io.IOException;
@@ -38,6 +39,7 @@ import java.security.Principal;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
 
 
 @RunWith ( FrameworkRunner.class )
@@ -181,5 +183,32 @@ public class LdapLoginModuleTest extends AbstractLdapTestUnit {
         assertEquals("Precondition", 0, subject.getPrincipals().size());
         assertFalse(module.login());
     }
+
+    @Test
+    public void testEmptyPassword() throws Exception {
+        Properties options = ldapLoginModuleOptions();
+        LDAPLoginModule module = new LDAPLoginModule();
+        CallbackHandler cb = new CallbackHandler() {
+            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
+                for (Callback cb : callbacks) {
+                    if (cb instanceof NameCallback) {
+                        ((NameCallback) cb).setName("imnothere");
+                    } else if (cb instanceof PasswordCallback) {
+                        ((PasswordCallback) cb).setPassword("".toCharArray());
+                    }
+                }
+            }
+        };
+        Subject subject = new Subject();
+        module.initialize(subject, cb, null, options);
+
+        assertEquals("Precondition", 0, subject.getPrincipals().size());
+        try {
+            module.login();
+            fail("Should have failed");
+        } catch (LoginException e) {
+            assertTrue(e.getMessage().equals("Empty passwords not allowed"));
+        }
+    }
 }
             
\ No newline at end of file
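Review bot: `testEmptyPassword` exercises only the default setting with a user name that does not exist (`imnothere`), so it would still pass if the guard applied only to unknown users. The case the fix is about is an existing directory entry presented with an empty password. I would add that case, a case where the `PasswordCallback` is left unset (null password), and one that puts `allowEmptyPasswords` = `"true"` into `options` to pin the opt-in path. `assertTrue(e.getMessage().equals("Empty passwords not allowed"))` reads better as `assertEquals("Empty passwords not allowed", e.getMessage());`, which prints the actual message when it fails.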

