
SEC-2500: Prevent anonymous bind for ActiveDirectoryLdapAuthenticator

Rob Winch 11 жил өмнө
parent
commit
88559882e9
15 өөрчлөгдсөн 40 нэмэгдсэн , 2 устгасан
  1. 1 0
      core/src/main/resources/org/springframework/security/messages.properties
  2. 1 0
      core/src/main/resources/org/springframework/security/messages_cs_CZ.properties
  3. 1 0
      core/src/main/resources/org/springframework/security/messages_de.properties
  4. 1 0
      core/src/main/resources/org/springframework/security/messages_es_ES.properties
  5. 1 0
      core/src/main/resources/org/springframework/security/messages_fr.properties
  6. 1 0
      core/src/main/resources/org/springframework/security/messages_it.properties
  7. 1 0
      core/src/main/resources/org/springframework/security/messages_ko_KR.properties
  8. 1 0
      core/src/main/resources/org/springframework/security/messages_lt.properties
  9. 1 0
      core/src/main/resources/org/springframework/security/messages_pl.properties
  10. 1 0
      core/src/main/resources/org/springframework/security/messages_pt_BR.properties
  11. 1 0
      core/src/main/resources/org/springframework/security/messages_pt_PT.properties
  12. 1 0
      core/src/main/resources/org/springframework/security/messages_uk_UA.properties
  13. 1 0
      core/src/main/resources/org/springframework/security/messages_zh_CN.properties
  14. 20 1
      ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java
  15. 7 1
      ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java

+ 1 - 0
core/src/main/resources/org/springframework/security/messages.properties

@@ -1,4 +1,5 @@
 AbstractAccessDecisionManager.accessDenied=Access is denied
+AbstractLdapAuthenticationProvider.emptyPassword=Empty Password
 AbstractSecurityInterceptor.authenticationNotFound=An Authentication object was not found in the SecurityContext
 AbstractUserDetailsAuthenticationProvider.badCredentials=Bad credentials
 AbstractUserDetailsAuthenticationProvider.credentialsExpired=User credentials have expired

+ 1 - 0
core/src/main/resources/org/springframework/security/messages_cs_CZ.properties

@@ -1,4 +1,5 @@
 AbstractAccessDecisionManager.accessDenied=P\u0159\u00EDstup odep\u0159en
+AbstractLdapAuthenticationProvider.emptyPassword=\u0160patn\u00E9 p\u0159ihla\u0161ovac\u00ED \u00FAdaje
 AbstractSecurityInterceptor.authenticationNotFound=Nebyl nalezen \u017E\u00E1dn\u00FD Authentication objekt v SecurityContext
 AbstractUserDetailsAuthenticationProvider.badCredentials=\u0160patn\u00E9 p\u0159ihla\u0161ovac\u00ED \u00FAdaje
 AbstractUserDetailsAuthenticationProvider.credentialsExpired=Platnost u\u017Eivatelsk\u00E9ho hesla vypr\u0161ela

+ 1 - 0
core/src/main/resources/org/springframework/security/messages_de.properties

@@ -1,4 +1,5 @@
 AbstractAccessDecisionManager.accessDenied=Zugriff verweigert
+AbstractLdapAuthenticationProvider.emptyPassword=Ung\u00FCltige Benutzerberechtigungen
 AbstractSecurityInterceptor.authenticationNotFound=Im SecurityContext wurde keine Authentifikation gefunden
 AbstractUserDetailsAuthenticationProvider.badCredentials=Ung\u00FCltige Benutzerberechtigungen
 AbstractUserDetailsAuthenticationProvider.credentialsExpired=Die G\u00FCltigkeit der Benutzerberechtigungen ist abgelaufen

+ 1 - 0
core/src/main/resources/org/springframework/security/messages_es_ES.properties

@@ -1,4 +1,5 @@
 AbstractAccessDecisionManager.accessDenied=Acceso denegado
+AbstractLdapAuthenticationProvider.emptyPassword=Credenciales err\u00F3neas
 AbstractSecurityInterceptor.authenticationNotFound=El objeto Authentication no ha sido encontrado en el SecurityContext
 AbstractUserDetailsAuthenticationProvider.badCredentials=Credenciales err\u00F3neas
 AbstractUserDetailsAuthenticationProvider.credentialsExpired=Las credenciales del usuario han expirado

+ 1 - 0
core/src/main/resources/org/springframework/security/messages_fr.properties

@@ -3,6 +3,7 @@
 # Translation by Laurent Pireyn (laurent.pireyn@pisolutions.eu)
 # Translation by Valentin Crettaz (valentin.crettaz@consulthys.com)
 AbstractAccessDecisionManager.accessDenied=Acc\u00E8s refus\u00E9
+AbstractLdapAuthenticationProvider.emptyPassword=Le mot de passe est obligatoire
 AbstractSecurityInterceptor.authenticationNotFound=Aucun objet Authentication n'a \u00E9t\u00E9 trouv\u00E9 dans le SecurityContext
 AbstractUserDetailsAuthenticationProvider.badCredentials=Les cr\u00E9ances sont erron\u00E9es
 AbstractUserDetailsAuthenticationProvider.credentialsExpired=Les cr\u00E9ances de l'utilisateur ont expir\u00E9

+ 1 - 0
core/src/main/resources/org/springframework/security/messages_it.properties

@@ -1,4 +1,5 @@
 AbstractAccessDecisionManager.accessDenied=Accesso negato
+AbstractLdapAuthenticationProvider.badCredentials=Credenziali non valide
 AbstractSecurityInterceptor.authenticationNotFound=Nessuna autenticazione trovata dentro il Security Context
 AbstractUserDetailsAuthenticationProvider.badCredentials=Credenziali non valide
 AbstractUserDetailsAuthenticationProvider.credentialsExpired=Credenziali dell'utente scadute

+ 1 - 0
core/src/main/resources/org/springframework/security/messages_ko_KR.properties

@@ -1,4 +1,5 @@
 AbstractAccessDecisionManager.accessDenied=\uC811\uADFC\uC774 \uAC70\uBD80\uB418\uC5C8\uC2B5\uB2C8\uB2E4.
+AbstractLdapAuthenticationProvider.badCredentials=\uBE44\uBC00\uBC88\uD638\uAC00 \uB9DE\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.
 AbstractSecurityInterceptor.authenticationNotFound=SecurityContext\uC5D0\uC11C Authentication \uAC1D\uCCB4\uB97C \uCC3E\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4.
 AbstractUserDetailsAuthenticationProvider.badCredentials=\uBE44\uBC00\uBC88\uD638(credential)\uAC00 \uB9DE\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.
 AbstractUserDetailsAuthenticationProvider.credentialsExpired=\uBE44\uBC00\uBC88\uD638(credential)\uC758 \uC720\uD6A8 \uAE30\uAC04\uC774 \uB9CC\uB8CC\uB418\uC5C8\uC2B5\uB2C8\uB2E4.

+ 1 - 0
core/src/main/resources/org/springframework/security/messages_lt.properties

@@ -1,4 +1,5 @@
 AbstractAccessDecisionManager.accessDenied=Pri\u0117jimas neleid\u017eiamas
+AbstractLdapAuthenticationProvider.emptyPassword=Tu\u0161\u010dias slapta\u017eodis
 AbstractSecurityInterceptor.authenticationNotFound=Authentication objektas nerastas SecurityContext kontekste
 AbstractUserDetailsAuthenticationProvider.badCredentials=Blogi kredencialai
 AbstractUserDetailsAuthenticationProvider.credentialsExpired=Pasibaig\u0117 vartotojo kredencial\u0173 galiojimas

+ 1 - 0
core/src/main/resources/org/springframework/security/messages_pl.properties

@@ -1,4 +1,5 @@
 AbstractAccessDecisionManager.accessDenied=Dost\u0119p zabroniony
+AbstractLdapAuthenticationProvider.emptyPassword=Niepoprawne dane uwierzytelniaj\u0105ce
 AbstractSecurityInterceptor.authenticationNotFound=Obiekt Authentication nie zosta\u0142 odnaleziony w SecurityContext
 AbstractUserDetailsAuthenticationProvider.badCredentials=Niepoprawne dane uwierzytelniaj\u0105ce
 AbstractUserDetailsAuthenticationProvider.credentialsExpired=Wa\u017Cno\u015B\u0107 danych uwierzytelniaj\u0105cych wygas\u0142a

+ 1 - 0
core/src/main/resources/org/springframework/security/messages_pt_BR.properties

@@ -2,6 +2,7 @@
 # Messages in Brazilian Portuguese
 # Translation by Leonardo Pinto (leoviveiros@gmail.com)
 AbstractAccessDecisionManager.accessDenied=Acesso negado
+AbstractLdapAuthenticationProvider.emptyPassword=Usu\u00E1rio inexistente ou senha inv\u00E1lida
 AbstractSecurityInterceptor.authenticationNotFound=Um objeto de autentica\u00E7\u00E3o n\u00E3o foi encontrado no SecurityContext
 AbstractUserDetailsAuthenticationProvider.badCredentials=Usu\u00E1rio inexistente ou senha inv\u00E1lida
 AbstractUserDetailsAuthenticationProvider.credentialsExpired=Credenciais expiradas

+ 1 - 0
core/src/main/resources/org/springframework/security/messages_pt_PT.properties

@@ -1,6 +1,7 @@
 # Spring Security Portuguese Resource Bundle
 # Author: José Santos
 AbstractAccessDecisionManager.accessDenied=Acesso negado
+AbstractLdapAuthenticationProvider.emptyPassword=Credenciais inv\u00E1lidas
 AbstractSecurityInterceptor.authenticationNotFound=Objecto Authentication n\u00E3o encontrado em SecurityContext
 AbstractUserDetailsAuthenticationProvider.badCredentials=Credenciais inv\u00E1lidas
 AbstractUserDetailsAuthenticationProvider.credentialsExpired=As credenciais do utilizador expiraram

+ 1 - 0
core/src/main/resources/org/springframework/security/messages_uk_UA.properties

@@ -1,4 +1,5 @@
 AbstractAccessDecisionManager.accessDenied=\u0414\u043E\u0441\u0442\u0443\u043F \u0437\u0430\u0431\u043E\u0440\u043E\u043D\u0435\u043D\u0438\u0439
+AbstractLdapAuthenticationProvider.emptyPassword=\u0414\u0430\u043D\u0456 \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u043D\u0435\u043A\u043E\u0440\u0435\u043A\u0442\u043D\u0456
 AbstractSecurityInterceptor.authenticationNotFound=\u041E\u0431'\u0454\u043A\u0442 Authentication \u043D\u0435 \u0437\u043D\u0430\u0439\u0434\u0435\u043D\u0438\u0439 \u0432 SecurityContext
 AbstractUserDetailsAuthenticationProvider.badCredentials=\u0414\u0430\u043D\u0456 \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u043D\u0435\u043A\u043E\u0440\u0435\u043A\u0442\u043D\u0456
 AbstractUserDetailsAuthenticationProvider.credentialsExpired=\u041F\u043E\u0432\u043D\u043E\u0432\u0430\u0436\u0435\u043D\u043D\u044F \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0432\u0438\u0447\u0435\u0440\u043F\u0430\u043B\u0438 \u0442\u0435\u0440\u043C\u0456\u043D \u0434\u0456\u0457

+ 1 - 0
core/src/main/resources/org/springframework/security/messages_zh_CN.properties

@@ -1,4 +1,5 @@
 AbstractAccessDecisionManager.accessDenied=\u4E0D\u5141\u8BB8\u8BBF\u95EE
+AbstractLdapAuthenticationProvider.emptyPassword=\u574F\u7684\u51ED\u8BC1
 AbstractSecurityInterceptor.authenticationNotFound=\u672A\u5728SecurityContext\u4E2D\u67E5\u627E\u5230\u8BA4\u8BC1\u5BF9\u8C61
 AbstractUserDetailsAuthenticationProvider.badCredentials=\u574F\u7684\u51ED\u8BC1
 AbstractUserDetailsAuthenticationProvider.credentialsExpired=\u7528\u6237\u51ED\u8BC1\u5DF2\u8FC7\u671F

+ 20 - 1
ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java

@@ -1,4 +1,18 @@
-package org.springframework.security.ldap.authentication;
+/*
+ * Copyright 2002-2014 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */package org.springframework.security.ldap.authentication;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -56,6 +70,11 @@ public abstract class AbstractLdapAuthenticationProvider implements Authenticati
                     "Empty Username"));
         }
 
+        if (!StringUtils.hasLength(password)) {
+            throw new BadCredentialsException(messages.getMessage("AbstractLdapAuthenticationProvider.emptyPassword",
+                    "Empty Password"));
+        }
+
         Assert.notNull(password, "Null password was supplied in authentication token");
 
         DirContextOperations userData = doAuthentication(userToken);
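Review bot: The `Assert.notNull(password, "Null password was supplied in authentication token")` left directly after the new guard is now dead in practice, because `StringUtils.hasLength(null)` is false and the new block already throws for a null credential — which also means a null password now surfaces as `BadCredentialsException` instead of the `IllegalArgumentException` the assert used to raise, so either drop the assert or state that change of contract in the Javadoc. The key the new code looks up is `AbstractLdapAuthenticationProvider.emptyPassword`, but the Italian and Korean bundles in this same commit register their text under `AbstractLdapAuthenticationProvider.badCredentials`, so those two locales will silently fall back to the default `"Empty Password"`. Placing the check in the abstract provider, ahead of `doAuthentication(userToken)`, is the right layer since it covers every subclass and not only the ActiveDirectory one named in the title, and that intent deserves a line on the guard such as `// Reject an empty credential here, before any bind: an empty password would otherwise be sent as an anonymous bind and could "succeed" (SEC-2500).` In the first hunk the license header's closing `*/` and the `package` declaration share one line; put the `package` statement on its own line. The enclosing authenticate method starts and ends outside this hunk, and the declared type of `password` is not visible here.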

+ 7 - 1
ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2012 the original author or authors.
+ * Copyright 2002-2014 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
@@ -141,6 +141,12 @@ public class ActiveDirectoryLdapAuthenticationProviderTests {
         provider.authenticate(joe);
     }
 
+    // SEC-2500
+    @Test(expected = BadCredentialsException.class)
+    public void sec2500PreventAnonymousBind() {
+        provider.authenticate(new UsernamePasswordAuthenticationToken("rwinch", ""));
+    }
+
     @SuppressWarnings("unchecked")
     @Test(expected = IncorrectResultSizeDataAccessException.class)
     public void duplicateUserSearchCausesError() throws Exception {
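Review bot: `sec2500PreventAnonymousBind` only asserts that a `BadCredentialsException` escapes `provider.authenticate(...)`; it does not pin the property the fix is about, namely that no bind or search is attempted with the empty credential, so a later change that binds first and throws the same exception afterwards would still pass. If the `provider` set up outside this hunk is backed by a mocked context source, add a never-invoked verification on the bind/search path (for example Mockito's `verify(mock, never())` if that is the mocking library in use here) alongside the expected exception. A sibling case passing a null credential is also worth adding, since the new guard in `AbstractLdapAuthenticationProvider` treats null and empty alike while the previous `Assert.notNull` produced a different exception type. Per the diffstat this is the only test touched, so the generic `LdapAuthenticationProvider` subclasses that share the same base-class guard remain unexercised for this case.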