
Fix for SEC-237. Make LDAP Provider reject empty username.

Luke Taylor 19 anos atrás
pai
commit
9c8a4c2f74

+ 8 - 0
core/src/main/java/org/acegisecurity/providers/ldap/LdapAuthenticationProvider.java

@@ -21,11 +21,13 @@ import org.acegisecurity.ldap.LdapUserInfo;
 import org.acegisecurity.userdetails.UserDetails;
 import org.acegisecurity.userdetails.User;
 import org.acegisecurity.AuthenticationException;
+import org.acegisecurity.BadCredentialsException;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 import javax.naming.directory.Attributes;
 
@@ -141,6 +143,12 @@ public class LdapAuthenticationProvider extends AbstractUserDetailsAuthenticatio
     }
 
     protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
+        if(!StringUtils.hasLength(username)) {
+            throw new BadCredentialsException(messages.getMessage(
+                "LdapAuthenticationProvider.emptyUsername",
+                "Empty Username"));
+        }
+
         if (logger.isDebugEnabled()) {
             logger.debug("Retrieving user " + username);
         }
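Review bot: `StringUtils.hasLength(username)` in the new guard rejects only null and the empty string, so a username consisting solely of whitespace (a single space, for instance) still passes through to the lookup that follows. `if (!StringUtils.hasText(username)) {` would cover that case too, assuming the Spring version in use provides `hasText`, and the message text added in messages.properties ("Empty username not allowed") fits both cases. The guard carries no comment saying why a blank username is treated as bad credentials rather than as an unknown user; a one-liner such as `// SEC-237: a blank username is rejected as bad credentials before any lookup is attempted` would keep that rationale next to the code. Minor style: `if(` lacks the space the surrounding code uses (`if (logger.isDebugEnabled())`). The body of retrieveUser continues past the end of this hunk.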

+ 2 - 0
core/src/main/resources/org/acegisecurity/messages.properties

@@ -37,9 +37,11 @@ SwitchUserProcessingFilter.disabled=User is disabled
 SwitchUserProcessingFilter.expired=User account has expired
 SwitchUserProcessingFilter.credentialsExpired=User credentials have expired
 AbstractAccessDecisionManager.accessDenied=Access is denied
+LdapAuthenticationProvider.emptyUsername=Empty username not allowed
 DefaultIntitalDirContextFactory.communicationFailure=Unable to connect to LDAP server
 DefaultIntitalDirContextFactory.badCredentials=Bad credentials
 DefaultIntitalDirContextFactory.unexpectedException=Failed to obtain InitialDirContext due to unexpected exception
 PasswordComparisonAuthenticator.badCredentials=Bad credentials
 BindAuthenticator.badCredentials=Bad credentials
 BindAuthenticator.failedToLoadAttributes=Bad credentials
+