
Why does this work?

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:10389/o=csRepository");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
//env.put(Context.SECURITY_PRINCIPAL, "cn=John Eipe, ou=employees, o=csRepository");
//env.put(Context.SECURITY_CREDENTIALS, "qwer1234");

DirContext ctx = new InitialDirContext(env); // succeeds even though no principal or credentials were set
//operations on ctx

My understanding is that when SECURITY_AUTHENTICATION is specified as simple and no username or password is specified then it should throw javax.naming.AuthenticationException.

John Eipe
  • Maybe because credentials were cached? You initially had the code then commented it out right? – Floris Apr 05 '14 at 12:51
  • To test my hypothesis - uncomment your authentication lines then change the password so it fails. Comment out again - does it still fail? – Floris Apr 05 '14 at 12:52
  • No, it's the same. btw cached where? I'm running this from psvm code. – John Eipe Apr 05 '14 at 15:58

1 Answer


Solved. Sadly that's how it works. It's stated as below in Oracle docs.

If you supply an empty string, an empty byte/char array, or null to the Context.SECURITY_CREDENTIALS environment property, then the authentication mechanism will be "none". This is because the LDAP requires the password to be nonempty for simple authentication. The protocol automatically converts the authentication to "none" if a password is not supplied.

This causes a serious security breach. But, I guess it is left to the application to validate.

John Eipe
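The validation the answer says is left to the application, as an added example (not code from the question or from Oracle's documentation): a bind helper that rejects an empty principal or password before JNDI can silently downgrade the simple bind to "none". The class and method names are my own.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public final class LdapAuth {

    /**
     * Performs a simple bind as userDn with the given password.
     *
     * JNDI turns an empty or null SECURITY_CREDENTIALS value into an
     * anonymous ("none") bind, which succeeds without proving anything
     * about the user. An application that treats "InitialDirContext did
     * not throw" as "the password was correct" would therefore accept a
     * blank password for any DN. Refusing empty input here closes that gap.
     */
    public static DirContext bind(String providerUrl, String userDn, char[] password)
            throws NamingException {
        if (userDn == null || userDn.trim().isEmpty()) {
            throw new AuthenticationException("empty principal; refusing to bind");
        }
        if (password == null || password.length == 0) {
            throw new AuthenticationException("empty password; refusing anonymous bind");
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        // char[] is accepted here and can be wiped by the caller after use.
        env.put(Context.SECURITY_CREDENTIALS, password);

        // With a non-empty password the server must actually verify it; a
        // wrong password now surfaces as javax.naming.AuthenticationException.
        return new InitialDirContext(env);
    }
}
```

Wrap the call in a try/finally that closes the returned context and clears the password array once the bind result has been recorded.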