From 7dbb8e777ece8675f3333a1ef1cb4d6b9be80395 Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Tue, 4 Mar 2014 13:48:36 -0600 Subject: [PATCH] SEC-2500: Prevent anonymous bind for ActiveDirectoryLdapAuthenticator --- .../security/messages.properties | 1 + .../security/messages_cs_CZ.properties | 1 + .../security/messages_de.properties | 1 + .../security/messages_es_ES.properties | 1 + .../security/messages_fr.properties | 1 + .../security/messages_it.properties | 1 + .../security/messages_ko_KR.properties | 1 + .../security/messages_lt.properties | 1 + .../security/messages_pl.properties | 1 + .../security/messages_pt_BR.properties | 1 + .../security/messages_pt_PT.properties | 1 + .../security/messages_uk_UA.properties | 1 + .../security/messages_zh_CN.properties | 1 + .../AbstractLdapAuthenticationProvider.java | 21 ++++++++++++++++++- ...ectoryLdapAuthenticationProviderTests.java | 8 ++++++- 15 files changed, 40 insertions(+), 2 deletions(-) diff --git a/core/src/main/resources/org/springframework/security/messages.properties b/core/src/main/resources/org/springframework/security/messages.properties index 9490238f14c..5eb82ed6fcb 100644 --- a/core/src/main/resources/org/springframework/security/messages.properties +++ b/core/src/main/resources/org/springframework/security/messages.properties @@ -1,4 +1,5 @@ AbstractAccessDecisionManager.accessDenied=Access is denied +AbstractLdapAuthenticationProvider.emptyPassword=Empty Password AbstractSecurityInterceptor.authenticationNotFound=An Authentication object was not found in the SecurityContext AbstractUserDetailsAuthenticationProvider.badCredentials=Bad credentials AbstractUserDetailsAuthenticationProvider.credentialsExpired=User credentials have expired diff --git a/core/src/main/resources/org/springframework/security/messages_cs_CZ.properties b/core/src/main/resources/org/springframework/security/messages_cs_CZ.properties index 08a5c73322c..b2fb49e072b 100644 --- a/core/src/main/resources/org/springframework/security/messages_cs_CZ.properties +++ b/core/src/main/resources/org/springframework/security/messages_cs_CZ.properties @@ -1,4 +1,5 @@ AbstractAccessDecisionManager.accessDenied=P\u0159\u00EDstup odep\u0159en +AbstractLdapAuthenticationProvider.emptyPassword=\u0160patn\u00E9 p\u0159ihla\u0161ovac\u00ED \u00FAdaje AbstractSecurityInterceptor.authenticationNotFound=Nebyl nalezen \u017E\u00E1dn\u00FD Authentication objekt v SecurityContext AbstractUserDetailsAuthenticationProvider.badCredentials=\u0160patn\u00E9 p\u0159ihla\u0161ovac\u00ED \u00FAdaje AbstractUserDetailsAuthenticationProvider.credentialsExpired=Platnost u\u017Eivatelsk\u00E9ho hesla vypr\u0161ela diff --git a/core/src/main/resources/org/springframework/security/messages_de.properties b/core/src/main/resources/org/springframework/security/messages_de.properties index 16942a6f657..7b09e590608 100644 --- a/core/src/main/resources/org/springframework/security/messages_de.properties +++ b/core/src/main/resources/org/springframework/security/messages_de.properties @@ -1,4 +1,5 @@ AbstractAccessDecisionManager.accessDenied=Zugriff verweigert +AbstractLdapAuthenticationProvider.emptyPassword=Ung\u00FCltige Benutzerberechtigungen AbstractSecurityInterceptor.authenticationNotFound=Im SecurityContext wurde keine Authentifikation gefunden AbstractUserDetailsAuthenticationProvider.badCredentials=Ung\u00FCltige Benutzerberechtigungen AbstractUserDetailsAuthenticationProvider.credentialsExpired=Die G\u00FCltigkeit der Benutzerberechtigungen ist abgelaufen diff --git a/core/src/main/resources/org/springframework/security/messages_es_ES.properties b/core/src/main/resources/org/springframework/security/messages_es_ES.properties index f9f2e6b4cde..b68584ada82 100644 --- a/core/src/main/resources/org/springframework/security/messages_es_ES.properties +++ b/core/src/main/resources/org/springframework/security/messages_es_ES.properties @@ -1,4 +1,5 @@ AbstractAccessDecisionManager.accessDenied=Acceso denegado +AbstractLdapAuthenticationProvider.emptyPassword=Credenciales err\u00F3neas AbstractSecurityInterceptor.authenticationNotFound=El objeto Authentication no ha sido encontrado en el SecurityContext AbstractUserDetailsAuthenticationProvider.badCredentials=Credenciales err\u00F3neas AbstractUserDetailsAuthenticationProvider.credentialsExpired=Las credenciales del usuario han expirado diff --git a/core/src/main/resources/org/springframework/security/messages_fr.properties b/core/src/main/resources/org/springframework/security/messages_fr.properties index d4d7049d139..a5b01c7b5ad 100644 --- a/core/src/main/resources/org/springframework/security/messages_fr.properties +++ b/core/src/main/resources/org/springframework/security/messages_fr.properties @@ -3,6 +3,7 @@ # Translation by Laurent Pireyn (laurent.pireyn@pisolutions.eu) # Translation by Valentin Crettaz (valentin.crettaz@consulthys.com) AbstractAccessDecisionManager.accessDenied=Acc\u00E8s refus\u00E9 +AbstractLdapAuthenticationProvider.emptyPassword=Le mot de passe est obligatoire AbstractSecurityInterceptor.authenticationNotFound=Aucun objet Authentication n'a \u00E9t\u00E9 trouv\u00E9 dans le SecurityContext AbstractUserDetailsAuthenticationProvider.badCredentials=Les identifications sont erron\u00E9es AbstractUserDetailsAuthenticationProvider.credentialsExpired=Les identifications de l'utilisateur ont expir\u00E9 diff --git a/core/src/main/resources/org/springframework/security/messages_it.properties b/core/src/main/resources/org/springframework/security/messages_it.properties index bcd3b5048aa..d82d0c27124 100644 --- a/core/src/main/resources/org/springframework/security/messages_it.properties +++ b/core/src/main/resources/org/springframework/security/messages_it.properties @@ -1,4 +1,5 @@ AbstractAccessDecisionManager.accessDenied=Accesso negato +AbstractLdapAuthenticationProvider.badCredentials=Credenziali non valide AbstractSecurityInterceptor.authenticationNotFound=Nessuna autenticazione trovata dentro il Security Context AbstractUserDetailsAuthenticationProvider.badCredentials=Credenziali non valide AbstractUserDetailsAuthenticationProvider.credentialsExpired=Credenziali dell'utente scadute diff --git a/core/src/main/resources/org/springframework/security/messages_ko_KR.properties b/core/src/main/resources/org/springframework/security/messages_ko_KR.properties index ef23bbbe0e2..95e028b3366 100644 --- a/core/src/main/resources/org/springframework/security/messages_ko_KR.properties +++ b/core/src/main/resources/org/springframework/security/messages_ko_KR.properties @@ -1,4 +1,5 @@ AbstractAccessDecisionManager.accessDenied=\uC811\uADFC\uC774 \uAC70\uBD80\uB418\uC5C8\uC2B5\uB2C8\uB2E4. +AbstractLdapAuthenticationProvider.badCredentials=\uBE44\uBC00\uBC88\uD638\uAC00 \uB9DE\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4. AbstractSecurityInterceptor.authenticationNotFound=SecurityContext\uC5D0\uC11C Authentication \uAC1D\uCCB4\uB97C \uCC3E\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4. AbstractUserDetailsAuthenticationProvider.badCredentials=\uBE44\uBC00\uBC88\uD638(credential)\uAC00 \uB9DE\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4. AbstractUserDetailsAuthenticationProvider.credentialsExpired=\uBE44\uBC00\uBC88\uD638(credential)\uC758 \uC720\uD6A8 \uAE30\uAC04\uC774 \uB9CC\uB8CC\uB418\uC5C8\uC2B5\uB2C8\uB2E4. diff --git a/core/src/main/resources/org/springframework/security/messages_lt.properties b/core/src/main/resources/org/springframework/security/messages_lt.properties index e21f3959e76..47084e3db66 100644 --- a/core/src/main/resources/org/springframework/security/messages_lt.properties +++ b/core/src/main/resources/org/springframework/security/messages_lt.properties @@ -1,4 +1,5 @@ AbstractAccessDecisionManager.accessDenied=Pri\u0117jimas neleid\u017eiamas +AbstractLdapAuthenticationProvider.emptyPassword=Tu\u0161\u010dias slapta\u017eodis AbstractSecurityInterceptor.authenticationNotFound=Authentication objektas nerastas SecurityContext kontekste AbstractUserDetailsAuthenticationProvider.badCredentials=Blogi kredencialai AbstractUserDetailsAuthenticationProvider.credentialsExpired=Pasibaig\u0117 vartotojo kredencial\u0173 galiojimas diff --git a/core/src/main/resources/org/springframework/security/messages_pl.properties b/core/src/main/resources/org/springframework/security/messages_pl.properties index 8c225b3ef2f..c4006b8529a 100644 --- a/core/src/main/resources/org/springframework/security/messages_pl.properties +++ b/core/src/main/resources/org/springframework/security/messages_pl.properties @@ -1,4 +1,5 @@ AbstractAccessDecisionManager.accessDenied=Dost\u0119p zabroniony +AbstractLdapAuthenticationProvider.emptyPassword=Niepoprawne dane uwierzytelniaj\u0105ce AbstractSecurityInterceptor.authenticationNotFound=Obiekt Authentication nie zosta\u0142 odnaleziony w SecurityContext AbstractUserDetailsAuthenticationProvider.badCredentials=Niepoprawne dane uwierzytelniaj\u0105ce AbstractUserDetailsAuthenticationProvider.credentialsExpired=Wa\u017Cno\u015B\u0107 danych uwierzytelniaj\u0105cych wygas\u0142a diff --git a/core/src/main/resources/org/springframework/security/messages_pt_BR.properties b/core/src/main/resources/org/springframework/security/messages_pt_BR.properties index 36615cce23f..fc56cf855f2 100644 --- a/core/src/main/resources/org/springframework/security/messages_pt_BR.properties +++ b/core/src/main/resources/org/springframework/security/messages_pt_BR.properties @@ -2,6 +2,7 @@ # Messages in Brazilian Portuguese # Translation by Leonardo Pinto (leoviveiros@gmail.com) AbstractAccessDecisionManager.accessDenied=Acesso negado +AbstractLdapAuthenticationProvider.emptyPassword=Usu\u00E1rio inexistente ou senha inv\u00E1lida AbstractSecurityInterceptor.authenticationNotFound=Um objeto de autentica\u00E7\u00E3o n\u00E3o foi encontrado no SecurityContext AbstractUserDetailsAuthenticationProvider.badCredentials=Usu\u00E1rio inexistente ou senha inv\u00E1lida AbstractUserDetailsAuthenticationProvider.credentialsExpired=Credenciais expiradas diff --git a/core/src/main/resources/org/springframework/security/messages_pt_PT.properties b/core/src/main/resources/org/springframework/security/messages_pt_PT.properties index 999a1213c44..47efd67718a 100644 --- a/core/src/main/resources/org/springframework/security/messages_pt_PT.properties +++ b/core/src/main/resources/org/springframework/security/messages_pt_PT.properties @@ -1,6 +1,7 @@ # Spring Security Portuguese Resource Bundle # Author: José Santos AbstractAccessDecisionManager.accessDenied=Acesso negado +AbstractLdapAuthenticationProvider.emptyPassword=Credenciais inv\u00E1lidas AbstractSecurityInterceptor.authenticationNotFound=Objecto Authentication n\u00E3o encontrado em SecurityContext AbstractUserDetailsAuthenticationProvider.badCredentials=Credenciais inv\u00E1lidas AbstractUserDetailsAuthenticationProvider.credentialsExpired=As credenciais do utilizador expiraram diff --git a/core/src/main/resources/org/springframework/security/messages_uk_UA.properties b/core/src/main/resources/org/springframework/security/messages_uk_UA.properties index 9adddee2b17..11b5e38aae3 100644 --- a/core/src/main/resources/org/springframework/security/messages_uk_UA.properties +++ b/core/src/main/resources/org/springframework/security/messages_uk_UA.properties @@ -1,4 +1,5 @@ AbstractAccessDecisionManager.accessDenied=\u0414\u043E\u0441\u0442\u0443\u043F \u0437\u0430\u0431\u043E\u0440\u043E\u043D\u0435\u043D\u0438\u0439 +AbstractLdapAuthenticationProvider.emptyPassword=\u0414\u0430\u043D\u0456 \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u043D\u0435\u043A\u043E\u0440\u0435\u043A\u0442\u043D\u0456 AbstractSecurityInterceptor.authenticationNotFound=\u041E\u0431'\u0454\u043A\u0442 Authentication \u043D\u0435 \u0437\u043D\u0430\u0439\u0434\u0435\u043D\u0438\u0439 \u0432 SecurityContext AbstractUserDetailsAuthenticationProvider.badCredentials=\u0414\u0430\u043D\u0456 \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u043D\u0435\u043A\u043E\u0440\u0435\u043A\u0442\u043D\u0456 AbstractUserDetailsAuthenticationProvider.credentialsExpired=\u041F\u043E\u0432\u043D\u043E\u0432\u0430\u0436\u0435\u043D\u043D\u044F \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0432\u0438\u0447\u0435\u0440\u043F\u0430\u043B\u0438 \u0442\u0435\u0440\u043C\u0456\u043D \u0434\u0456\u0457 diff --git a/core/src/main/resources/org/springframework/security/messages_zh_CN.properties b/core/src/main/resources/org/springframework/security/messages_zh_CN.properties index 778d13ce08f..ad7f003be85 100644 --- a/core/src/main/resources/org/springframework/security/messages_zh_CN.properties +++ b/core/src/main/resources/org/springframework/security/messages_zh_CN.properties @@ -1,4 +1,5 @@ AbstractAccessDecisionManager.accessDenied=\u4E0D\u5141\u8BB8\u8BBF\u95EE +AbstractLdapAuthenticationProvider.emptyPassword=\u574F\u7684\u51ED\u8BC1 AbstractSecurityInterceptor.authenticationNotFound=\u672A\u5728SecurityContext\u4E2D\u67E5\u627E\u5230\u8BA4\u8BC1\u5BF9\u8C61 AbstractUserDetailsAuthenticationProvider.badCredentials=\u574F\u7684\u51ED\u8BC1 AbstractUserDetailsAuthenticationProvider.credentialsExpired=\u7528\u6237\u51ED\u8BC1\u5DF2\u8FC7\u671F diff --git a/ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java b/ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java index 65d7d5425be..f5aff4fa41c 100644 --- a/ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java +++ b/ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java @@ -1,4 +1,18 @@ -package org.springframework.security.ldap.authentication; +/* + * Copyright 2002-2014 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */package org.springframework.security.ldap.authentication; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -56,6 +70,11 @@ public Authentication authenticate(Authentication authentication) throws Authent "Empty Username")); } + if (!StringUtils.hasLength(password)) { + throw new BadCredentialsException(messages.getMessage("AbstractLdapAuthenticationProvider.emptyPassword", + "Empty Password")); + } + Assert.notNull(password, "Null password was supplied in authentication token"); DirContextOperations userData = doAuthentication(userToken); diff --git a/ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java b/ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java index d3c31378144..d90d1139c8c 100644 --- a/ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java +++ b/ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2012 the original author or authors. + * Copyright 2002-2014 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at @@ -143,6 +143,12 @@ public void noUserSearchCausesUsernameNotFound() throws Exception { provider.authenticate(joe); } + // SEC-2500 + @Test(expected = BadCredentialsException.class) + public void sec2500PreventAnonymousBind() { + provider.authenticate(new UsernamePasswordAuthenticationToken("rwinch", "")); + } + @SuppressWarnings("unchecked") @Test(expected = IncorrectResultSizeDataAccessException.class) public void duplicateUserSearchCausesError() throws Exception {