SEC-1117: Unable to use NtlmAwareLdapAuthenticator with LdapAuthenticationProvider due to checking for null password. #1367

spring-issuemaster opened this Issue Mar 10, 2009 · 1 comment



Maciej Skolecki (Migrated from SEC-1117) said:

Currently LdapAuthenticationProvider checks for an empty password in its authenticate() method (lines 225 onward). This does not allow using NtlmAwareLdapAuthenticator as a delegate for authentication because a null password will always be rejected – as is the case when using NTLM authentication – and NtlmAwareLdapAuthenticator never gets called.

The forum thread mentioned above confirms the same problem encountered by another user (see item 2 in the top post).
Also, a similar problem exists with id SEC-1014.


Luke Taylor said:

I’ve moved the check for the empty password into BindAuthenticator.authenticate(). The check is required because some directories treat an empty password as an anonymous bind, and the risk is that a user could authenticate as any valid username to such a directory just by entering an empty password. However, it should only be pertinent to bind authentication.

This change should allow the overridden authenticate method in NtlmAwareLdapAuthenticator to succeed, even with an empty password.
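The placement described in the comment above, as an added illustration that is not Spring Security's own code: a constructed stub directory that, like some real LDAP servers, treats an empty password as a successful anonymous bind; a bind authenticator that rejects empty passwords before binding; an NTLM-style delegate that ignores the password; and a provider that delegates without its own password check. All class names and the stub directory are assumptions made for this example.

```java
import java.util.Map;
import java.util.Set;

// Added example; not the Spring Security source. Shows why the empty-password
// check belongs in the bind authenticator rather than in the provider.
public class BindCheckExample {

    // Stub directory (constructed): an empty password yields an anonymous
    // bind that "succeeds", which is exactly the risk the check guards against.
    static class FakeDirectory {
        private final Map<String, String> passwords;
        FakeDirectory(Map<String, String> passwords) { this.passwords = passwords; }
        boolean bind(String dn, String password) {
            if (password.isEmpty()) return true;            // anonymous bind
            return password.equals(passwords.get(dn));      // simple bind
        }
    }

    interface LdapAuthenticator { boolean authenticate(String user, String password); }

    // Bind-based path: must refuse null/empty passwords before binding,
    // otherwise any valid username "logs in" via the anonymous bind above.
    static class BindAuthenticator implements LdapAuthenticator {
        private final FakeDirectory dir;
        BindAuthenticator(FakeDirectory dir) { this.dir = dir; }
        public boolean authenticate(String user, String password) {
            if (password == null || password.isEmpty()) return false;
            return dir.bind("uid=" + user + ",ou=people,dc=example,dc=com", password);
        }
    }

    // NTLM-style path: the user was already authenticated upstream, so the
    // password is legitimately absent. A provider-level empty-password check
    // would block this path entirely, which is the SEC-1117 symptom.
    static class NtlmAwareAuthenticator implements LdapAuthenticator {
        private final Set<String> preAuthenticated;
        NtlmAwareAuthenticator(Set<String> pre) { this.preAuthenticated = pre; }
        public boolean authenticate(String user, String password) {
            return preAuthenticated.contains(user);         // password ignored
        }
    }

    // Provider: delegates only; the password policy lives in each delegate.
    static boolean authenticate(LdapAuthenticator delegate, String user, String pw) {
        return delegate.authenticate(user, pw);
    }

    public static void main(String[] args) {
        FakeDirectory dir = new FakeDirectory(Map.of("uid=alice,ou=people,dc=example,dc=com", "s3cret"));
        System.out.println(authenticate(new BindAuthenticator(dir), "alice", ""));       // false: rejected
        System.out.println(authenticate(new NtlmAwareAuthenticator(Set.of("alice")), "alice", "")); // true
    }
}
```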

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016