Sonar

Prevent successful authentication with blank password

Details

  • Patch Submitted:
    Yes
  • Number of attachments :
    1

Description

On many LDAP systems allowing anonymous binding, when a DN binds with a blank password, it will be considered as an anonymous bind and will end up as a successful authentication.

To prevent this, just add a config line :

# (advanced option) Prevent blank password.
# Default is false.
ldap.preventBlankPwd: true

Which would be used in authenticate() method:

Boolean checkBlankPwd = (ldapContextFactory.getPreventBlankPwd())?((StringUtils.isNotBlank(password))?true:false):true;
...
return StringUtils.isNotBlank(principal) && checkBlankPwd && checkPasswordUsingBind(principal, password);

Issue Links

is related to

Bug - A problem which impairs or prevents the functions of the product. SONAR-3968 Sonar should not allow any login with a blank password even when this authentication depends on an external system like LDAP

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Evgeny Mandrikov added a comment -

Hi,

Your patch increases complexity of code, so I suppose that it can be refactored.
Also could you please describe: why we need new option for such case? Why not just block empty passwords?

Show
Evgeny Mandrikov added a comment - Hi, Your patch increases complexity of code, so I suppose that it can be refactored. Also could you please describe: why we need new option for such case? Why not just block empty passwords?
Hide
Permalink
Thomas Maurel added a comment -

Well, i was just thinking some people might need this anonymous authentication behaviour, but you must be right, blocking blank password would probably be sufficient, and decrease complexity.

Show
Thomas Maurel added a comment - Well, i was just thinking some people might need this anonymous authentication behaviour, but you must be right, blocking blank password would probably be sufficient, and decrease complexity.
Hide
Permalink
Evgeny Mandrikov added a comment -

In order to get same functionality for other security plugins we decided to move this issue to Sonar core.

Show
Evgeny Mandrikov added a comment - In order to get same functionality for other security plugins we decided to move this issue to Sonar core.
Hide
Permalink
Simon Brandhof added a comment -

Thank you Thomas for the patch, but the issue is going to be fixed directly in the core, not in authentication plugins. Blank passwords will be always refused, without any configuration option. I allow myself to rename the title.

Show
Simon Brandhof added a comment - Thank you Thomas for the patch, but the issue is going to be fixed directly in the core, not in authentication plugins. Blank passwords will be always refused, without any configuration option. I allow myself to rename the title.

People

  • Assignee:
    Simon Brandhof
    Reporter:
    Thomas Maurel
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: