I use LDAP authentication in my app. I use this code:

@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    String domain = customProperties.getAdDomain();
    String url = customProperties.getAdUrl();
    ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(domain,url);
    provider.setConvertSubErrorCodesToExceptions(true);
    provider.setUseAuthenticationRequestCredentials(true);
    provider.setUserDetailsContextMapper(userDetailsContextMapper());
    auth.authenticationProvider(provider);
    auth.userDetailsService(new MyUserDetailsService());
}

Authentication takes place with an empty password. I know that I need to insert a check for an empty password, because not all LDAP servers return an error in this case. How and where is it better to insert a check for a blank password?
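One place to put the check without giving up ActiveDirectoryLdapAuthenticationProvider is a decorating provider that rejects blank credentials before delegating to it. This is an added example, not code from the question or the answer; the class name NonBlankPasswordAuthenticationProvider is assumed, everything else is the Spring Security AuthenticationProvider contract.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/**
 * Wraps another AuthenticationProvider (here the AD LDAP provider from the
 * question) and refuses blank credentials before the wrapped provider ever
 * contacts the directory. Assumed name; added example, not from the question.
 */
public class NonBlankPasswordAuthenticationProvider implements AuthenticationProvider {

    private final AuthenticationProvider delegate;

    public NonBlankPasswordAuthenticationProvider(AuthenticationProvider delegate) {
        this.delegate = delegate;
    }

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        Object credentials = auth.getCredentials();
        // Treat null, empty and whitespace-only passwords alike and never bind with them:
        // a simple bind with a DN and an empty password is what RFC 4513 calls an
        // unauthenticated bind, and a server that permits it reports success.
        if (credentials == null || credentials.toString().trim().isEmpty()) {
            throw new BadCredentialsException("Empty password");
        }
        return delegate.authenticate(auth);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Same token types as the wrapped provider, so ProviderManager routes identically
        return delegate.supports(authentication);
    }
}
```

In configure(), register the wrapper instead of the bare provider: auth.authenticationProvider(new NonBlankPasswordAuthenticationProvider(provider)).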

1 Answer

Instead of using the ActiveDirectoryLdapAuthenticationProvider, you can make use of Spring's LdapTemplate to have a custom implementation of how you authenticate users against the LdapServer. You can refer to the recommendation here and here to configure the LDAP template.

Then, you can create a CustomAuthenticationProvider class to handle the authentication.

CustomAuthenticationProvider.class

import java.util.Collections;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class CustomAuthenticationProvider implements AuthenticationProvider {

  @Autowired
  private LdapTemplate ldapTemplate;

  @Override
  public Authentication authenticate(Authentication auth) throws AuthenticationException {
    String username = auth.getName();
    Object credentials = auth.getCredentials();
    String password = credentials == null ? "" : credentials.toString();

    // Check for a blank password here, before any bind is attempted
    if (password.trim().isEmpty()) {
      throw new BadCredentialsException("Empty password");
    }

    AndFilter andFilter = new AndFilter();
    andFilter.and(new EqualsFilter("<LDAP USER ATTRIBUTE>", username))
             .and(new EqualsFilter("<LDAP GROUP ATTRIBUTE>", "<USER GROUP>"));

    // Search under the template's base DN for the filter, then bind as that entry
    boolean isValidUser = ldapTemplate.authenticate("", andFilter.encode(), password);
    if (!isValidUser) {
      throw new BadCredentialsException("Invalid username or password");
    }
    // Complete the authentication with an authenticated token (authorities omitted here)
    return new UsernamePasswordAuthenticationToken(username, password, Collections.emptyList());
  }

  @Override
  public boolean supports(Class<?> authentication) {
    return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
  }
}

I prefer this approach as it gives me finer control on how to authenticate the user. Here is the link to the sample I implemented previously.

mengjiann