I use JBoss 3.2.2 and I configured an application-policy with LdapLoginModule for my application.
<application-policy name="my_ldap">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://ldap-server:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=People,dc=mycompany,dc=com</module-option>
      <module-option name="uidAttributeID">memberUid</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleNameAttributeId">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="matchOnUserDN">false</module-option>
      <module-option name="rolesCtxDN">ou=Group,dc=mycompany,dc=com</module-option>
      <module-option name="unauthenticatedIdentity">nobody</module-option>
    </login-module>
  </authentication>
</application-policy>
Your LDAP server is configured to allow anonymous access. Disable anonymous access and then you're OK. However, I would like to know which LDAP server this application-policy is configured for.