I have set up Seam authentication with LDAP by adding the following to my components.xml:
<security:identity-manager identity-store="#{ldapIdentityStore}"/>

<security:ldap-identity-store
    server-address="serverurl"
    bind-DN="cn=intranet,ou=Users,ou=SERVICES,o=COUNTY"
    bind-credentials="secret"
    user-DN-prefix="cn="
    user-DN-suffix=",ou=Users,ou=RESOURCES,o=COUNTY"
    role-DN-prefix="cn="
    role-DN-suffix=",ou=Groups,ou=RESOURCES,o=COUNTY"
    user-context-DN="ou=Users,ou=RESOURCES,o=COUNTY"
    role-context-DN="ou=Groups,ou=RESOURCES,o=COUNTY"
    user-role-attribute="groupMembership"
    role-name-attribute="cn"
    user-object-classes="Person,organizationalPerson,inetOrgPerson,groupOfNames"
    role-object-classes="group,organizationalUnit"
    first-name-attribute="givenName"
    full-name-attribute="fullName" />

<event type="org.jboss.seam.security.notLoggedIn">
    <action execute="#{redirect.captureCurrentView}" />
</event>
<event type="org.jboss.seam.security.postAuthenticate">
    <action execute="#{redirect.returnToCapturedView}"/>
</event>
Then I have a simple login form:

<a4j:form id="responseForm">
    <rich:panel header="Login Page">
        <h:panelGrid columns="2" width="100%" columnClasses="loginGridCol">
            <h:outputText value="Username"/>
            <h:inputText value="#{identity.username}"/>
            <h:outputText value="Password"/>
            <h:inputSecret value="#{identity.password}"/>
        </h:panelGrid>
        <h:commandButton value="Login" type="submit" action="#{identity.login}"/>
        <rich:messages style="color:red" />
    </rich:panel>
</a4j:form>
The authentication will successfully recognize a correct username and password and deny access to incorrect username/password combinations. However, if I log in with a valid username and leave the password field blank, authentication is still successful and I am successfully logged into the system.
Is there a property that I can set in my components.xml that will prevent this from happening?
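
Added example, not part of the original post and not Seam's own code: in LDAP, a simple bind that carries a DN and an empty password is an "unauthenticated bind" (RFC 4513, section 5.1.2), which many directory servers accept, so one possible cause of the behaviour described above is that the blank password reaches the server. The class below rejects blank credentials before any bind is attempted, using only standard JNDI; the class name `GuardedLdapBind`, its methods, the `ldap://` URL scheme and port, and the username `jdoe` are assumptions, while the DN prefix and suffix are taken from the configuration in the question.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

// Hypothetical helper (not a Seam class): verifies a user by LDAP simple bind
// and refuses to send a bind request that carries no password.
public class GuardedLdapBind {
    private final String serverUrl, dnPrefix, dnSuffix;

    public GuardedLdapBind(String serverUrl, String dnPrefix, String dnSuffix) {
        this.serverUrl = serverUrl;
        this.dnPrefix = dnPrefix;
        this.dnSuffix = dnSuffix;
    }

    // A bind is attempted only when both fields carry a value.
    static boolean bindable(String username, String password) {
        return username != null && !username.trim().isEmpty()
            && password != null && !password.isEmpty();
    }

    public boolean authenticate(String username, String password) throws NamingException {
        if (!bindable(username, password)) {
            return false; // rejected locally, the directory is never contacted
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, serverUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // Escape the user-supplied RDN value so it cannot alter the DN.
        env.put(Context.SECURITY_PRINCIPAL, dnPrefix + Rdn.escapeValue(username) + dnSuffix);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close(); // bind succeeded, release the connection
            return true;
        } catch (AuthenticationException e) {
            return false; // the directory rejected the credentials
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample values; the blank password is refused before any network I/O.
        GuardedLdapBind ldap = new GuardedLdapBind(
            "ldap://serverurl:389", "cn=", ",ou=Users,ou=RESOURCES,o=COUNTY");
        System.out.println(ldap.authenticate("jdoe", ""));
    }
}
```

The same check belongs on the server side of the login action even if the form also marks the password field as required, since form-level validation can be bypassed by a crafted request.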