0 Replies Latest reply on Nov 26, 2009 9:54 AM by bh00014

    Seam and LDAP authentication null password error

    bh00014

      I have set up Seam authentication with LDAP by adding the following to my components.xml.


      <security:identity-manager identity-store="#{ldapIdentityStore}"/>
      
      <security:ldap-identity-store
           server-address="serverurl"
           bind-DN="cn=intranet,ou=Users,ou=SERVICES,o=COUNTY"
           bind-credentials="secret"
           user-DN-prefix="cn="
           user-DN-suffix=",ou=Users,ou=RESOURCES,o=COUNTY"
           role-DN-prefix="cn="
           role-DN-suffix=",ou=Groups,ou=RESOURCES,o=COUNTY"
           user-context-DN="ou=Users,ou=RESOURCES,o=COUNTY"
           role-context-DN="ou=Groups,ou=RESOURCES,o=COUNTY"
           user-role-attribute="groupMembership"
           role-name-attribute="cn"
           user-object-classes="Person,organizationalPerson,inetOrgPerson,groupOfNames"
           role-object-classes="group,organizationalUnit"
           first-name-attribute="givenName"
           full-name-attribute="fullName" />
      
      <event type="org.jboss.seam.security.notLoggedIn">
          <action execute="#{redirect.captureCurrentView}" />
      </event>
      
      <event type="org.jboss.seam.security.postAuthenticate">
          <action execute="#{redirect.returnToCapturedView}"/>
      </event>
      



      Then I have a simple login form


      <a4j:form id="responseForm">
          <rich:panel header="Login Page">
            <h:panelGrid columns="2" width="100%" columnClasses="loginGridCol">
                <h:outputText value="Username"/>
                <h:inputText value="#{identity.username}"/>
                <h:outputText value="Password"/>
                <h:inputSecret value="#{identity.password}"/>
            </h:panelGrid>
            <h:commandButton value="Login" type="submit" action="#{identity.login}"/>
            <rich:messages style="color:red" />
          </rich:panel>
      </a4j:form>
      



      The authentication will successfully recognize a correct username and password and deny access to incorrect username/password combinations. However, if I log in with a valid username and leave the password field blank, authentication is still successful and I am successfully logged into the system.


      Is there a property that I can set in my components.xml that will prevent this from happening?
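
The symptom in the post is consistent with LDAP's "unauthenticated bind" (RFC 4513, section 5.1.2): a simple bind that carries a DN and a zero-length password is not a credential check, and a directory that permits it reports success. The following is an added example, not code from the original post or from Seam, showing a guard that refuses blank passwords before any bind is attempted. The class name, the `Binder` interface, the sample username and password, and the `ldapUrl` parameter are assumptions made for illustration; the DN prefix and suffix are taken from the posted components.xml.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

public class LdapBindGuard {
    /** Hypothetical interface so the guard can be exercised without a server. */
    interface Binder { boolean bind(String userDn, String password); }

    // DN prefix and suffix as in the posted components.xml.
    static final String PREFIX = "cn=";
    static final String SUFFIX = ",ou=Users,ou=RESOURCES,o=COUNTY";

    static boolean authenticate(String username, String password, Binder binder) {
        // A DN plus a zero-length password is an unauthenticated bind, which a
        // permissive server answers with success, so blank input must never
        // reach the bind call.
        if (username == null || username.trim().isEmpty()) return false;
        if (password == null || password.isEmpty()) return false;
        return binder.bind(PREFIX + Rdn.escapeValue(username) + SUFFIX, password);
    }

    /** Real bind over JNDI; ldapUrl is a placeholder supplied by the caller. */
    static Binder jndi(String ldapUrl) {
        return (dn, pw) -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldapUrl);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, dn);
            env.put(Context.SECURITY_CREDENTIALS, pw);
            try {
                new InitialDirContext(env).close();
                return true;
            } catch (NamingException e) {
                return false; // bad credentials or directory unreachable
            }
        };
    }

    public static void main(String[] args) {
        // Constructed stand-in for a directory that accepts unauthenticated binds.
        Binder permissive = (dn, pw) -> pw.isEmpty() || pw.equals("constructed-pw");
        System.out.println(permissive.bind("cn=jsmith" + SUFFIX, ""));
        System.out.println(authenticate("jsmith", "", permissive));
        System.out.println(authenticate("jsmith", "constructed-pw", permissive));
    }
}
```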