I have set up Seam authentication with LDAP by adding the following to my components.xml:
<security:identity-manager identity-store="#{ldapIdentityStore}"/>
<security:ldap-identity-store
server-address="serverurl"
bind-DN="cn=intranet,ou=Users,ou=SERVICES,o=COUNTY"
bind-credentials="secret"
user-DN-prefix="cn="
user-DN-suffix=",ou=Users,ou=RESOURCES,o=COUNTY"
role-DN-prefix="cn="
role-DN-suffix=",ou=Groups,ou=RESOURCES,o=COUNTY"
user-context-DN="ou=Users,ou=RESOURCES,o=COUNTY"
role-context-DN="ou=Groups,ou=RESOURCES,o=COUNTY"
user-role-attribute="groupMembership"
role-name-attribute="cn"
user-object-classes="Person,organizationalPerson,inetOrgPerson,groupOfNames"
role-object-classes="group,organizationalUnit"
first-name-attribute="givenName"
full-name-attribute="fullName" />
<event type="org.jboss.seam.security.notLoggedIn">
<action execute="#{redirect.captureCurrentView}" />
</event>
<event type="org.jboss.seam.security.postAuthenticate">
<action execute="#{redirect.returnToCapturedView}"/>
</event>
Then I have a simple login form:
<a4j:form id="responseForm">
<rich:panel header="Login Page">
<h:panelGrid columns="2" width="100%" columnClasses="loginGridCol">
<h:outputText value="Username"/>
<h:inputText value="#{identity.username}"/>
<h:outputText value="Password"/>
<h:inputSecret value="#{identity.password}"/>
</h:panelGrid>
<h:commandButton value="Login" type="submit" action="#{identity.login}"/>
<rich:messages style="color:red" />
</rich:panel>
</a4j:form>
The authentication will successfully recognize a correct username and password and deny access to incorrect username/password combinations. However, if I log in with a valid username and leave the password field blank, authentication is still successful and I am successfully logged into the system.
Is there a property that I can set in my components.xml that will prevent this from happening?
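
An added example, not part of the original post and not Seam's own code: a guard that refuses blank credentials before an LDAP simple bind, since RFC 4513 treats a bind with a DN and an empty password as an unauthenticated bind that a server may accept. It assumes authentication is done by binding as the user's DN with plain JNDI; the class name `LdapBindGuard` and the `ldap://serverurl` URL are placeholders, and the DN prefix and suffix are taken from the configuration above.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

public class LdapBindGuard {
    // Placeholder URL; prefix and suffix mirror the components.xml above.
    static final String LDAP_URL = "ldap://serverurl";
    static final String USER_DN_PREFIX = "cn=";
    static final String USER_DN_SUFFIX = ",ou=Users,ou=RESOURCES,o=COUNTY";

    /** True only if a non-empty password binds successfully as the user's DN. */
    public static boolean authenticate(String username, char[] password)
            throws NamingException {
        // Refuse before touching the directory: with an empty password the
        // simple bind becomes an unauthenticated bind, which can succeed.
        if (username == null || username.trim().isEmpty()
                || password == null || password.length == 0) {
            return false;
        }
        // Escape the value so special characters cannot alter the DN.
        String userDn = USER_DN_PREFIX + Rdn.escapeValue(username) + USER_DN_SUFFIX;

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close(); // bind, then release the connection
            return true;
        } catch (AuthenticationException e) {
            return false; // the server rejected the credentials
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed inputs: both are refused without any network traffic.
        System.out.println(authenticate("jsmith", new char[0]));   // blank password
        System.out.println(authenticate("", "x".toCharArray()));   // blank username
    }
}
```

The same check belongs on the server side of the login action even if the form field is also marked as required, because form validation alone can be bypassed by a crafted request.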