SEC-2308: DefaultSpringSecurityContextSource allow empty baseUrl

2013-09-13 15:53:35 -07:00 · 2013-09-13 15:53:35 -07:00 · b4cbcee7f0
parent f6587c8697
commit b4cbcee7f0
2 changed files with 14 additions and 3 deletions
--- a/ldap/src/integration-test/java/org/springframework/security/ldap/DefaultSpringSecurityContextSourceTests.java
+++ b/ldap/src/integration-test/java/org/springframework/security/ldap/DefaultSpringSecurityContextSourceTests.java
@ -95,6 +95,20 @@ public class DefaultSpringSecurityContextSourceTests extends AbstractLdapIntegra
        assertTrue(ctxSrc.isPooled());
    }

+    // SEC-2308
+    @Test
+    public void instantiationSuceedsWithEmtpyBaseDn() throws Exception {
+        String baseDn = "";
+        List<String> serverUrls = new ArrayList<String>();
+        serverUrls.add("ldap://foo:789");
+        serverUrls.add("ldap://bar:389");
+        serverUrls.add("ldaps://blah:636");
+        DefaultSpringSecurityContextSource ctxSrc = new DefaultSpringSecurityContextSource(serverUrls, baseDn);
+
+        assertFalse(ctxSrc.isAnonymousReadOnly());
+        assertTrue(ctxSrc.isPooled());
+    }
+
    @Test(expected=IllegalArgumentException.class)
    public void instantiationFailsWithIncorrectServerUrl() throws Exception {
        List<String> serverUrls = new ArrayList<String>();
--- a/ldap/src/main/java/org/springframework/security/ldap/DefaultSpringSecurityContextSource.java
+++ b/ldap/src/main/java/org/springframework/security/ldap/DefaultSpringSecurityContextSource.java
@ -123,9 +123,6 @@ public class DefaultSpringSecurityContextSource extends LdapContextSource {
            if ("".equals(trimmedUrl)) {
                continue;
            }
-            if (trimmedUrl.contains(trimmedBaseDn)) {
-                throw new IllegalArgumentException("LDAP URL string must not include the base DN! '" + trimmedUrl + "'");
-            }

            providerUrl.append(trimmedUrl);
            if (! trimmedUrl.endsWith("/")) {