authorJulien Lancelot <julien.lancelot@gmail.com>2012-11-27 10:44:40 +0100
committerJulien Lancelot <julien.lancelot@gmail.com>2012-11-27 10:46:09 +0100
commit16c86195a6f172ad79fe27fa6d6b80c4515b71e7 (patch)
tree4b0130d25d5bd860b9a564c38a5f846381c7483c
parent4b0679d4670f131be4e6f5905a48b5bb5f2396e0 (diff)
SONAR-3968 Sonar should not allow any login with a blank password even when this authentication depends on an external system like LDAP
-rw-r--r--plugins/sonar-core-plugin/src/main/resources/org/sonar/l10n/core.properties1
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb21
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/lib/need_authentication.rb36
3 files changed, 32 insertions, 26 deletions
diff --git a/plugins/sonar-core-plugin/src/main/resources/org/sonar/l10n/core.properties b/plugins/sonar-core-plugin/src/main/resources/org/sonar/l10n/core.properties
index a21573326fc..8ab87ede62f 100644
--- a/plugins/sonar-core-plugin/src/main/resources/org/sonar/l10n/core.properties
+++ b/plugins/sonar-core-plugin/src/main/resources/org/sonar/l10n/core.properties
@@ -375,6 +375,7 @@ sessions.confirm_password=Confirm password
sessions.sign_up=Sign up
sessions.old_account=<a href="{0}" tabindex="-1">Log in</a> if you already have an account.
session.flash_notice.authentication_failed=Authentication failed.
+session.flash_notice.empty_password=Password can't be blank.
session.flash_notice.logged_out=You have been logged out.
#------------------------------------------------------------------------------
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
index 3098ad32268..4b56c58b76c 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
@@ -26,16 +26,19 @@ class SessionsController < ApplicationController
def login
return unless request.post?
-
- self.current_user = User.authenticate(params[:login], params[:password], servlet_request)
- if logged_in?
- if params[:remember_me] == '1'
- self.current_user.remember_me
- cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at }
- end
- redirect_back_or_default(home_url)
+ if params[:password].blank?
+ flash.now[:loginerror] = message('session.flash_notice.empty_password')
else
- flash.now[:loginerror] = message('session.flash_notice.authentication_failed')
+ self.current_user = User.authenticate(params[:login], params[:password], servlet_request)
+ if logged_in?
+ if params[:remember_me] == '1'
+ self.current_user.remember_me
+ cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at }
+ end
+ redirect_back_or_default(home_url)
+ else
+ flash.now[:loginerror] = message('session.flash_notice.authentication_failed')
+ end
end
end
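Review bot: The new guard on `params[:password]` has no counterpart for `params[:login]`, so a blank username with a non-blank password still reaches `User.authenticate` and whatever realm sits behind it; a one-line extension, `if params[:login].blank? || params[:password].blank?`, would stop both before any provider is consulted (the `empty_password` message would then be slightly imprecise, or a separate branch can reuse `session.flash_notice.authentication_failed`). Note also that `blank?` rejects whitespace-only values, which is stricter than the LDAP empty-bind case the commit targets and means a legitimate all-spaces password is now refused here; that is a reasonable trade-off but deserves a comment on the branch, e.g. `# Refuse blank (incl. whitespace-only) passwords before delegating: some realms (e.g. LDAP anonymous bind) would accept an empty one.` Independently of this change, the moved `cookies[:auth_token]` line still sets the remember-me token without `:httponly`/`:secure`, which is worth a follow-up. The `login` action fits entirely within this hunk.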
diff --git a/sonar-server/src/main/webapp/WEB-INF/lib/need_authentication.rb b/sonar-server/src/main/webapp/WEB-INF/lib/need_authentication.rb
index 7e3ffd3a7e0..7c2a5fd4050 100644
--- a/sonar-server/src/main/webapp/WEB-INF/lib/need_authentication.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/lib/need_authentication.rb
@@ -49,26 +49,28 @@ class PluginRealm
end
def authenticate?(username, password, servlet_request)
- details=nil
- if @java_users_provider
- begin
- provider_context = org.sonar.api.security.ExternalUsersProvider::Context.new(username, servlet_request)
- details = @java_users_provider.doGetUserDetails(provider_context)
- rescue Exception => e
- Rails.logger.error("Error from external users provider: #{e.message}")
- @save_password ? fallback(username, password) : false
- else
- if details
- # User exist in external system
- auth(username, password, servlet_request, details)
+ unless password.blank?
+ details=nil
+ if @java_users_provider
+ begin
+ provider_context = org.sonar.api.security.ExternalUsersProvider::Context.new(username, servlet_request)
+ details = @java_users_provider.doGetUserDetails(provider_context)
+ rescue Exception => e
+ Rails.logger.error("Error from external users provider: #{e.message}")
+ @save_password ? fallback(username, password) : false
else
- # No such user in external system
- fallback(username, password)
+ if details
+ # User exist in external system
+ auth(username, password, servlet_request, details)
+ else
+ # No such user in external system
+ fallback(username, password)
+ end
end
+ else
+ # Legacy authenticator
+ auth(username, password, servlet_request, nil)
end
- else
- # Legacy authenticator
- auth(username, password, servlet_request, nil)
end
end
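Review bot: The new `unless password.blank? … end` has no `else`, so for a blank password `authenticate?` returns `nil` rather than `false`; that is falsy for present callers, but a guard clause makes the intent explicit and removes a level of nesting from the whole method: `return false if password.blank?` as the first line of the body, with the rest dedented to its original depth. `username` gets no equivalent check, so a blank login still reaches `ExternalUsersProvider::Context.new` and the fallback path; if the controller is meant to be the only gate that may be acceptable, but `return false if username.blank? || password.blank?` would keep the policy in the realm where every caller hits it. The `rescue Exception` around the provider call is pre-existing and presumably deliberate under JRuby to catch Java exceptions thrown by the plugin, but it also swallows `SystemExit`/`Interrupt`; a one-line comment stating why it is that broad would save the next reader from narrowing it.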