Unauthenticated LDAP requests

Severity
High

Do not bind to an LDAP server from a client request using the anonymous mechanism (Context.SECURITY_AUTHENTICATION set to "none") or the unauthenticated mechanism (a simple bind with a principal DN but an empty password). Both make the directory accept the connection without verifying a password, so the request runs with whatever access the server grants to unauthenticated clients, and any code that treats the resulting context as proof of identity is wrong.

Detector ID
java/ldap-authentication@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public void createDirContextNoncompliant(String password) throws NamingException {
    Hashtable<String, Object> environment = new Hashtable<>();
    environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    environment.put(Context.PROVIDER_URL, "ldap://ldap.example.com:389");
    // Noncompliant: authentication disabled. The bind is anonymous, the password
    // parameter is never sent, and the server cannot distinguish this caller
    // from any unauthenticated client on the network.
    environment.put(Context.SECURITY_AUTHENTICATION, "none");
    DirContext dirContext = new InitialDirContext(environment);
}

Compliant example

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public void createDirContextCompliant(String password) throws NamingException {
    Hashtable<String, Object> environment = new Hashtable<>();
    environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    // Simple bind sends the password in the clear, so use ldaps:// (or StartTLS).
    environment.put(Context.PROVIDER_URL, "ldaps://ldap.example.com:636");
    // Compliant: simple security authentication used, with a principal DN and
    // the caller's password. The server verifies the credentials before the
    // context is usable.
    environment.put(Context.SECURITY_AUTHENTICATION, "simple");
    environment.put(Context.SECURITY_PRINCIPAL, "cn=app,ou=services,dc=example,dc=com");
    environment.put(Context.SECURITY_CREDENTIALS, password);
    DirContext dirContext = new InitialDirContext(environment);
}
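Setting SECURITY_AUTHENTICATION to "simple" is necessary but not sufficient: RFC 4513 section 5.1.2 defines a simple bind with a non-empty DN and an empty password as the "unauthenticated" mechanism, which servers may accept and treat as anonymous. A caller that forwards a blank password from a login form therefore gets a successful bind without proving anything. The following helper, added here as an example rather than code from the detector documentation, builds the JNDI environment and rejects the three configurations this detector is concerned with (anonymous mechanism, empty credentials, and a cleartext ldap:// URL) before a bind is attempted. The host name, DN, timeout values and the check against "ldaps://" are assumptions for illustration; the JNDI property names are the standard ones from the JDK's LDAP provider.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public final class LdapBindEnvironment {

    // Example code, not part of the original page. Builds an environment for an
    // authenticated simple bind and refuses anything that would bind without a
    // verified password.
    static Hashtable<String, Object> authenticatedEnvironment(
            String providerUrl, String principalDn, char[] password) {
        // Assumption: this deployment requires LDAPS; a StartTLS variant would
        // instead check the URL and call StartTlsRequest after connecting.
        if (providerUrl == null || !providerUrl.startsWith("ldaps://")) {
            throw new IllegalArgumentException(
                "simple bind sends the password in cleartext; use an ldaps:// URL");
        }
        if (principalDn == null || principalDn.isBlank()) {
            throw new IllegalArgumentException(
                "empty principal DN selects the anonymous bind mechanism");
        }
        // RFC 4513 5.1.2: DN plus empty password is the unauthenticated
        // mechanism, which a server may accept as if it were anonymous.
        if (password == null || password.length == 0) {
            throw new IllegalArgumentException(
                "empty password would perform an unauthenticated bind");
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principalDn);
        // The JDK LDAP provider accepts char[] credentials; keeping the password
        // out of a String lets the caller zero it after the bind.
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Bounded connect/read timeouts so a slow directory cannot hang the caller.
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "10000");
        return env;
    }

    // Opens the context; the bind happens inside the InitialDirContext constructor.
    static DirContext bind(String providerUrl, String principalDn, char[] password)
            throws NamingException {
        Hashtable<String, Object> env = authenticatedEnvironment(providerUrl, principalDn, password);
        try {
            return new InitialDirContext(env);
        } finally {
            java.util.Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) {
        // Constructed inputs; no directory is contacted in this demonstration.
        String url = "ldaps://ldap.example.com:636";
        String dn = "cn=app,ou=services,dc=example,dc=com";

        // Each rejected case is a bind the server would have accepted silently.
        String[][] bad = {
            {"ldap://ldap.example.com:389", dn, "secret"},   // cleartext transport
            {url, "", "secret"},                             // anonymous mechanism
            {url, dn, ""},                                   // unauthenticated mechanism
        };
        for (String[] c : bad) {
            try {
                authenticatedEnvironment(c[0], c[1], c[2].toCharArray());
                System.out.println("UNEXPECTED: accepted " + String.join(" / ", c));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }

        Hashtable<String, Object> ok = authenticatedEnvironment(url, dn, "secret".toCharArray());
        System.out.println("accepted: " + ok.get(Context.SECURITY_AUTHENTICATION)
            + " bind as " + ok.get(Context.SECURITY_PRINCIPAL) + " via " + ok.get(Context.PROVIDER_URL));
    }
}
```

Run the class with no arguments to see the three rejections and the one accepted environment; call bind(...) only against a real LDAPS endpoint, since the constructor performs the network bind. The URL check is deliberately strict for this example; if a deployment relies on StartTLS over ldap://, replace it with a check that the StartTLS negotiation succeeded before any credentials are sent.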