Question

Why does this work?

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, Object> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:10389/o=csRepository");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
// Bind DN and password deliberately left out
//env.put(Context.SECURITY_PRINCIPAL, "cn=John Eipe, ou=employees, o=csRepository");
//env.put(Context.SECURITY_CREDENTIALS, "qwer1234");

DirContext ctx = new InitialDirContext(env);
//operations on ctx

My understanding is that when SECURITY_AUTHENTICATION is specified as simple and no username or password is specified, then it should throw javax.naming.AuthenticationException.


Solution

Solved. Sadly, that's how it works. It's stated as below in the Oracle docs.

If you supply an empty string, an empty byte/char array, or null to the Context.SECURITY_CREDENTIALS environment property, then the authentication mechanism will be "none". This is because the LDAP requires the password to be nonempty for simple authentication. The protocol automatically converts the authentication to "none" if a password is not supplied.

This causes a serious security breach. But, I guess it is left to the application to validate.
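The application-side check the answer refers to, as an added example (not code from the question or the answer): a small bind helper that refuses empty credentials before JNDI gets a chance to downgrade the "simple" bind to "none". The class name SafeLdapBind and the bind method are assumptions; the server URL and DN are the ones from the question.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public final class SafeLdapBind {

    /**
     * Performs a simple bind only when both a bind DN and a non-empty
     * password are present. JNDI silently turns "simple" with an
     * empty or null password into an anonymous ("none") bind, so the
     * check has to happen here, before the context is created.
     */
    public static DirContext bind(String providerUrl, String bindDn, char[] password)
            throws NamingException {
        if (bindDn == null || bindDn.trim().isEmpty()) {
            throw new AuthenticationException("bind DN must not be empty");
        }
        if (password == null || password.length == 0) {
            // This is exactly the case that would otherwise become an anonymous bind.
            throw new AuthenticationException("password must not be empty");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password); // char[] is accepted by the LDAP provider
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample: an empty password (e.g. from a blank login form field)
        // is rejected here instead of silently succeeding as an anonymous bind.
        String url = "ldap://localhost:10389/o=csRepository";
        String dn = "cn=John Eipe, ou=employees, o=csRepository";
        try {
            bind(url, dn, new char[0]);
        } catch (AuthenticationException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

A successful bind with a real password still needs a reachable directory server; the empty-password path above fails fast without ever opening a connection.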

License: CC-BY-SA with attribution