This resolves CVE-2014-0097 which allows a malicious user to impersonate a user with an empty password if ALL of the following hold true:
- The application is using ActiveDirectoryLdapAuthenticator
- The directory allows anonymous binds (not recommended)
NOTE: This does NOT impact users of LdapAuthenticationProvider or <ldap-authentication-provider>
There is already a check for an empty password when using normal LDAP authentication, but it is in BindAuthenticator, which is not used by ActiveDirectoryLdapAuthenticator. The latter has its own bind method which does not check the password length. If the directory allows anonymous binds (I'm not sure whether this is an issue with AD), then it may incorrectly authenticate a user who supplies an empty password.
The password length check should be moved to AbstractLdapAuthenticationProvide.authenticate.