Diffstat (limited to 'Core')
5 files changed, 25 insertions, 3 deletions
diff --git a/Core/Authentication/Provider/LdapBindAuthenticationProvider.php b/Core/Authentication/Provider/LdapBindAuthenticationProvider.php
index 950b603..5ebb09a 100644
--- a/Core/Authentication/Provider/LdapBindAuthenticationProvider.php
+++ b/Core/Authentication/Provider/LdapBindAuthenticationProvider.php
@@ -73,6 +73,10 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider
 $username = $token->getUsername();
 $password = $token->getCredentials();
+ if ('' === $password) {
+ throw new BadCredentialsException('The presented password must not be empty.');
+ }
+
 try {
 $username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_DN);
 $dn = str_replace('{username}', $username, $this->dnString);
diff --git a/Core/Authentication/Token/AnonymousToken.php b/Core/Authentication/Token/AnonymousToken.php
index e1dfef4..2c73cb4 100644
--- a/Core/Authentication/Token/AnonymousToken.php
+++ b/Core/Authentication/Token/AnonymousToken.php
@@ -26,7 +26,7 @@ class AnonymousToken extends AbstractToken
 * Constructor.
 *
 * @param string $secret A secret used to make sure the token is created by the app and not by a malicious client
- * @param string $user The user
+ * @param string|object $user The user can be a UserInterface instance, or an object implementing a __toString method or the username as a regular string.
 * @param RoleInterface[] $roles An array of roles
 */
 public function __construct($secret, $user, array $roles = array())
diff --git a/Core/Authentication/Token/PreAuthenticatedToken.php b/Core/Authentication/Token/PreAuthenticatedToken.php
index 1798203..5a3fc95 100644
--- a/Core/Authentication/Token/PreAuthenticatedToken.php
+++ b/Core/Authentication/Token/PreAuthenticatedToken.php
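Review bot: The new guard rejects only the empty string, so a `null` credential — if `getCredentials()` can return one for a request that omits the password field, which this hunk does not show — slips past the strict comparison and reaches the bind with no password, and many directory servers treat a bind with a DN and no password as an unauthenticated bind and accept it, which is exactly the anonymous-bind outcome the check exists to prevent. Comparing the stringified value closes that gap in the same line: `if ('' === (string) $password) {`. A why-comment on the guard would also help the next reader, e.g. `// an empty password turns the bind into an anonymous bind, which would succeed for any DN`. checkAuthentication() starts before and continues after this hunk, so the bind call itself is not visible here.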
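Review bot: The rewritten `@param $user` line in AnonymousToken reads awkwardly, with a comma before the first "or" and none before the second, and it is long for a docblock line. A tighter form is `@param string|object $user A UserInterface instance, an object implementing __toString(), or the username as a plain string`. The same sentence is introduced in PreAuthenticatedToken in this commit and should get the same wording.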
@@ -26,7 +26,7 @@ class PreAuthenticatedToken extends AbstractToken
 /**
 * Constructor.
 *
- * @param string|object $user The user
+ * @param string|object $user The user can be a UserInterface instance, or an object implementing a __toString method or the username as a regular string.
 * @param mixed $credentials The user credentials
 * @param string $providerKey The provider key
 * @param RoleInterface[]|string[] $roles An array of roles
diff --git a/Core/Security.php b/Core/Security.php
index 14d32f8..84cc77d 100644
--- a/Core/Security.php
+++ b/Core/Security.php
@@ -21,4 +21,5 @@ final class Security
 const ACCESS_DENIED_ERROR = '_security.403_error';
 const AUTHENTICATION_ERROR = '_security.last_error';
 const LAST_USERNAME = '_security.last_username';
+ const MAX_USERNAME_LENGTH = 4096;
 }
diff --git a/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php b/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php
index 4d2eead..da3068f 100644
--- a/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php
+++ b/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php
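Review bot: `MAX_USERNAME_LENGTH` is added to Security without a docblock and without any consumer in this Core-limited diff, so a reader cannot tell whether 4096 bounds bytes or characters, or where the limit is enforced. Because `strlen()` is byte-wise and `mb_strlen()` is not, the constant should state the unit it is compared in, e.g. `/** Maximum length, in bytes (strlen()), of a submitted username; longer values should be rejected before any user lookup is attempted. */`. The byte unit is my reading of the intent and should be confirmed against the code that compares against it, presumably in the Http listeners outside this diffstat.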
@@ -26,6 +26,23 @@ class LdapBindAuthenticationProviderTest extends \PHPUnit_Framework_TestCase
 {
 /**
 * @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
+ * @expectedExceptionMessage The presented password must not be empty.
+ */
+ public function testEmptyPasswordShouldThrowAnException()
+ {
+ $userProvider = $this->getMock('Symfony\Component\Security\Core\User\UserProviderInterface');
+ $ldap = $this->getMock('Symfony\Component\Ldap\LdapClientInterface');
+ $userChecker = $this->getMock('Symfony\Component\Security\Core\User\UserCheckerInterface');
+
+ $provider = new LdapBindAuthenticationProvider($userProvider, $userChecker, 'key', $ldap);
+ $reflection = new \ReflectionMethod($provider, 'checkAuthentication');
+ $reflection->setAccessible(true);
+
+ $reflection->invoke($provider, new User('foo', null), new UsernamePasswordToken('foo', '', 'key'));
+ }
+
+ /**
+ * @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
 * @expectedExceptionMessage The presented password is invalid.
 */
 public function testBindFailureShouldThrowAnException()
@@ -43,7 +60,7 @@ class LdapBindAuthenticationProviderTest extends \PHPUnit_Framework_TestCase
 $reflection = new \ReflectionMethod($provider, 'checkAuthentication');
 $reflection->setAccessible(true);
- $reflection->invoke($provider, new User('foo', null), new UsernamePasswordToken('foo', '', 'key'));
+ $reflection->invoke($provider, new User('foo', null), new UsernamePasswordToken('foo', 'bar', 'key'));
 }
 public function testRetrieveUser() |
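Review bot: testEmptyPasswordShouldThrowAnException proves only that an exception is raised, not that the LDAP client is never contacted, which is the property the new guard exists to provide; with a bare `$ldap` mock, a regression that performed the bind first and threw afterwards would still pass. Add `$ldap->expects($this->never())->method('bind');` before the `invoke` call (the bind method's name is not visible in this hunk, so match it to the provider's actual call). A companion case passing `null` as the credential would pin down whether the strict `'' === $password` check is meant to cover a missing password as well. The second hunk in this file only moves the existing fixture to a non-empty password and needs nothing further.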