rwinch / spring-ldap

Apache License 2.0

LDAP-225: Authentication documentation is misleading #107

Closed rwinch closed 8 years ago

rwinch commented 13 years ago

Original Reporter: tb019024
Environment: Documentation
Version: 1.3.0
Migrated From: https://jira.spring.io//browse/LDAP-225

The documentation[1] for using Spring LDAP to authenticate users is slightly misleading. In particular, the first code block (section 10.1) is shown to generally be poor practice by the second code block (section 10.2). I suggest that the two sections be merged, or at least that the first section explicitly specify that it will not work for all directory configurations.

[1] http://static.springsource.org/spring-ldap/docs/1.3.x/reference/html/user-authentication.html

rwinch commented 13 years ago

ulsa said: I agree that it could perhaps be stated better, but I'm not sure how. Do you have any suggestion?

We try to be very specific about the caveat. A couple of lines below the first example, the following advice can be read:

"Some authentication schemes and LDAP servers require some operation to be performed on the created DirContext instance for the actual authentication to occur. You should test and make sure how your server setup and authentication schemes behave; failure to do so might result in that users will be admitted into your system regardless of the DN/credentials supplied."

Are you saying that this is not clear enough, or do you suggest that it should be moved to the previous section?
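The caveat quoted in the comment above, shown as an added example (not code from the Spring LDAP reference or from anyone in this thread): a bind-only check next to one that performs an operation on the created `DirContext`. The class and method names are hypothetical, and the empty-password guard is an extra check that the thread does not discuss.

```java
import javax.naming.directory.DirContext;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.support.LdapUtils;

// Hypothetical helper class, written for this illustration.
public class BindAuthenticator {
    private final ContextSource contextSource;

    public BindAuthenticator(ContextSource contextSource) {
        this.contextSource = contextSource;
    }

    // Bind only. With some servers and authentication schemes nothing has
    // been verified at this point, so this can return true for any DN/password.
    public boolean bindOnly(String userDn, String credentials) {
        DirContext ctx = null;
        try {
            ctx = contextSource.getContext(userDn, credentials);
            return true;
        } catch (Exception e) {
            return false;
        } finally {
            LdapUtils.closeContext(ctx); // null-safe
        }
    }

    // Bind, then perform an operation on the context so the server has to
    // evaluate the credentials before the caller is told "authenticated".
    public boolean bindAndLookup(String userDn, String credentials) {
        // Extra guard (not from the thread): a simple bind with an empty
        // password is an unauthenticated bind (RFC 4513) and may succeed.
        if (credentials == null || credentials.isEmpty()) {
            return false;
        }
        DirContext ctx = null;
        try {
            ctx = contextSource.getContext(userDn, credentials);
            // If the ContextSource has a base DN configured, userDn must be
            // given relative to that base for the lookup to resolve.
            ctx.lookup(userDn);
            return true;
        } catch (Exception e) {
            // Covers Spring's runtime NamingException from getContext and the
            // checked javax.naming.NamingException from lookup.
            return false;
        } finally {
            LdapUtils.closeContext(ctx);
        }
    }
}
```

Run both methods against the target directory with a deliberately wrong password: if `bindOnly` returns true while `bindAndLookup` returns false, the server setup is one that the quoted paragraph warns about.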

rwinch commented 13 years ago

tb019024 said: I think that paragraph is pretty clear, but it would be more visible if it were moved earlier in the document. It's not an excuse, but I think it's easy to read the first code snippet, assume that it represents a good solution for something "simple," and skip the rest of the explanation. Obviously people should read the whole page, but since the resulting bug is very subtle, I think it's helpful to be a bit more up-front about this behavior.

rwinch commented 11 years ago

marthursson said: Added a clarifying note