accumulo-notifications mailing list archives

From "Bill Havanki (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-2700) SecurityOperation.authenticateSystemUser fails to properly validate system user
Date Mon, 21 Apr 2014 17:48:19 GMT


Bill Havanki commented on ACCUMULO-2700:

I believe that, in at least some cases, this bug has gone unnoticed because of an accompanying
error in {{SecurityOperation.isSystemUser()}}:

public boolean isSystemUser(TCredentials credentials) {
  // compares the binary class name of the system token against the name sent by the client
  return SystemCredentials.get().getToken().getClass().getName().equals(credentials.getTokenClassName());
}
The name of the first class in the comparison is {{$SystemToken}}.

The name of the second class, when submitted via an authentication request, is {{}}
when generated from the security randomwalk or from {{SecurityOperationsImpl}} on the client.

Since these don't match, {{SecurityOperation.authenticateSystemUser()}} is not called, and
authentication occurs as for any other user, which apparently works.

> SecurityOperation.authenticateSystemUser fails to properly validate system user
> -------------------------------------------------------------------------------
>                 Key: ACCUMULO-2700
>                 URL:
>             Project: Accumulo
>          Issue Type: Bug
>            Reporter: Christopher Tubbs
>            Assignee: Christopher Tubbs
>            Priority: Blocker
>              Labels: 16_qa_bug
>             Fix For: 1.6.0
> FindBugs found in the 1.6.0-SNAPSHOT branch that {{SecurityOperation.authenticateSystemUser(TCredentials credentials)}} does an improper comparison (equals) between AuthenticationToken and byte array.
> Additionally, upon visual inspection, it looks like the condition is not'd (missing a ! to throw the exception when the credentials don't match).
> The result appears to be that the system user is always authenticated, even if the credentials don't match. I haven't checked 1.5 yet to see if the bug applies there also.
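The two pitfalls discussed in this thread, shown in a small added illustration that is not Accumulo's code: the token classes below are hypothetical stand-ins, the secret bytes are constructed, and the "fixed" comparison is one correct way to compare token bytes, not the project's actual fix. It shows why a binary class name of a nested class (containing `$`) fails to match a differently formed name sent by a client, and why `Object.equals(byte[])` can never be true, so a check built on it is always false.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustration only; none of these classes are Accumulo's.
public class SystemUserCheckDemo {

    /** Hypothetical stand-in for AuthenticationToken: just wraps secret bytes. */
    static class AuthenticationToken {
        final byte[] secret;
        AuthenticationToken(byte[] secret) { this.secret = secret; }
    }

    /** Hypothetical stand-in for SystemCredentials with a nested SystemToken class. */
    static class SystemCredentials {
        static class SystemToken extends AuthenticationToken {
            SystemToken(byte[] secret) { super(secret); }
        }
    }

    /** Mirrors the comparison quoted in the comment: binary class name vs. a name string from a client. */
    static boolean isSystemUserByName(String tokenClassNameFromClient) {
        // getName() on a nested class yields Outer$Inner, so only an identically formed name matches
        return SystemCredentials.SystemToken.class.getName().equals(tokenClassNameFromClient);
    }

    /** The FindBugs finding: comparing an object to a byte[] with equals() is never true. */
    static boolean brokenCompare(AuthenticationToken token, byte[] expected) {
        return token.equals(expected);
    }

    /** One correct way to compare the actual secret bytes, in constant time (not the project's fix). */
    static boolean fixedCompare(AuthenticationToken token, byte[] expected) {
        return MessageDigest.isEqual(token.secret, expected);
    }

    public static void main(String[] args) {
        byte[] secret = "constructed-system-secret".getBytes(StandardCharsets.UTF_8);
        AuthenticationToken token = new SystemCredentials.SystemToken(secret);

        System.out.println("system token class name: " + SystemCredentials.SystemToken.class.getName());
        System.out.println("simple name matches?     " + isSystemUserByName("SystemToken"));
        System.out.println("binary name matches?     " + isSystemUserByName(SystemCredentials.SystemToken.class.getName()));

        System.out.println("brokenCompare, same bytes: " + brokenCompare(token, secret));
        System.out.println("fixedCompare, same bytes:  " + fixedCompare(token, secret));
        System.out.println("fixedCompare, wrong bytes: " + fixedCompare(token, "wrong".getBytes(StandardCharsets.UTF_8)));
    }
}
```

Running `main` shows the name check passing only for the exact binary name, and `brokenCompare` reporting a mismatch even when the bytes are identical; with the missing `!` described in the issue, such an always-false check would let every caller through rather than none, which is why the name mismatch in `isSystemUser()` masked the problem.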
