directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DIRSERVER-868) SimpleAuthenticator contains many potential pbs
Date Sat, 10 Mar 2007 16:40:09 GMT

    [ https://issues.apache.org/jira/browse/DIRSERVER-868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12479857 ]

Emmanuel Lecharny commented on DIRSERVER-868:
---------------------------------------------

The cache has been reactivated, because the potential speedup is enormous. And also because
Alex fixed the issue we had about the non-refreshed cache when a user changes his password.

However, the cache is now an LRU, and is synchronized.

> SimpleAuthenticator contains many potential pbs
> -----------------------------------------------
>
>                 Key: DIRSERVER-868
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-868
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 1.0.1, 1.5.0
>            Reporter: Emmanuel Lecharny
>         Assigned To: Emmanuel Lecharny
>             Fix For: 1.5.0
>
>
> While analysing the Authenticator classes, I found that the SimpleAuthenticator won't deal correctly with many potential cases:
> - The credentials stored in the java.naming.security.credentials may be a byte array, so transforming it to a String may simply fail
> - as we use a WeakHashMap to store some cached passwords, it would be good to check that the password has correctly been got from the cache, not that the password exists in the cache then try to get it. We may have a null password in this case.
> - it may be possible that the user hasn't created a password. In this case, we will get an Authentication error because the password won't be found on the server, and the code is expecting to get something.
> - if the password is encrypted, it must be stored as a base 64 encoded String into the server, prefixed with the encryption mechanism. This is OK, but then we can compare passwords using a String comparison, not an Arrays.equals() on byte arrays, as both elements are Strings.
> I might have missed some steps, or be wrong, so consider this JIRA as a reminder for the real issues.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
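
The first three cases listed in the quoted issue (byte-array credentials, check-then-get on a WeakHashMap, a user with no stored password), sketched as an added example that is not part of the original message and is not ApacheDS code. The class, method names and sample DN are hypothetical, and the stored password is assumed to be plain bytes rather than a prefixed hash.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Added illustration; all names are hypothetical, this is not ApacheDS code.
public class CredentialCacheExample {
    // Stand-in password cache; a WeakHashMap entry can disappear at any GC.
    private final Map<String, byte[]> cache =
            Collections.synchronizedMap(new WeakHashMap<String, byte[]>());

    // Fragile: the entry may be collected between containsKey() and get(),
    // so get() can return null although the check passed.
    byte[] lookupFragile(String dn) {
        return cache.containsKey(dn) ? cache.get(dn) : loadFromServer(dn);
    }

    // Safer: read once and test the value that was actually obtained.
    byte[] lookup(String dn) {
        byte[] stored = cache.get(dn);
        if (stored == null) {
            stored = loadFromServer(dn); // still null when the user has no password
            if (stored != null) cache.put(dn, stored);
        }
        return stored;
    }

    // java.naming.security.credentials may carry a String or a byte[].
    static byte[] toBytes(Object credentials) {
        if (credentials instanceof byte[]) return ((byte[]) credentials).clone();
        if (credentials instanceof String)
            return ((String) credentials).getBytes(StandardCharsets.UTF_8);
        return null; // absent or unsupported type
    }

    boolean authenticate(String dn, Object credentials) {
        byte[] supplied = toBytes(credentials);
        byte[] stored = lookup(dn);
        if (supplied == null || stored == null) return false; // fail closed, no NPE
        return MessageDigest.isEqual(supplied, stored);
    }

    // Constructed sample data standing in for the directory lookup.
    private byte[] loadFromServer(String dn) {
        byte[] sample = "secret".getBytes(StandardCharsets.UTF_8);
        return "uid=admin,ou=system".equals(dn) ? sample : null;
    }

    public static void main(String[] args) {
        CredentialCacheExample auth = new CredentialCacheExample();
        byte[] raw = "secret".getBytes(StandardCharsets.UTF_8);
        System.out.println(auth.authenticate("uid=admin,ou=system", "secret"));
        System.out.println(auth.authenticate("uid=admin,ou=system", raw));
        System.out.println(auth.authenticate("uid=nopass,ou=system", "secret"));
    }
}
```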

