From "Jonah Beckford (JIRA)" <j...@apache.org>
Subject [jira] Created: (DIRSERVER-1007) SimpleAuthenticator rejects cached one-way encrypted passwords
Date Tue, 24 Jul 2007 18:35:31 GMT
SimpleAuthenticator rejects cached one-way encrypted passwords
--------------------------------------------------------------

                 Key: DIRSERVER-1007
                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1007
             Project: Directory ApacheDS
          Issue Type: Bug
    Affects Versions: 1.5.0
            Reporter: Jonah Beckford
            Priority: Minor


Conditions

- userPassword is stored as {SHA} (or some other one-way encryption) in the DIT
- authentication request has password credentials sent in plain text

Behavior

- The first authentication request is successful.
- All subsequent requests fail.

Cause

- The one-way encrypted password is stored in the credentialCache after the first request, and subsequent (plain text) requests don't match what is stored in the credentialCache.

Fix

- Do the same match checking on each request, regardless of whether the password came from the cache or not.
- Change SimpleAuthenticator::authenticate from:

        if ( principal != null )
        {
            // Found ! Are the password equals ?
            credentialsMatch = Arrays.equals( credentials, principal.getUserPassword() );
        }
        else
        {
            // Not found :(...
            // Get the user password from the backend
            byte[] userPassword = lookupUserPassword( principalDn );
            
            ... BLOCK # 1 ...
        }

to:

        // Get the user password (from the backend if not in the cache)
        byte[] userPassword = null;
        if (principal == null)
            userPassword = lookupUserPassword(principalDn);
        else
            userPassword = principal.getUserPassword();

        ... BLOCK # 1 ...
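To make the failure mode and the proposed fix concrete, here is a self-contained model of both code paths. This is an added example, not ApacheDS code: the cache holds a raw byte[] instead of an LdapPrincipal, the matches() method stands in for the elided "BLOCK # 1", and the DN and password are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Model of DIRSERVER-1007: a credential cache that stores the {SHA} value
 * fetched from the DIT, and two authenticate() variants (before/after fix).
 * Added example; simplified relative to SimpleAuthenticator.
 */
public class CachedPasswordCheckDemo {

    // Constructed sample DIT entry: userPassword stored as {SHA}base64(sha1(clear)).
    static final String ALICE_DN = "uid=alice,ou=users,dc=example,dc=com"; // constructed
    static final Map<String, byte[]> BACKEND = new HashMap<>();
    static {
        BACKEND.put(ALICE_DN, shaHash("correct horse")); // constructed password
    }

    // credentialCache: holds whatever was fetched from the backend, i.e. the hash.
    static final Map<String, byte[]> CACHE = new HashMap<>();

    // Produce an RFC 2307-style {SHA} value: "{SHA}" + base64(SHA-1(clear)).
    static byte[] shaHash(String clear) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] digest = md.digest(clear.getBytes(StandardCharsets.UTF_8));
            String encoded = "{SHA}" + Base64.getEncoder().encodeToString(digest);
            return encoded.getBytes(StandardCharsets.UTF_8);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 is required in every JRE", e);
        }
    }

    static byte[] lookupUserPassword(String dn) {
        return BACKEND.get(dn);
    }

    // Stand-in for "BLOCK # 1": hash the supplied clear-text credentials the same
    // way the stored value was hashed, then compare in constant time. A stored
    // value without a {SHA} prefix is treated as clear text.
    static boolean matches(byte[] credentials, byte[] stored) {
        if (stored == null) {
            return false;
        }
        String storedStr = new String(stored, StandardCharsets.UTF_8);
        if (storedStr.startsWith("{SHA}")) {
            byte[] rehashed = shaHash(new String(credentials, StandardCharsets.UTF_8));
            return MessageDigest.isEqual(rehashed, stored);
        }
        return MessageDigest.isEqual(credentials, stored);
    }

    // Before the fix: on a cache hit the clear-text credentials are compared
    // byte-for-byte against the cached {SHA} value, so every hit fails.
    static boolean authenticateBuggy(String dn, byte[] credentials) {
        byte[] cached = CACHE.get(dn);
        if (cached != null) {
            return Arrays.equals(credentials, cached);
        }
        byte[] userPassword = lookupUserPassword(dn);
        boolean ok = matches(credentials, userPassword);
        if (ok) {
            CACHE.put(dn, userPassword);
        }
        return ok;
    }

    // After the fix: take the stored value from cache or backend, then run the
    // same match check either way.
    static boolean authenticateFixed(String dn, byte[] credentials) {
        byte[] userPassword = CACHE.get(dn);
        if (userPassword == null) {
            userPassword = lookupUserPassword(dn);
        }
        boolean ok = matches(credentials, userPassword);
        if (ok) {
            CACHE.put(dn, userPassword);
        }
        return ok;
    }

    public static void main(String[] args) {
        byte[] good = "correct horse".getBytes(StandardCharsets.UTF_8);
        byte[] bad = "wrong".getBytes(StandardCharsets.UTF_8);

        CACHE.clear();
        System.out.println("buggy, 1st bind: " + authenticateBuggy(ALICE_DN, good));
        System.out.println("buggy, 2nd bind: " + authenticateBuggy(ALICE_DN, good));

        CACHE.clear();
        System.out.println("fixed, 1st bind: " + authenticateFixed(ALICE_DN, good));
        System.out.println("fixed, 2nd bind: " + authenticateFixed(ALICE_DN, good));
        System.out.println("fixed, bad pwd:  " + authenticateFixed(ALICE_DN, bad));
    }
}
```

Compile and run with javac/java. The buggy path reproduces the report exactly: the first bind succeeds (backend lookup plus hash comparison), the second fails because the cached {SHA} bytes are compared directly against the clear-text credentials. The fixed path succeeds on both binds and still rejects a wrong password. MessageDigest.isEqual is used instead of Arrays.equals for the final comparison so that the check runs in constant time; the cache itself is not the problem, only the comparison that skipped the hashing step on a hit.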



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

