directory-dev mailing list archives

From "Kiran Ayyagari (JIRA)" <j...@apache.org>
Subject [jira] Closed: (DIRSERVER-1540) Login possible using password hash
Date Mon, 16 Aug 2010 10:13:17 GMT

     [ https://issues.apache.org/jira/browse/DIRSERVER-1540?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kiran Ayyagari closed DIRSERVER-1540.
-------------------------------------

      Assignee: Kiran Ayyagari
    Resolution: Fixed

Fixed here http://svn.apache.org/viewvc?rev=985854&view=rev

> Login possible using password hash
> ----------------------------------
>
>                 Key: DIRSERVER-1540
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1540
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 2.0.0-RC1
>            Reporter: Andreas Oberritter
>            Assignee: Kiran Ayyagari
>             Fix For: 2.0.0-RC1
>
>
> from IRC:
> file: core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java
> method: public LdapPrincipal authenticate( BindOperationContext bindContext )
> you can see a code block starting with:
>          // Short circuit for PLAIN TEXT passwords : we compare the byte array directly
>          // Are the passwords equal ?
>          if ( Arrays.equals( credentials, storedPassword ) )
> I think you should move this block to the algorithm == null case some lines below
> the test case would be:
> 1) store a password with any hashed algorithm.
> 2) base64 decode it.
> 3) use the result to bind to the ldap server

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
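
The ordering problem described in the report, as an added example that is not part of the original message and is not ApacheDS code: a simplified model of the credential check with the byte-for-byte comparison first, next to the ordering the reporter proposes. The class and method names, the `{SHA}` storage format handling and the sample password are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical model of the check; not the SimpleAuthenticator source.
public class HashBindCheck {
    // Digest bytes of a "{SHA}<base64>" value, or null when no scheme prefix is present.
    static byte[] shaDigestOf(byte[] stored) {
        String s = new String(stored, StandardCharsets.ISO_8859_1);
        if (!s.startsWith("{SHA}")) return null;
        return Base64.getDecoder().decode(s.substring(5));
    }

    static byte[] sha1(byte[] in) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(in);
    }

    // Ordering in the report: the direct comparison runs first, for every stored value,
    // so the stored attribute value itself is accepted as a credential.
    static boolean checkBefore(byte[] credentials, byte[] stored) throws Exception {
        if (Arrays.equals(credentials, stored)) return true;
        byte[] digest = shaDigestOf(stored);
        return digest != null && Arrays.equals(sha1(credentials), digest);
    }

    // Ordering the reporter asks for: direct comparison only in the "no algorithm" case.
    static boolean checkAfter(byte[] credentials, byte[] stored) throws Exception {
        byte[] digest = shaDigestOf(stored);
        if (digest == null) return Arrays.equals(credentials, stored);
        return Arrays.equals(sha1(credentials), digest);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data.
        byte[] password = "constructed-secret".getBytes(StandardCharsets.UTF_8);
        byte[] stored = ("{SHA}" + Base64.getEncoder().encodeToString(sha1(password)))
                .getBytes(StandardCharsets.UTF_8);
        byte[] plainStored = "constructed-secret".getBytes(StandardCharsets.UTF_8);

        System.out.println("before, real password:    " + checkBefore(password, stored));
        System.out.println("before, stored value:     " + checkBefore(stored, stored));
        System.out.println("after,  real password:    " + checkAfter(password, stored));
        System.out.println("after,  stored value:     " + checkAfter(stored, stored));
        System.out.println("after,  plain-text entry: " + checkAfter(password, plainStored));
    }
}
```

The "stored value" rows are the regression case to keep in a test suite: a bind that presents the stored attribute bytes must fail whenever the entry carries a hash scheme.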

