directory-dev mailing list archives

From "Andreas Oberritter (JIRA)" <j...@apache.org>
Subject [jira] Created: (DIRSERVER-1540) Login possible using password hash
Date Fri, 13 Aug 2010 19:39:19 GMT
Login possible using password hash
----------------------------------

                 Key: DIRSERVER-1540
                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1540
             Project: Directory ApacheDS
          Issue Type: Bug
          Components: ldap
    Affects Versions: 2.0.0-RC1
            Reporter: Andreas Oberritter
             Fix For: 2.0.0-RC1


From IRC:

file: core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java
method: public LdapPrincipal authenticate( BindOperationContext bindContext )

You can see a code block starting with:

         // Short circuit for PLAIN TEXT passwords : we compare the byte array directly
         // Are the passwords equal ?
         if ( Arrays.equals( credentials, storedPassword ) )

I think you should move this block to the algorithm == null case some lines below.

The test case would be:
1) Store a password with any hashed algorithm.
2) Base64-decode it.
3) Use the result to bind to the LDAP server.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
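
The ordering problem reported above, as an added example that is not ApacheDS code: it puts the comparison order the report describes beside the suggested order, and shows why a client that presents the stored value itself passes the first and fails the second. The class and method names, the "{SHA}" prefix storage format and the sample password are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;

public class PasswordCompareDemo {
    // Returns the hash scheme named in a "{SCHEME}" prefix, or null for a plain-text value.
    static String findAlgorithm(byte[] stored) {
        String s = new String(stored, StandardCharsets.UTF_8);
        int end = s.indexOf('}');
        return (s.startsWith("{") && end > 1) ? s.substring(1, end) : null;
    }

    // Hashes the submitted credentials and compares them with the digest stored after the prefix.
    static boolean hashedMatch(byte[] credentials, byte[] stored, String algorithm) throws Exception {
        if (!"SHA".equalsIgnoreCase(algorithm)) return false; // this demo handles one scheme only
        String b64 = new String(stored, StandardCharsets.UTF_8).substring(algorithm.length() + 2);
        byte[] expected;
        try { expected = Base64.getDecoder().decode(b64); } catch (IllegalArgumentException e) { return false; }
        byte[] actual = MessageDigest.getInstance("SHA-1").digest(credentials);
        return MessageDigest.isEqual(actual, expected); // constant-time comparison
    }

    // Order described in the report: the direct byte comparison runs before the algorithm check.
    static boolean authenticateBefore(byte[] credentials, byte[] stored) throws Exception {
        if (Arrays.equals(credentials, stored)) return true;
        String algorithm = findAlgorithm(stored);
        return algorithm != null && hashedMatch(credentials, stored, algorithm);
    }

    // Suggested order: direct comparison only in the algorithm == null (plain text) case.
    static boolean authenticateAfter(byte[] credentials, byte[] stored) throws Exception {
        String algorithm = findAlgorithm(stored);
        if (algorithm == null) return MessageDigest.isEqual(credentials, stored);
        return hashedMatch(credentials, stored, algorithm);
    }

    public static void main(String[] args) throws Exception {
        byte[] password = "constructed-secret".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(password);
        byte[] stored = ("{SHA}" + Base64.getEncoder().encodeToString(digest)).getBytes(StandardCharsets.UTF_8);

        System.out.println("before, real password: " + authenticateBefore(password, stored));
        System.out.println("before, stored value:  " + authenticateBefore(stored, stored));
        System.out.println("after,  real password: " + authenticateAfter(password, stored));
        System.out.println("after,  stored value:  " + authenticateAfter(stored, stored));
    }
}
```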

