geronimo-dev mailing list archives

From "Ashish Jain (JIRA)" <j...@apache.org>
Subject [jira] Created: (GERONIMO-4983) In debug mode Properties file login module returns loginsucceeded as true for non existent users and null password
Date Fri, 11 Dec 2009 10:09:18 GMT
In debug mode Properties file login module returns loginsucceeded as true for non existent users
and null password
-----------------------------------------------------------------------------------------------------------------

                 Key: GERONIMO-4983
                 URL: https://issues.apache.org/jira/browse/GERONIMO-4983
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
    Affects Versions: 2.1.4, 2.2
         Environment: windows Xp, eclipse
            Reporter: Ashish Jain
             Fix For: 2.2.1


While debugging part of the login fallback code, I see that PropertiesFileLoginModule.java returns
loginsucceeded as true for a non-existent user and a null password.
This happens in the following use case.

In the BasicAuthenticator code I have the following:

    String username = header.substring(10);
    String password = null;
    principal = context.getRealm().authenticate(username, password);

In the login method of PropertiesFileLoginModule, as per the above use case, we will have
realPassword as null and password as null. As a result, "if (!checkPassword(realPassword, password))"
will be skipped, resulting in loginSucceeded=true.



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
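
The null/null case described in the report, as an added example that is not part of the original message and is not Geronimo's source code. The class name, the two checkPassword variants, the sample user store and the shape of the flawed comparison are assumptions made for illustration; the hardened variant rejects an unknown user or a missing password before any comparison.

```java
import java.util.Properties;

// Added illustration: a simplified model, not Geronimo's PropertiesFileLoginModule source.
public class NullPasswordLoginDemo {
    // Constructed user store standing in for the users properties file.
    static final Properties USERS = new Properties();
    static {
        USERS.setProperty("alice", "s3cret");
    }

    // Assumed shape of the flawed comparison: null compared with null counts as a match.
    static boolean checkPasswordFlawed(String realPassword, String password) {
        return realPassword == null ? password == null : realPassword.equals(password);
    }

    // Hardened comparison: an unknown user or a missing password never matches.
    static boolean checkPasswordHardened(String realPassword, String password) {
        return realPassword != null && password != null && realPassword.equals(password);
    }

    // Mirrors the flow in the report: look up realPassword, then run the check.
    static boolean login(String username, String password, boolean hardened) {
        if (username == null || username.isEmpty()) {
            return false;
        }
        String realPassword = USERS.getProperty(username); // null for unknown users
        boolean ok = hardened
                ? checkPasswordHardened(realPassword, password)
                : checkPasswordFlawed(realPassword, password);
        return ok; // corresponds to loginSucceeded in the report
    }

    public static void main(String[] args) {
        String[][] cases = {
            {"alice", "s3cret"},   // valid user, correct password
            {"alice", null},       // valid user, null password
            {"nobody", null},      // the reported case: unknown user, null password
            {"nobody", "guess"},   // unknown user, some password
        };
        for (String[] c : cases) {
            System.out.printf("user=%-6s password=%-6s flawed=%-5b hardened=%b%n",
                    c[0], c[1], login(c[0], c[1], false), login(c[0], c[1], true));
        }
    }
}
```

Only the third case differs between the two variants: the flawed comparison reports a successful login for the unknown user with a null password, and the hardened one rejects it.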

