Message-ID: <819885716.1260526158357.JavaMail.jira@brutus>
Date: Fri, 11 Dec 2009 10:09:18 +0000 (UTC)
From: "Ashish Jain (JIRA)"
To: dev@geronimo.apache.org
Subject: [jira] Assigned: (GERONIMO-4983) In debug mode Properties file login module returns loginsucceeded as true for non existent users and null password
In-Reply-To: <763443418.1260526158345.JavaMail.jira@brutus>

     [ https://issues.apache.org/jira/browse/GERONIMO-4983?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ashish Jain reassigned GERONIMO-4983:
-------------------------------------

    Assignee: Ashish Jain

> In debug mode Properties file login module returns loginsucceeded as true for non existent users and null password
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-4983
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4983
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>   Affects Versions: 2.1.4, 2.2
>         Environment: windows Xp, eclipse
>            Reporter: Ashish Jain
>            Assignee: Ashish Jain
>             Fix For: 2.1.5, 2.2.1
>
>
> While debugging one of the login fallback code I see that PropertiesFileLoginModule.java returns loginsucceeded as true for a non-existent user and null password.
> This happens under the following use case.
> In the BasicAuthenticator Code I have the following
>     String username=header.substring(10);
>     String password=null;
>     principal = context.getRealm().authenticate(username, password);
> In the login method of PropertiesFileLoginModule as per the above use case we will have
> realPassword as null and password as null as a result "if (!checkPassword(realPassword, password))"
> will be skipped and hence resulting in loginSucceeded=true.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
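
Added example (not part of the original message and not Geronimo's code): a simplified Java model of the null-password path described in the report, next to a fail-closed version. The class name, the in-memory user map and the body of the lenient password check are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Added illustration; a simplified model, not Geronimo's PropertiesFileLoginModule.
public class NullPasswordLoginDemo {
    // Constructed user store standing in for the properties file.
    static final Map<String, String> USERS = new HashMap<>();
    static { USERS.put("alice", "s3cret"); }

    // Assumed shape of the flawed comparison: null stored vs. null supplied counts as a match.
    static boolean checkPasswordLenient(String real, String supplied) {
        if (real == null) return supplied == null;
        return real.equals(supplied);
    }

    // Pattern from the report: the password comparison is the only gate.
    static boolean loginVulnerable(String user, String password) {
        String realPassword = USERS.get(user);   // null for an unknown user
        if (!checkPasswordLenient(realPassword, password)) {
            return false;
        }
        return true;                              // corresponds to loginSucceeded = true
    }

    // Hardened: fail closed on missing input or unknown user before comparing.
    static boolean loginHardened(String user, String password) {
        if (user == null || password == null) return false;
        String realPassword = USERS.get(user);
        if (realPassword == null) return false;
        // Constant-time comparison of the two byte strings.
        return MessageDigest.isEqual(
                realPassword.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed test cases: valid login, wrong password, unknown user with null, known user with null.
        String[][] cases = { {"alice", "s3cret"}, {"alice", "wrong"}, {"nobody", null}, {"alice", null} };
        for (String[] c : cases) {
            System.out.printf("user=%s password=%s vulnerable=%b hardened=%b%n",
                    c[0], c[1], loginVulnerable(c[0], c[1]), loginHardened(c[0], c[1]));
        }
    }
}
```

Only the unknown-user, null-password case differs between the two methods, which makes it a useful regression test for any login module that looks up the stored password before validating its inputs.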