geronimo-scm mailing list archives

From ammul...@apache.org
Subject svn commit: r227441 - in /geronimo/trunk/modules/security/src: java/org/apache/geronimo/security/realm/providers/ test/org/apache/geronimo/security/jaas/
Date Thu, 04 Aug 2005 17:38:44 GMT
Author: ammulder
Date: Thu Aug  4 10:38:36 2005
New Revision: 227441

URL: http://svn.apache.org/viewcvs?rev=227441&view=rev
Log:
Guard against null password in security login modules (GERONIMO-852)

Modified:
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/SQLLoginModule.java
    geronimo/trunk/modules/security/src/test/org/apache/geronimo/security/jaas/LoginPropertiesFileTest.java
    geronimo/trunk/modules/security/src/test/org/apache/geronimo/security/jaas/LoginSQLTest.java

Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java?rev=227441&r1=227440&r2=227441&view=diff
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
(original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
Thu Aug  4 10:38:36 2005
@@ -132,9 +132,11 @@
         if(username == null || username.equals("")) {
             return false;
         }
-        password = users.getProperty(username);
-
-        return new String(((PasswordCallback) callbacks[1]).getPassword()).equals(password);
+        String realPassword = users.getProperty(username);
+        char[] entered = ((PasswordCallback) callbacks[1]).getPassword();
+        password = entered == null ? null : new String(entered);
+        return (realPassword == null && password == null) ||
+                (realPassword != null && password != null && realPassword.equals(password));
     }
 
     public boolean commit() throws LoginException {
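Review bot: The new comparison on the two added `return` lines accepts the arm `realPassword == null && password == null`, and `realPassword` is null exactly when `username` has no entry in `users`, so a caller whose handler leaves the password unset authenticates as any unknown user. Whether `commit()` then grants anything depends on code outside this hunk, but a login module should never report success for a principal it cannot find, so the null/null arm should fail closed. Reduce it to `return realPassword != null && password != null && realPassword.equals(password);`. The new `testNullPasswordLogin` uses the existing user `alan`, so it does not exercise this path. The enclosing method begins before the hunk.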

Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/SQLLoginModule.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/SQLLoginModule.java?rev=227441&r1=227440&r2=227441&view=diff
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/SQLLoginModule.java
(original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/SQLLoginModule.java
Thu Aug  4 10:38:36 2005
@@ -103,7 +103,8 @@
         if(cbUsername == null || cbUsername.equals("")) {
             return false;
         }
-        cbPassword = new String(((PasswordCallback) callbacks[1]).getPassword());
+        char[] provided = ((PasswordCallback) callbacks[1]).getPassword();
+        cbPassword = provided == null ? null : new String(provided);
 
         boolean found = false;
         try {
@@ -119,7 +120,8 @@
                             String userName = result.getString(1);
                             String userPassword = result.getString(2);
 
-                            if (cbUsername.equals(userName) && cbPassword.equals(userPassword))
{
+                            if (cbUsername.equals(userName) && ((cbPassword == null
&& userPassword == null) ||
+                                     (cbPassword != null && userPassword != null
&& cbPassword.equals(userPassword)))) {
                                 found = true;
                                 break;
                             }
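Review bot: The rewritten `if` treats a row whose password column is NULL as matching a caller that supplied no password, because the `(cbPassword == null && userPassword == null)` arm is accepted once the username matched. A NULL stored password more plausibly means the account has no usable credential, so it should fail closed rather than authenticate anyone whose callback handler leaves the password unset. Reduce the condition to `if (cbUsername.equals(userName) && cbPassword != null && userPassword != null && cbPassword.equals(userPassword)) {`. The enclosing method starts and ends outside this hunk, and the removed and added `if` lines are each wrapped across two archive lines.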

Modified: geronimo/trunk/modules/security/src/test/org/apache/geronimo/security/jaas/LoginPropertiesFileTest.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/test/org/apache/geronimo/security/jaas/LoginPropertiesFileTest.java?rev=227441&r1=227440&r2=227441&view=diff
==============================================================================
--- geronimo/trunk/modules/security/src/test/org/apache/geronimo/security/jaas/LoginPropertiesFileTest.java
(original)
+++ geronimo/trunk/modules/security/src/test/org/apache/geronimo/security/jaas/LoginPropertiesFileTest.java
Thu Aug  4 10:38:36 2005
@@ -25,6 +25,7 @@
 import javax.management.ObjectName;
 import javax.security.auth.Subject;
 import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
 
 import org.apache.geronimo.gbean.GBeanData;
 import org.apache.geronimo.security.AbstractTest;
@@ -163,5 +164,25 @@
         context.logout();
 
         assertTrue("id of server subject should be null", ContextManager.getSubjectId(subject)
== null);
+    }
+
+    public void testNullUserLogin() throws Exception {
+        LoginContext context = new LoginContext("properties-client", new UsernamePasswordCallback(null,
"starcraft"));
+
+        try {
+            context.login();
+            fail("Should not allow this login with null username");
+        } catch (LoginException e) {
+        }
+    }
+
+    public void testNullPasswordLogin() throws Exception {
+        LoginContext context = new LoginContext("properties-client", new UsernamePasswordCallback("alan",
null));
+
+        try {
+            context.login();
+            fail("Should not allow this login with null password");
+        } catch (LoginException e) {
+        }
     }
 }
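Review bot: The new `testNullPasswordLogin` exercises a null password only for the existing user `alan`, so it never reaches the branch in `PropertiesFileLoginModule` where both the looked-up and the entered password are null — the unknown-user case, which is the one a null guard most needs to reject. Add a sibling test that logs in as a username absent from the properties file with a null password and expects `LoginException`. The empty `catch` blocks would also read better with a `// expected` comment. These methods sit inside a class whose start lies outside the hunk.

```java
    // … unchanged: testNullUserLogin, testNullPasswordLogin …

    public void testNullPasswordUnknownUserLogin() throws Exception {
        LoginContext context = new LoginContext("properties-client", new UsernamePasswordCallback("nosuchuser", null));

        try {
            context.login();
            fail("Should not allow this login with unknown user and null password");
        } catch (LoginException e) {
            // expected
        }
    }
```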

Modified: geronimo/trunk/modules/security/src/test/org/apache/geronimo/security/jaas/LoginSQLTest.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/test/org/apache/geronimo/security/jaas/LoginSQLTest.java?rev=227441&r1=227440&r2=227441&view=diff
==============================================================================
--- geronimo/trunk/modules/security/src/test/org/apache/geronimo/security/jaas/LoginSQLTest.java
(original)
+++ geronimo/trunk/modules/security/src/test/org/apache/geronimo/security/jaas/LoginSQLTest.java
Thu Aug  4 10:38:36 2005
@@ -24,6 +24,7 @@
 import javax.management.ObjectName;
 import javax.security.auth.Subject;
 import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
 
 import org.apache.geronimo.gbean.GBeanData;
 import org.apache.geronimo.security.AbstractTest;
@@ -151,5 +152,25 @@
         assertTrue("id of principal should be non-zero", principal.getId().getSubjectId().longValue()
!= 0);
 
         context.logout();
+    }
+
+    public void testNullUserLogin() throws Exception {
+        LoginContext context = new LoginContext("sql", new UsernamePasswordCallback(null,
"starcraft"));
+
+        try {
+            context.login();
+            fail("Should not allow this login with null username");
+        } catch (LoginException e) {
+        }
+    }
+
+    public void testNullPasswordLogin() throws Exception {
+        LoginContext context = new LoginContext("sql", new UsernamePasswordCallback("alan",
null));
+
+        try {
+            context.login();
+            fail("Should not allow this login with null password");
+        } catch (LoginException e) {
+        }
     }
 }
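Review bot: Neither new test covers a user row whose password column is NULL, which is the case the rewritten comparison in `SQLLoginModule` now accepts when the caller supplies no password. The test fixture is outside this hunk, so I cannot tell whether such a row can be seeded, but if it can, a test logging in as that user with a null password and expecting `LoginException` would pin the intended fail-closed behaviour. The empty `catch (LoginException e) {}` blocks would read better with a `// expected` comment. These methods belong to a class whose start lies outside the hunk.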


