tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Burch <>
Subject Tomcat 7.0.41 JNDIRealm revision 1491394
Date Thu, 27 Jun 2013 17:34:25 GMT
I eventually got round to integration testing of 7.0.41 yesterday and 
was baffled to find I couldn't logon!

To cut a long debugging story short, revision 1491394 has a bug that was 
introduced as part of the standardisation of our Base64 handling. I 
wasn't sure whether I ought to open a new bug...

Here is the diff that works for me:

Index: java/org/apache/catalina/realm/
--- java/org/apache/catalina/realm/	(revision 1491394)
+++ java/org/apache/catalina/realm/	(working copy)
@@ -1573,9 +1573,10 @@
                      password = password.substring(5);
-                    byte[] decoded = Base64.decodeBase64(md.digest());
+                    byte[] digest = md.digest();
+                    byte[] base64 = Base64.encodeBase64(digest);
                      String digestedPassword =
-                            new String(decoded, B2CConverter.ISO_8859_1);
+                            new String(base64, B2CConverter.ISO_8859_1);
                      validated = password.equals(digestedPassword);
              } else if (password.startsWith("{SSHA}")) {

BTW. The code is identical in trunk, so this patch works there too.

Thinks... pity some of this stuff doesn't have some lightweight unit tests.

Sorry to be a informal with this notification, but I thought timeliness 
was more important than style!


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message