tomcat-dev mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Tomcat 7.0.41 JNDIRealm revision 1491394
Date Thu, 27 Jun 2013 17:51:44 GMT
2013/6/27 Brian Burch <brian@pingtoo.com>:
> I eventually got round to integration testing of 7.0.41 yesterday and was
> baffled to find I couldn't logon!
>
> To cut a long debugging story short, revision 1491394 has a bug that was
> introduced as part of the standardisation of our Base64 handling. I wasn't
> sure whether I ought to open a new bug...

Your numbering is wrong, that revision is not ours. It was this one:
http://svn.apache.org/viewvc?diff_format=l&view=revision&revision=1459346

> Here is the diff that works for me:
>
>
> Index: java/org/apache/catalina/realm/JNDIRealm.java
> ===================================================================
> --- java/org/apache/catalina/realm/JNDIRealm.java       (revision 1491394)
> +++ java/org/apache/catalina/realm/JNDIRealm.java       (working copy)
> @@ -1573,9 +1573,10 @@
>                      password = password.substring(5);
>                      md.reset();
>
> md.update(credentials.getBytes(Charset.defaultCharset()));
> -                    byte[] decoded = Base64.decodeBase64(md.digest());
> +                    byte[] digest = md.digest();
> +                    byte[] base64 = Base64.encodeBase64(digest);
>                      String digestedPassword =
> -                            new String(decoded, B2CConverter.ISO_8859_1);
> +                            new String(base64, B2CConverter.ISO_8859_1);
>                      validated = password.equals(digestedPassword);
>                  }
>              } else if (password.startsWith("{SSHA}")) {
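Review bot: the switch from decodeBase64 to encodeBase64 is the right direction here: the text after the `{MD5}`/`{SHA}` prefix is the Base64 form of the digest, so the freshly computed `md.digest()` has to be Base64-encoded before `password.equals(digestedPassword)` can ever be true; the removed `Base64.decodeBase64(md.digest())` fed raw digest bytes to a decoder, which yields garbage (or nothing), so every {MD5}/{SHA} user was locked out. Two follow-ups worth doing with this fix: add a regression test that checks a known `{SHA}`/`{MD5}` value against its plaintext, and look at the unchanged `credentials.getBytes(Charset.defaultCharset())` line in the same hunk, which makes the digest of a non-ASCII password depend on the JVM's default charset; a fixed charset would give the same result on every platform.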
>
>

In short, s/ decodeBase64 / encodeBase64 /.

It is funny that the {MD5}&{SHA} branch and the {SSHA} branch there use
different approaches
(encoding the user-supplied password vs. decoding the stored one).

>
> BTW. The code is identical in trunk, so this patch works there too.
>
>
> Thinks... pity some of this stuff doesn't have some lightweight unit tests.
>
> Sorry to be so informal with this notification, but I thought timeliness was
> more important than style!
>

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
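The two verification styles Konstantin points out (encode the computed digest and compare text for {MD5}/{SHA}, decode the stored value and compare bytes for {SSHA}) side by side, plus the broken direction the patch removes. This is an added example in Python, not Tomcat's JNDIRealm code; the function names, the `{SSHA}` layout (Base64 of sha1(password || salt) followed by the salt), the fixed UTF-8 encoding of the supplied password, and the sample values are all assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac

# Digest algorithms behind the prefixes handled by the "encode" branch.
_PLAIN_DIGEST = {"{MD5}": "md5", "{SHA}": "sha1"}
_SHA1_LEN = 20


def make_ssha(credentials, salt):
    """Build a {SSHA} value as base64(sha1(password || salt) || salt).
    Helper for constructing test data; layout is this example's assumption."""
    digest = hashlib.sha1(credentials.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_by_encoding(stored, credentials):
    """{MD5}/{SHA} style: digest the supplied password, Base64-ENCODE the
    digest, and compare the resulting text with the text after the prefix."""
    for prefix, algo in _PLAIN_DIGEST.items():
        if stored.startswith(prefix):
            digest = hashlib.new(algo, credentials.encode("utf-8")).digest()
            encoded = base64.b64encode(digest)           # bytes of Base64 text
            expected = stored[len(prefix):].encode("utf-8")
            return hmac.compare_digest(encoded, expected)  # constant-time
    return False


def verify_by_decoding(stored, credentials):
    """{SSHA} style: Base64-DECODE the stored value, split it into digest and
    salt, recompute over password || salt, and compare raw digest bytes."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except (binascii.Error, ValueError):
        return False                     # malformed stored value: reject
    if len(raw) <= _SHA1_LEN:
        return False                     # no salt present: reject, don't guess
    digest, salt = raw[:_SHA1_LEN], raw[_SHA1_LEN:]
    computed = hashlib.sha1(credentials.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


def verify(stored, credentials):
    """Dispatch on the prefix the way the two JNDIRealm branches do."""
    if stored.startswith("{SSHA}"):
        return verify_by_decoding(stored, credentials)
    return verify_by_encoding(stored, credentials)


def verify_with_original_bug(stored, credentials):
    """Mirrors the removed line: the raw digest bytes are passed to a Base64
    DECODER. Raw digest bytes are not Base64 text, so the result is either a
    decode error or garbage, and the comparison can never succeed."""
    for prefix, algo in _PLAIN_DIGEST.items():
        if stored.startswith(prefix):
            digest = hashlib.new(algo, credentials.encode("utf-8")).digest()
            try:
                decoded = base64.b64decode(digest)   # lenient, like commons-codec
            except (binascii.Error, ValueError):
                return False
            return decoded.decode("latin-1") == stored[len(prefix):]
    return False


if __name__ == "__main__":
    # Constructed sample values: the well-known LDAP hashes of "password".
    print(verify("{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=", "password"))
    print(verify("{MD5}X03MO1qnZdYdgyfeuILPmQ==", "password"))
    print(verify(make_ssha("password", b"constructed-salt"), "password"))
    print(verify_with_original_bug("{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=", "password"))
```

Both branches end in a constant-time comparison; the {SSHA} branch also rejects a stored value that decodes to 20 bytes or fewer (no salt) instead of salting with an empty string, which is the failure mode a lenient decoder would silently accept.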

