Return-Path: X-Original-To: apmail-tomcat-dev-archive@www.apache.org Delivered-To: apmail-tomcat-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 546F21008E for ; Thu, 27 Jun 2013 18:24:01 +0000 (UTC) Received: (qmail 71078 invoked by uid 500); 27 Jun 2013 18:24:00 -0000 Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org Received: (qmail 70956 invoked by uid 500); 27 Jun 2013 18:23:59 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 70947 invoked by uid 99); 27 Jun 2013 18:23:57 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Jun 2013 18:23:57 +0000 X-ASF-Spam-Status: No, hits=1.0 required=5.0 tests=SPF_HELO_PASS,SPF_SOFTFAIL X-Spam-Check-By: apache.org Received-SPF: softfail (athena.apache.org: transitioning domain of brian@pingtoo.com does not designate 217.154.193.216 as permitted sender) Received: from [217.154.193.216] (HELO mail2.pingtoo.com) (217.154.193.216) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Jun 2013 18:23:53 +0000 Received: from [10.1.252.60] (unknown [10.1.252.60]) by mail.pingtoo.com (Postfix) with ESMTPA id 762D41708EC for ; Thu, 27 Jun 2013 19:23:23 +0100 (BST) Message-ID: <51CC8316.9060500@PingToo.com> Date: Thu, 27 Jun 2013 19:23:18 +0100 From: Brian Burch User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7 MIME-Version: 1.0 To: Tomcat Developers List Subject: Re: Tomcat 7.0.41 JNDIRealm revision 1491394 References: <51CC77A1.1030108@PingToo.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org On 27/06/13 18:51, Konstantin Kolinko wrote: > 2013/6/27 Brian Burch : >> I eventually got round to integration testing of 7.0.41 yesterday and was >> baffled to find I couldn't logon! >> >> To cut a long debugging story short, revision 1491394 has a bug that was >> introduced as part of the standardisation of our Base64 handling. I wasn't >> sure whether I ought to open a new bug... > > Your numbering is wrong, that revision is not ours. It was this one: > http://svn.apache.org/viewvc?diff_format=l&view=revision&revision=1459346 Yes, I see what you mean and agree. I'm puzzled that my svn diff reported the wrong revision, which is a pity because I put it in the new thread subject and we will have to live with it unless you can retrospectively edit the entries? Thanks for finding the correct revision. > >> Here is the diff that works for me: >> >> >> Index: java/org/apache/catalina/realm/JNDIRealm.java >> =================================================================== >> --- java/org/apache/catalina/realm/JNDIRealm.java (revision 1491394) >> +++ java/org/apache/catalina/realm/JNDIRealm.java (working copy) >> @@ -1573,9 +1573,10 @@ >> password = password.substring(5); >> md.reset(); >> >> md.update(credentials.getBytes(Charset.defaultCharset())); >> - byte[] decoded = Base64.decodeBase64(md.digest()); >> + byte[] digest = md.digest(); >> + byte[] base64 = Base64.encodeBase64(digest); >> String digestedPassword = >> - new String(decoded, B2CConverter.ISO_8859_1); >> + new String(base64, B2CConverter.ISO_8859_1); >> validated = password.equals(digestedPassword); >> } >> } else if (password.startsWith("{SSHA}")) { >> >> > > In short, s/ decodeBase64 / encodeBase64 /. Yes. I wanted to break the logic up because I needed to encode/decode my test cases by hand! I didn't trust my own external cribs and suspected I was digging into a difference between the sun and openjdk digest engines. Pencil/paper/hexadecimal calculator... I didn't want to go round the loop of another source change/build/deploy/test/debug/diff. You got the idea, just as I expected. Imagine my surprise when I got 80% through the exercise and spotted the "backwards" choice of Base64 method! > It is fun that {MD5}&{SHA} branch and {SSHA} branch there use > different approaches there > (encoding the user-supplied password vs. decoding the stored one). Actually, I can sort-of understand the person adding SSHA doing his/her own thing and not wanting to change logic that is stable and works (well, it did in 7.0.28!). If we are looking for a vote, I prefer the way MD5/SHA does it. It takes the user-supplied cleartext and digest/encodes it in a forward direction, such that the directory hash is never exposed in situations where the supplied value is incorrect. >> BTW. The code is identical in trunk, so this patch works there too. >> >> >> Thinks... pity some of this stuff doesn't have some lightweight unit tests. >> >> Sorry to be a informal with this notification, but I thought timeliness was >> more important than style! So.... will you deal with it from now on, or would you like me to open bugs on tc7 and tc8? Brian > > Best regards, > Konstantin Kolinko > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org > For additional commands, e-mail: dev-help@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org