[
https://issues.apache.org/jira/browse/GERONIMO-4983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12830973#action_12830973
]
Donald Woods commented on GERONIMO-4983:
----------------------------------------
Patch applied to 2.1.5-SNAPSHOT, 2.2.1-SNAPSHOT and 3.0-SNAPSHOT using
GERONIMO-5132.
> In debug mode Properties file login module reurns loginsucceeded as true for
> non existent users and null password
> -----------------------------------------------------------------------------------------------------------------
>
> Key: GERONIMO-4983
> URL: https://issues.apache.org/jira/browse/GERONIMO-4983
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Affects Versions: 2.1.4, 2.2
> Environment: windows Xp, eclipse
> Reporter: Ashish Jain
> Assignee: Ashish Jain
> Fix For: 2.1.5, 2.2.1
>
> Attachments: GERONIMO-4983.patch
>
>
> While debugging one of the login fallback code I see that
> PropertiesFileLoginModule.java returns loginsucceeded as true for a
> non-existent user and null password.
> This happens under the following use case.
> In the BasicAuthenticator Code I have the following
> String username=header.substring(10);
> String password=null;
> principal = context.getRealm().authenticate(username, password);
> In the login method of PropertiesFileLoginModule as per the above usecase we
> will have
> realPassword as null and password as null as a result "if
> (!checkPassword(realPassword, password))"
> will be skipped and hence resulting in loginSucceeded=true.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
