[ https://issues.apache.org/jira/browse/GERONIMO-4983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12830973#action_12830973 ]
Donald Woods commented on GERONIMO-4983: ---------------------------------------- Patch applied to 2.1.5-SNAPSHOT, 2.2.1-SNAPSHOT and 3.0-SNAPSHOT using GERONIMO-5132. > In debug mode Properties file login module reurns loginsucceeded as true for > non existent users and null password > ----------------------------------------------------------------------------------------------------------------- > > Key: GERONIMO-4983 > URL: https://issues.apache.org/jira/browse/GERONIMO-4983 > Project: Geronimo > Issue Type: Bug > Security Level: public(Regular issues) > Affects Versions: 2.1.4, 2.2 > Environment: windows Xp, eclipse > Reporter: Ashish Jain > Assignee: Ashish Jain > Fix For: 2.1.5, 2.2.1 > > Attachments: GERONIMO-4983.patch > > > While debugging one of the login fallback code I see that > PropertiesFileLoginModule.java returns loginsucceeded as true for a > non-existent user and null password. > This happens under the following use case. > In the BasicAuthenticator Code I have the following > String username=header.substring(10); > String password=null; > principal = context.getRealm().authenticate(username, password); > In the login method of PropertiesFileLoginModule as per the above usecase we > will have > realPassword as null and password as null as a result "if > (!checkPassword(realPassword, password))" > will be skipped and hence resulting in loginSucceeded=true. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.