[ https://issues.apache.org/jira/browse/JCR-2489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nicholas Stuart updated JCR-2489: --------------------------------- Status: Patch Available (was: Open) Index: src/main/java/org/apache/jackrabbit/core/security/authentication/CryptedSimpleCredentials.java =================================================================== --- src/main/java/org/apache/jackrabbit/core/security/authentication/CryptedSimpleCredentials.java (revision 907000) +++ src/main/java/org/apache/jackrabbit/core/security/authentication/CryptedSimpleCredentials.java (working copy) @@ -126,7 +126,7 @@ public boolean matches(SimpleCredentials credentials) throws NoSuchAlgorithmException, UnsupportedEncodingException { - if (getUserID().matches(credentials.getUserID())) { + if (getUserID().equals(credentials.getUserID())) { String toMatch = new String(credentials.getPassword()); String algr = getAlgorithm(toMatch); > CryptedSimpleCredentials uses .matches on userid for equality test > ------------------------------------------------------------------ > > Key: JCR-2489 > URL: https://issues.apache.org/jira/browse/JCR-2489 > Project: Jackrabbit Content Repository > Issue Type: Bug > Components: jackrabbit-core > Affects Versions: 1.5.7 > Reporter: Nicholas Stuart > > CryptedSimpleCredentials use getUserId().matches(cred.getUserId()) to match > the userID values, but this uses a regex so it's kind of dangerous to have > this here, and actually fails if say, the username has a + in it. > Is there a reason why .equals() is not used? -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
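Review bot: the patch carries no test for the changed condition in matches(), so the reported case (a user ID containing "+") is not pinned down against regression. A unit test should build CryptedSimpleCredentials and SimpleCredentials with the same user ID containing regex metacharacters and assert that matches() returns true. A second test should assert that a different user ID returns false. Also confirm that exact, case-sensitive comparison is the intended semantics for user IDs, since equals() gives exactly that. Outside the changed line, the context line `String toMatch = new String(credentials.getPassword());` copies the password char[] into an immutable String that cannot be cleared afterwards, which is worth a separate issue.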
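The behaviour the issue describes, shown as an added example that is not part of the original message or of the Jackrabbit code. The class name, helper names and user IDs are constructed for illustration, and the cases go slightly beyond the reported "+" failure to cover the other ways `String.matches` and `String.equals` disagree.

```java
import java.util.regex.PatternSyntaxException;

public class UserIdComparison {

    /** Pre-patch comparison: the supplied ID is compiled as a regular expression. */
    static String regexCompare(String stored, String supplied) {
        try {
            return String.valueOf(stored.matches(supplied));
        } catch (PatternSyntaxException e) {
            // Unchecked exception, so the throws clause of
            // matches(SimpleCredentials) does not announce it to callers.
            return "PatternSyntaxException";
        }
    }

    /** Patched comparison: plain string equality. */
    static String exactCompare(String stored, String supplied) {
        return String.valueOf(stored.equals(supplied));
    }

    public static void main(String[] args) {
        // Constructed sample IDs: {stored user ID, user ID supplied at login}.
        String[][] cases = {
            {"jsmith", "jsmith"},    // no metacharacters: both comparisons agree
            {"j+smith", "j+smith"},  // '+' is a quantifier: identical IDs do not match
            {"jxsmith", "j.smith"},  // '.' matches any character: different IDs match
            {"j(smith", "j(smith"},  // unbalanced '(': the pattern does not compile
        };
        System.out.printf("%-10s %-10s %-24s %s%n",
                "stored", "supplied", "matches()", "equals()");
        for (String[] c : cases) {
            System.out.printf("%-10s %-10s %-24s %s%n",
                    c[0], c[1], regexCompare(c[0], c[1]), exactCompare(c[0], c[1]));
        }
    }
}
```

Only the first row gives the same answer under both comparisons; the remaining rows are a false negative, a false positive and an unchecked exception, all of which disappear with `equals`.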