[ https://issues.apache.org/jira/browse/QPID-7378?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15449121#comment-15449121 ]
Lorenz Quack edited comment on QPID-7378 at 8/30/16 2:13 PM: ------------------------------------------------------------- I updated title and description to only talk about AuthenticationProvider was (Author: lorenz.quack): I updated title and description to only talk about AuthentiactionProvider > [Java Broker] Handle non-ASCII characters in AuthenticationProviders > -------------------------------------------------------------------- > > Key: QPID-7378 > URL: https://issues.apache.org/jira/browse/QPID-7378 > Project: Qpid > Issue Type: Bug > Components: Java Broker > Affects Versions: qpid-java-6.0, qpid-java-6.1, qpid-java-6.0.5 > Reporter: Lorenz Quack > Fix For: Future > > > Currently, AuthenticationProviders (at least SCRAM and MD5 but probably > others as well) do not handle non-ASCII characters correctly (either they > reject them or they choke on them). > For example, when passing "æ" to the MD5 AuthenticationProvider I get this > stacktrace in the log: > {code} > 2016-08-04 11:16:26,845 ERROR [HttpManagement-x-132] > (o.a.q.s.m.p.f.ExceptionHandlingFilter) - Unexpected exception in servlet > '/service/sasl': > java.lang.ArrayIndexOutOfBoundsException: 230 > at > javax.xml.bind.DatatypeConverterImpl.guessLength(DatatypeConverterImpl.java:659) > ~[na:1.8.0_101] > at > javax.xml.bind.DatatypeConverterImpl._parseBase64Binary(DatatypeConverterImpl.java:692) > ~[na:1.8.0_101] > at > javax.xml.bind.DatatypeConverterImpl.parseBase64Binary(DatatypeConverterImpl.java:434) > ~[na:1.8.0_101] > at > javax.xml.bind.DatatypeConverter.parseBase64Binary(DatatypeConverter.java:342) > ~[na:1.8.0_101] > at > org.apache.qpid.server.security.auth.manager.MD5AuthenticationProvider$MD5Callbackhandler.handle(MD5AuthenticationProvider.java:182) > ~[classes/:na] > at > com.sun.security.sasl.CramMD5Server.evaluateResponse(CramMD5Server.java:167) > ~[na:1.8.0_101] > at > 
org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5HashedSaslServer.evaluateResponse(CRAMMD5HashedSaslServer.java:75) > ~[classes/:na] > at > org.apache.qpid.server.security.auth.manager.ConfigModelPasswordManagingAuthenticationProvider.authenticate(ConfigModelPasswordManagingAuthenticationProvider.java:208) > ~[classes/:na] > at > org.apache.qpid.server.security.SubjectCreator.authenticate(SubjectCreator.java:115) > ~[classes/:na] > at > org.apache.qpid.server.management.plugin.servlet.rest.SaslServlet.evaluateSaslResponse(SaslServlet.java:212) > ~[classes/:na] > at > org.apache.qpid.server.management.plugin.servlet.rest.SaslServlet.doPostWithSubjectAndActor(SaslServlet.java:156) > ~[classes/:na] > at > org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet$2.run(AbstractServlet.java:117) > ~[classes/:na] > at > org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet$2.run(AbstractServlet.java:113) > ~[classes/:na] > at java.security.AccessController.doPrivileged(Native Method) > ~[na:1.8.0_101] > at javax.security.auth.Subject.doAs(Subject.java:422) ~[na:1.8.0_101] > at > org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet.doWithSubjectAndActor(AbstractServlet.java:214) > ~[classes/:na] > at > org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet.doPost(AbstractServlet.java:111) > ~[classes/:na] > at javax.servlet.http.HttpServlet.service(HttpServlet.java:595) > ~[geronimo-servlet_3.0_spec-1.0.jar:1.0] > at javax.servlet.http.HttpServlet.service(HttpServlet.java:668) > ~[geronimo-servlet_3.0_spec-1.0.jar:1.0] > at > org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684) > ~[jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1496) > [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > 
org.apache.qpid.server.management.plugin.filter.ForbiddingAuthorisationFilter.doFilter(ForbiddingAuthorisationFilter.java:94) > ~[classes/:na] > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) > [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.apache.qpid.server.management.plugin.filter.ForbiddingTraceFilter.doFilter(ForbiddingTraceFilter.java:65) > ~[classes/:na] > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) > [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.apache.qpid.server.management.plugin.filter.LoggingFilter.doFilter(LoggingFilter.java:70) > ~[classes/:na] > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) > [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247) > ~[jetty-servlets-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210) > ~[jetty-servlets-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) > [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.apache.qpid.server.management.plugin.filter.ExceptionHandlingFilter.doFilter(ExceptionHandlingFilter.java:56) > ~[classes/:na] > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) > [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501) > [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086) > 
[jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429) > [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at org.eclipse.jetty.server.Server.handle(Server.java:370) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:982) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1043) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865) > [jetty-http-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240) > [jetty-http-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696) > [jetty-io-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53) > 
[jetty-io-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608) > [jetty-util-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543) > [jetty-util-8.1.17.v20150415.jar:8.1.17.v20150415] > at java.lang.Thread.run(Thread.java:745) [na:1.8.0_101] > {code} > I think we should accept Unicode characters in usernames and passwords. > At a minimum, we should reject them more cleanly, i.e. as an ordinary authentication failure rather than as an unhandled ArrayIndexOutOfBoundsException that surfaces as an "Unexpected exception in servlet '/service/sasl'" error in the log. -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org