Author: schultz
Date: Mon Oct 5 04:15:24 2015
New Revision: 1706745
URL: http://svn.apache.org/viewvc?rev=1706745&view=rev
Log:
Perform null-checking on input and stored credentials before passing them off
to CredentialHandlers for matching.
Modified:
tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java
tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java
tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
Modified: tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1706745&r1=1706744&r2=1706745&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java Mon Oct 5
04:15:24 2015
@@ -386,6 +386,13 @@ public class JDBCRealm
// Look up the user's credentials
String dbCredentials = getPassword(username);
+ if (credentials == null || dbCredentials == null) {
+ if (containerLog.isTraceEnabled())
+
containerLog.trace(sm.getString("jdbcRealm.authenticateFailure",
+ username));
+ return null;
+ }
+
// Validate the user's credentials
boolean validated = getCredentialHandler().matches(credentials,
dbCredentials);
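Review bot: The early `return null` for `dbCredentials == null` skips `getCredentialHandler().matches()` entirely, so a login attempt for an unknown user presumably completes faster than one for a known user with a wrong password, and response time can then reveal which usernames exist. Consider handling the two nulls separately: return at once when `credentials == null`, but when only the stored credential is missing, do the hashing work before failing, e.g. `getCredentialHandler().mutate(credentials);` ahead of the `return null;`. The same applies to the `serverCredentials == null` branch in the RealmBase.java hunk. The size of the timing difference depends on the configured CredentialHandler, which is not visible here, and the method body continues outside the hunk.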
Modified: tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java?rev=1706745&r1=1706744&r2=1706745&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java Mon Oct 5
04:15:24 2015
@@ -119,6 +119,11 @@ public class MemoryRealm extends RealmB
if (principal == null) {
validated = false;
} else {
+ if (credentials == null || principal.getPassword() == null) {
+ if (log.isDebugEnabled())
+ log.debug(sm.getString("memoryRealm.authenticateFailure",
username));
+ return (null);
+ }
validated = getCredentialHandler().matches(credentials,
principal.getPassword());
}
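Review bot: The new branch returns from inside the `else`, while the neighbouring `principal == null` case only sets `validated = false` and falls through, so the method now has two differently shaped failure paths. Folding the check into the existing condition keeps a single exit: `if (principal == null || credentials == null || principal.getPassword() == null) {`. The unbraced `if (log.isDebugEnabled())` also differs from the braced form used in the RealmBase.java hunk. The code that consumes `validated` is outside the hunk, so confirm it logs the same failure message before relying on the fall-through.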
Modified: tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java?rev=1706745&r1=1706744&r2=1706745&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java Mon Oct 5
04:15:24 2015
@@ -305,6 +305,14 @@ public abstract class RealmBase extends
String serverCredentials = getPassword(username);
+ if (credentials == null || serverCredentials == null) {
+ if (containerLog.isTraceEnabled()) {
+
containerLog.trace(sm.getString("realmBase.authenticateFailure",
+ username));
+ }
+ return null;
+ }
+
boolean validated = getCredentialHandler().matches(credentials,
serverCredentials);
if (!validated) {
if (containerLog.isTraceEnabled()) {
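Review bot: The added guard has no comment explaining why null is rejected before the handler is called, and the reason is not obvious from the hunk alone. A one-line comment above the `if` would help, for example `// Reject missing input or stored credentials here; CredentialHandler.matches() is never called with null`. The guard reuses the `realmBase.authenticateFailure` message, which the `!validated` branch below presumably logs as well, so a trace line cannot tell a missing credential from a wrong one; say so in the comment if that is intended. The rest of the method lies outside the hunk.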