CommonsHttpMessageSender doesn't reset AuthenticationPreemptive
---------------------------------------------------------------
Key: XFIRE-1034
URL: http://jira.codehaus.org/browse/XFIRE-1034
Project: XFire
Issue Type: Bug
Components: Core
Reporter: Mike Wiesner
Assignee: Dan Diephouse
In the open method of CommonsHttpMessageSender the private method
getCredentials is called if the property Channel.USERNAME is set. In this
method the setAuthenticationPreemptive of the underlying Commons HttpClient
is set, and it also returns the Credentials for Commons HttpClient.
If for some reason, maybe the user logged out, the username isn't set any more,
setAuthenticationPreemptive and the credentials in the Commons HttpClient
aren't reset, and therefore it still performs Basic Authentication, which is a
serious security bug.
Here is the actual code:
if (username != null)
{
    client.getParams().setAuthenticationPreemptive(true);
    String password = (String) context.getContextualProperty(Channel.PASSWORD);
    state.setCredentials(AuthScope.ANY, getCredentials(username, password));
}
To enforce the reset there should also be an else condition like that:
else
{
    client.getParams().setAuthenticationPreemptive(false);
    state.setCredentials(AuthScope.ANY, null);
}
By the way, the method getCredentials shouldn't be private, so that you can
subclass it and set your own Credentials instance rather than only setting
username and password as Strings.
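The following is an added, self-contained illustration of the fix proposed above; it is not XFire's code. It reproduces the relevant logic of the open method against a plain Map standing in for XFire's MessageContext (the USERNAME/PASSWORD keys are assumed stand-ins for Channel.USERNAME and Channel.PASSWORD, not the real key strings), uses the Commons HttpClient 3.x API (HttpClient, HttpState, AuthScope, UsernamePasswordCredentials), and makes getCredentials a protected hook so a subclass can supply its own Credentials implementation. The main method shows the state that matters: after the username is removed from the context, the reused HttpClient no longer holds credentials and preemptive authentication is off.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpState;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;

/**
 * Illustration of the XFIRE-1034 fix (added example, not XFire's own code):
 * credentials and the preemptive-auth flag are installed when a username is
 * present and explicitly cleared when it is absent, so a reused HttpClient
 * never keeps sending a previous user's Basic credentials.
 */
public class PreemptiveAuthReset {

    // Assumed stand-ins for Channel.USERNAME / Channel.PASSWORD; XFire's real
    // key strings are not reproduced here.
    static final String USERNAME = "example.username";
    static final String PASSWORD = "example.password";

    /**
     * Overridable hook (the report asks for getCredentials not to be private)
     * so a subclass can return a different Credentials implementation.
     */
    protected Credentials getCredentials(String username, String password) {
        return new UsernamePasswordCredentials(username, password);
    }

    /**
     * Mirror of the relevant part of open(); the Map stands in for
     * MessageContext.getContextualProperty().
     */
    public void applyAuthentication(HttpClient client, Map<String, Object> context) {
        String username = (String) context.get(USERNAME);
        HttpState state = client.getState();

        if (username != null) {
            client.getParams().setAuthenticationPreemptive(true);
            String password = (String) context.get(PASSWORD);
            state.setCredentials(AuthScope.ANY, getCredentials(username, password));
        } else {
            // The branch missing from the reported code: reset both the flag
            // and the stored credentials. clearCredentials() drops every
            // scope; setCredentials(AuthScope.ANY, null) would clear only
            // the ANY scope, which is the one the code above populates.
            client.getParams().setAuthenticationPreemptive(false);
            state.clearCredentials();
        }
    }

    public static void main(String[] args) {
        HttpClient client = new HttpClient();
        PreemptiveAuthReset sender = new PreemptiveAuthReset();
        Map<String, Object> context = new HashMap<String, Object>();

        // 1. A user is logged in: credentials are installed on the client.
        context.put(USERNAME, "alice");    // constructed sample values
        context.put(PASSWORD, "s3cret");
        sender.applyAuthentication(client, context);
        System.out.println("after login:  preemptive="
                + client.getParams().isAuthenticationPreemptive()
                + " credentialsPresent="
                + (client.getState().getCredentials(AuthScope.ANY) != null));

        // 2. The user logs out and the same HttpClient is reused without a
        //    username: both the flag and the credentials must be gone.
        context.remove(USERNAME);
        context.remove(PASSWORD);
        sender.applyAuthentication(client, context);
        System.out.println("after logout: preemptive="
                + client.getParams().isAuthenticationPreemptive()
                + " credentialsPresent="
                + (client.getState().getCredentials(AuthScope.ANY) != null));
    }
}
```

Run it with commons-httpclient 3.x on the classpath; the second line of output should report preemptive=false and credentialsPresent=false, which is exactly the state the reported code fails to reach.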
--
This message is automatically generated by JIRA.