[ http://jira.codehaus.org/browse/XFIRE-1034?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tomasz Sztelak updated XFIRE-1034:
----------------------------------

         Assignee: Tomasz Sztelak  (was: Dan Diephouse)
    Fix Version/s: 1.2.7

> CommonsHttpMessageSender doesn't reset AuthenticationPreemptive
> ---------------------------------------------------------------
>
>                 Key: XFIRE-1034
>                 URL: http://jira.codehaus.org/browse/XFIRE-1034
>             Project: XFire
>          Issue Type: Bug
>          Components: Core
>            Reporter: Mike Wiesner
>            Assignee: Tomasz Sztelak
>             Fix For: 1.2.7
>
>
> In the open method of CommonsHttpMessageSender the private method 
> getCredentials is called if the property Channel.USERNAME is set. In this 
> method the setAuthenticationPreemptive of the underlying Commons Http Client 
> is set, and it also returns the Credentials for Commons Http Client.
> If for some reason, maybe the user logged out, the username isn't set any more, 
> the setAuthenticationPreemptive and the credentials in the Commons Http 
> Client aren't reset, and therefore it still makes Basic Authentication, 
> which is a serious security bug.
> Here is the actual code:
>         if (username != null)
>         {
>             client.getParams().setAuthenticationPreemptive(true);
>             String password = (String) context.getContextualProperty(Channel.PASSWORD);
>             state.setCredentials(AuthScope.ANY, getCredentials(username, password));
>         }
> To enforce the reset there should also be an else condition like that:
>         else
>         {
>             client.getParams().setAuthenticationPreemptive(false);
>             state.setCredentials(AuthScope.ANY, null);
>         }
> By the way, the method getCredentials shouldn't be private, so that you can 
> subclass it and set your own Credentials instance rather than only setting 
> username and password as Strings.

-- 
This message is automatically generated by JIRA.