RE: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java
Hi Christopher: I think this change is not good, as it makes *all* passwords case-insensitive, regardless of the use of digest or not. I think plain passwords need to be case-sensitive.

Regards,
Ignacio J. Ortega

-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, 7 September 2001 20:52
To: [EMAIL PROTECTED]
Subject: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java

ccain 01/09/07 11:51:36
Modified: catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java
Log: Change comparison of hex digests (in authentication) to be case-insensitive, as base16 values themselves are case-insensitive.

Revision ChangesPath 1.18 +2 -2 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real m/JDBCRealm.java Index: JDBCRealm.java === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat alina/realm/JDBCRealm.java,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- JDBCRealm.java 2001/09/06 03:43:11 1.17 +++ JDBCRealm.java 2001/09/07 18:51:36 1.18 @@ -95,7 +95,7 @@ * @author Craig R. McClanahan * @author Carson McDonald * @author Ignacio Ortega -* @version $Revision: 1.17 $ $Date: 2001/09/06 03:43:11 $ +* @version $Revision: 1.18 $ $Date: 2001/09/07 18:51:36 $ */ public class JDBCRealm 
@@ -384,7 +384,7 @@ } // Validate the user's credentials -if (digest(credentials).equals(dbCredentials)) { +if (digest(credentials).equalsIgnoreCase(dbCredentials)) { if (debug = 2) log(sm.getString(jdbcRealm.authenticateSuccess, username)); 1.4 +2 -2 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real m/JNDIRealm.java Index: JNDIRealm.java === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat alina/realm/JNDIRealm.java,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- JNDIRealm.java 2001/09/06 03:43:11 1.3 +++ JNDIRealm.java 2001/09/07 18:51:36 1.4 @@ -144,7 +144,7 @@ * * @author John Holman * @author Craig R. McClanahan - * @version $Revision: 1.3 $ $Date: 2001/09/06 03:43:11 $ + * @version $Revision: 1.4 $ $Date: 2001/09/07 18:51:36 $ */ public class JNDIRealm extends RealmBase { @@ -750,7 +750,7 @@ // Validate the credentials specified by the user if (debug = 3) log( validating credentials); -if (digest(credentials).equals(valueString)) { +if (digest(credentials).equalsIgnoreCase(valueString)) { if (debug = 2) log(sm.getString(jndiRealm.authenticateSuccess, username)); 1.8 +5 -5 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real m/MemoryRealm.java Index: MemoryRealm.java === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat alina/realm/MemoryRealm.java,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- MemoryRealm.java2001/08/27 19:10:25 1.7 +++ MemoryRealm.java2001/09/07 18:51:36 1.8 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat alina/realm/MemoryRealm.java,v 1.7 2001/08/27 19:10:25 craigmcc Exp $ - * $Revision: 1.7 $ - * $Date: 2001/08/27 19:10:25 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat alina/realm/MemoryRealm.java,v 1.8 2001/09/07 18:51:36 ccain Exp $ + * $Revision: 1.8 $ + * $Date: 2001/09/07 18:51:36 $ * * * 
@@ -95,7 +95,7 @@ * synchronization is performed around accesses to the principals collection. * * @author Craig R. McClanahan - * @version $Revision: 1.7 $ $Date: 2001/08/27 19:10:25 $ + * @version $Revision: 1.8 $ $Date: 2001/09/07 18:51:36 $ */ public final class MemoryRealm @@ -205,7 +205,7 @@ GenericPrincipal principal = (GenericPrincipal) principals.get(username); if ((principal != null) - (digest(credentials).equals(principal.getPassword( { + (digest(credentials).equalsIgnoreCase(principal.getPassword( { if (debug = 2)
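Review bot: in the three credential-comparison hunks (JDBCRealm @@ -384, JNDIRealm @@ -750, MemoryRealm @@ -205) replacing equals() with equalsIgnoreCase() is only justified when the stored value is a hex digest, but digest(credentials) returns the credentials unchanged when no digest algorithm is configured, so for realms holding plain-text passwords every password becomes case-insensitive. Gate the relaxed comparison on whether a digest is actually in use, e.g. `hasMessageDigest() ? digest(credentials).equalsIgnoreCase(dbCredentials) : digest(credentials).equals(dbCredentials)`, or normalise the stored hex to one case at load time and keep equals(). The remaining hunks (@@ -95, @@ -144, @@ -1) only update $Revision$/$Date$ keywords and need no review.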
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/ catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java
You're right ... d'oh! I assumed that a method called digest returned a digest. I guess I should not assume so often =) My bad ... but in some slight manner of defense, that method call is poorly named :) I'll repair this immediately.
- Christopher

Ignacio J. Ortega wrote:
Hi Christopher: I think this change is not good, as it makes *all* passwords case-insensitive, regardless of the use of digest or not. I think plain passwords need to be case-sensitive.
Regards,
Ignacio J. Ortega
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java
Ignacio J. Ortega [EMAIL PROTECTED] wrote:
Hi Christopher: I think this change is not good, as it makes *all* passwords case-insensitive, regardless of the use of digest or not. I think plain passwords need to be case-sensitive.

Good catch :)
Pier
RE: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/ catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java
You're right ... d'oh! I assumed that a method called digest returned a digest. I guess I should not assume so often =) My bad ... but in some slight manner of defense, that method call is poorly named :)

We can change it to a more appropriate digestedOrNot :
Regards,
Ignacio J. Ortega
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/ catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java
Close ... I added a hasMessageDigest() method =) Also, I just realized that I was in such a hurry to get fixed code back into the tree, I forgot to give you credit on the commit log. As Pier said, that was an excellent catch ... you pulled my kahones out of the fire on that one :) I promise not to choke like that again for at least another ... oh ... week or so ;-)
- Christopher

/**
 * Pleurez, pleurez, mes yeux, et fondez vous en eau!
 * La moitié de ma vie a mis l'autre au tombeau.
 *---Corneille
 */

Ignacio J. Ortega wrote:
You're right ... d'oh! I assumed that a method called digest returned a digest. I guess I should not assume so often =) My bad ... but in some slight manner of defense, that method call is poorly named :)
We can change it to a more appropriate digestedOrNot :
Regards,
Ignacio J. Ortega
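An added example, not Tomcat's code: a small Python model of the three comparison strategies discussed in this thread (the original equals(), the committed equalsIgnoreCase() for every realm, and the hasMessageDigest()-gated version). The Realm class, its method names and the two user stores are assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed sample stores (not from the thread): one realm keeps plain-text
# passwords, the other keeps MD5 hex digests that happen to be stored upper-case.
PLAIN_USERS = {"alice": "Secret"}
DIGEST_USERS = {"alice": hashlib.md5(b"Secret").hexdigest().upper()}


class Realm:
    # Hypothetical stand-in for Tomcat's RealmBase; names are assumptions.
    def __init__(self, users, digest_algorithm=None):
        self.users = users
        self.digest_algorithm = digest_algorithm

    def has_message_digest(self):
        # The check added after the thread: is a digest algorithm configured?
        return self.digest_algorithm is not None

    def digest(self, credentials):
        # Like the poorly named Tomcat method: with no algorithm configured it
        # returns the raw credentials, not a digest.
        if not self.has_message_digest():
            return credentials
        return hashlib.new(self.digest_algorithm, credentials.encode()).hexdigest()

    def _check(self, username, credentials, ignore_case):
        stored = self.users.get(username)
        if stored is None:
            return False
        candidate = self.digest(credentials)
        if ignore_case:
            candidate, stored = candidate.lower(), stored.lower()
        # Timing-safe comparison; an addition beyond what the patch does.
        return hmac.compare_digest(candidate.encode(), stored.encode())

    def authenticate_original(self, username, credentials):
        # Before the commit: plain equals(); rejects upper-case stored digests.
        return self._check(username, credentials, ignore_case=False)

    def authenticate_committed(self, username, credentials):
        # The commit under review: equalsIgnoreCase() for every realm, so a
        # plain-text password now matches regardless of case.
        return self._check(username, credentials, ignore_case=True)

    def authenticate_fixed(self, username, credentials):
        # Relax case only when the stored value is a hex digest.
        return self._check(username, credentials,
                           ignore_case=self.has_message_digest())
```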