RE: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java

2001-09-07 Thread Ignacio J. Ortega

Hello Christopher:

I think this change is not good, as it makes *all* passwords case
insensitive, regardless of the use of digest or not.., I think plain
passwords need to be case sensitive ..


Regards,
Ignacio J. Ortega


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Friday, September 7, 2001 20:52
 To: [EMAIL PROTECTED]
 Subject: cvs commit:
 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm
 JDBCRealm.java JNDIRealm.java MemoryRealm.java
 
 
 ccain   01/09/07 11:51:36
 
   Modified:catalina/src/share/org/apache/catalina/realm 
 JDBCRealm.java
 JNDIRealm.java MemoryRealm.java
   Log:
   Change comparison of hex digests (in authentication) to be
   case-insensitive, as base16 values themselves are case-insensitive.
   
   Revision  ChangesPath
   1.18  +2 -2  
 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real
 m/JDBCRealm.java
   
   Index: JDBCRealm.java
   ===
   RCS file: 
 /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat
 alina/realm/JDBCRealm.java,v
   retrieving revision 1.17
   retrieving revision 1.18
   diff -u -r1.17 -r1.18
   --- JDBCRealm.java  2001/09/06 03:43:11 1.17
   +++ JDBCRealm.java  2001/09/07 18:51:36 1.18
   @@ -95,7 +95,7 @@
* @author Craig R. McClanahan
* @author Carson McDonald
* @author Ignacio Ortega
   -* @version $Revision: 1.17 $ $Date: 2001/09/06 03:43:11 $
   +* @version $Revision: 1.18 $ $Date: 2001/09/07 18:51:36 $
*/

public class JDBCRealm
   @@ -384,7 +384,7 @@
}

// Validate the user's credentials
   -if (digest(credentials).equals(dbCredentials)) {
   +if (digest(credentials).equalsIgnoreCase(dbCredentials)) {
if (debug = 2)
log(sm.getString(jdbcRealm.authenticateSuccess,
 username));
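
Review bot: the equalsIgnoreCase on the "digest(credentials)" line of this hunk is applied whether or not a digest is in use. As the objection at the top of this message says, that makes plain-text passwords match in any letter case. Keep equals() for the undigested case and ignore case only when the stored value is a hex digest.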
   
   
   
   1.4   +2 -2  
 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real
 m/JNDIRealm.java
   
   Index: JNDIRealm.java
   ===
   RCS file: 
 /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat
 alina/realm/JNDIRealm.java,v
   retrieving revision 1.3
   retrieving revision 1.4
   diff -u -r1.3 -r1.4
   --- JNDIRealm.java  2001/09/06 03:43:11 1.3
   +++ JNDIRealm.java  2001/09/07 18:51:36 1.4
   @@ -144,7 +144,7 @@
 *
 * @author John Holman
 * @author Craig R. McClanahan
   - * @version $Revision: 1.3 $ $Date: 2001/09/06 03:43:11 $
   + * @version $Revision: 1.4 $ $Date: 2001/09/07 18:51:36 $
 */

public class JNDIRealm extends RealmBase {
   @@ -750,7 +750,7 @@
// Validate the credentials specified by the user
if (debug = 3)
log(  validating credentials);
   -if (digest(credentials).equals(valueString)) {
   +if (digest(credentials).equalsIgnoreCase(valueString)) {
if (debug = 2)
log(sm.getString(jndiRealm.authenticateSuccess,
 username));
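
Review bot: the comparison on the "valueString" line is a second copy of the same one-line change already made in JDBCRealm, so any correction has to be repeated in every realm. Put the comparison in one shared helper (the context above shows "JNDIRealm extends RealmBase") and call it from each authenticate path, so the rule for when case may be ignored lives in one place.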
   
   
   
   1.8   +5 -5  
 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real
 m/MemoryRealm.java
   
   Index: MemoryRealm.java
   ===
   RCS file: 
 /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat
 alina/realm/MemoryRealm.java,v
   retrieving revision 1.7
   retrieving revision 1.8
   diff -u -r1.7 -r1.8
   --- MemoryRealm.java2001/08/27 19:10:25 1.7
   +++ MemoryRealm.java2001/09/07 18:51:36 1.8
   @@ -1,7 +1,7 @@
/*
   - * $Header: 
 /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat
 alina/realm/MemoryRealm.java,v 1.7 2001/08/27 19:10:25 craigmcc Exp $
   - * $Revision: 1.7 $
   - * $Date: 2001/08/27 19:10:25 $
   + * $Header: 
 /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat
 alina/realm/MemoryRealm.java,v 1.8 2001/09/07 18:51:36 ccain Exp $
   + * $Revision: 1.8 $
   + * $Date: 2001/09/07 18:51:36 $
 *
 * 
 
 *
   @@ -95,7 +95,7 @@
 * synchronization is performed around accesses to the 
 principals collection.
 *
 * @author Craig R. McClanahan
   - * @version $Revision: 1.7 $ $Date: 2001/08/27 19:10:25 $
   + * @version $Revision: 1.8 $ $Date: 2001/09/07 18:51:36 $
 */

public final class MemoryRealm
   @@ -205,7 +205,7 @@
GenericPrincipal principal =
(GenericPrincipal) principals.get(username);
if ((principal != null) 
   -
 (digest(credentials).equals(principal.getPassword( {
   +
 (digest(credentials).equalsIgnoreCase(principal.getPassword( {
if (debug = 2)
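
Review bot: nothing at the "principal.getPassword(" comparison records why ignoring case is safe, and the log message only speaks of hex digests. Add a comment stating the assumption that both sides are base16 strings, and a test in which a stored plain password differs from the presented one only in letter case and must be rejected.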

 

Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/ catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java

2001-09-07 Thread Christopher Cain

You're right ... d'oh! I assumed that a method called digest returned 
a digest. I guess I should not assume so often =)

My bad ... but in some slight manner of defense, that method call is 
poorly named :)

I'll repair this immediately.

- Christopher

Ignacio J. Ortega wrote:
 Hello Christopher:
 
 I think this change is not good, as it makes *all* passwords case
 insensitive, regardless of the use of digest or not.., I think plain
 passwords need to be case sensitive ..
 
 
 Regards,
 Ignacio J. Ortega
 
 
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 7, 2001 20:52
To: [EMAIL PROTECTED]
Subject: cvs commit:
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm
JDBCRealm.java JNDIRealm.java MemoryRealm.java


ccain   01/09/07 11:51:36

  Modified:catalina/src/share/org/apache/catalina/realm 
JDBCRealm.java
JNDIRealm.java MemoryRealm.java
  Log:
  Change comparison of hex digests (in authentication) to be
  case-insensitive, as base16 values themselves are case-insensitive.
  
  Revision  ChangesPath
  1.18  +2 -2  
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real
m/JDBCRealm.java
  
  Index: JDBCRealm.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat
alina/realm/JDBCRealm.java,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- JDBCRealm.java  2001/09/06 03:43:11 1.17
  +++ JDBCRealm.java  2001/09/07 18:51:36 1.18
  @@ -95,7 +95,7 @@
   * @author Craig R. McClanahan
   * @author Carson McDonald
   * @author Ignacio Ortega
  -* @version $Revision: 1.17 $ $Date: 2001/09/06 03:43:11 $
  +* @version $Revision: 1.18 $ $Date: 2001/09/07 18:51:36 $
   */
   
   public class JDBCRealm
  @@ -384,7 +384,7 @@
   }
   
   // Validate the user's credentials
  -if (digest(credentials).equals(dbCredentials)) {
  +if (digest(credentials).equalsIgnoreCase(dbCredentials)) {
   if (debug = 2)
   log(sm.getString(jdbcRealm.authenticateSuccess,
username));
  
  
  
  1.4   +2 -2  
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real
m/JNDIRealm.java
  
  Index: JNDIRealm.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat
alina/realm/JNDIRealm.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- JNDIRealm.java  2001/09/06 03:43:11 1.3
  +++ JNDIRealm.java  2001/09/07 18:51:36 1.4
  @@ -144,7 +144,7 @@
*
* @author John Holman
* @author Craig R. McClanahan
  - * @version $Revision: 1.3 $ $Date: 2001/09/06 03:43:11 $
  + * @version $Revision: 1.4 $ $Date: 2001/09/07 18:51:36 $
*/
   
   public class JNDIRealm extends RealmBase {
  @@ -750,7 +750,7 @@
   // Validate the credentials specified by the user
   if (debug = 3)
   log(  validating credentials);
  -if (digest(credentials).equals(valueString)) {
  +if (digest(credentials).equalsIgnoreCase(valueString)) {
   if (debug = 2)
   log(sm.getString(jndiRealm.authenticateSuccess,
username));
  
  
  
  1.8   +5 -5  
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real
m/MemoryRealm.java
  
  Index: MemoryRealm.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat
alina/realm/MemoryRealm.java,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- MemoryRealm.java2001/08/27 19:10:25 1.7
  +++ MemoryRealm.java2001/09/07 18:51:36 1.8
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat
alina/realm/MemoryRealm.java,v 1.7 2001/08/27 19:10:25 craigmcc Exp $
  - * $Revision: 1.7 $
  - * $Date: 2001/08/27 19:10:25 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat
alina/realm/MemoryRealm.java,v 1.8 2001/09/07 18:51:36 ccain Exp $
  + * $Revision: 1.8 $
  + * $Date: 2001/09/07 18:51:36 $
*
* 

*
  @@ -95,7 +95,7 @@
* synchronization is performed around accesses to the 
principals collection.
*
* @author Craig R. McClanahan
  - * @version $Revision: 1.7 $ $Date: 2001/08/27 19:10:25 $
  + * @version $Revision: 1.8 $ $Date: 2001/09/07 18:51:36 $
*/
   
   public final class MemoryRealm
  @@ -205,7 +205,7 @@
   GenericPrincipal principal =
   (GenericPrincipal) principals.get(username);
   if ((principal != null) 
  -
(digest(credentials).equals(principal.getPassword( 

Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java

2001-09-07 Thread Pier Fumagalli

Ignacio J. Ortega [EMAIL PROTECTED] wrote:

 Hello Christopher:
 
 I think this change is not good, as it makes *all* passwords case
 insensitive, regardless of the use of digest or not.., I think plain
 passwords need to be case sensitive ..

Good catch :)

Pier




RE: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/ catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java

2001-09-07 Thread Ignacio J. Ortega

 
 You're right ... d'oh! I assumed that a method called 
 digest returned 
 a digest. I guess I should not assume so often =)
 
 My bad ... but in some slight manner of defense, that method call is 
 poorly named :)
 

We can change it to a more appropriate digestedOrNot  

:

Regards,
Ignacio J. Ortega



Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/ catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java

2001-09-07 Thread Christopher Cain

Close ... I added a hasMessageDigest() method =)

Also, I just realized that I was in such a hurry to get fixed code back 
into the tree, I forgot to give you credit on the commit log. As Pier 
said, that was an excellent catch ... you pulled my kahones out of the 
fire on that one :)

I promise not to choke like that again for at least another ... oh ... 
week or so ;-)

- Christopher

/**
  * Pleurez, pleurez, mes yeux, et fondez vous en eau!
  * La moitié de ma vie a mis l'autre au tombeau.
  *---Corneille
  */

Ignacio J. Ortega wrote:
You're right ... d'oh! I assumed that a method called 
digest returned 
a digest. I guess I should not assume so often =)

My bad ... but in some slight manner of defense, that method call is 
poorly named :)


 
 We can change it to a more appropriate digestedOrNot  
 
 :
 
 Regards,
 Ignacio J. Ortega
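
The point settled in this thread, as an added example that is not part of the original messages and is not Tomcat's code: case is ignored only when the stored value is a hex digest, and plain passwords are compared exactly. The class name, the null-means-plain-text convention, the SHA-256 choice and the body of hasMessageDigest() (only its name comes from the thread) are assumptions, and the sample passwords are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public class CredentialCompare {
    // Assumption: null means the realm stores plain-text passwords.
    private final String algorithm;
    CredentialCompare(String algorithm) { this.algorithm = algorithm; }

    // Name taken from the thread; this body is an assumption.
    boolean hasMessageDigest() { return algorithm != null; }

    // Returns the input unchanged when no digest is configured.
    String digest(String credentials) throws NoSuchAlgorithmException {
        if (!hasMessageDigest()) return credentials;
        byte[] hash = MessageDigest.getInstance(algorithm)
                .digest(credentials.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : hash) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Behaviour of the reviewed commit: case is ignored for every realm.
    boolean matchesIgnoringCase(String presented, String stored) throws NoSuchAlgorithmException {
        return digest(presented).equalsIgnoreCase(stored);
    }

    // Case is folded only for hex digests; plain passwords stay exact.
    // MessageDigest.isEqual compares the bytes without an early exit.
    boolean matches(String presented, String stored) throws NoSuchAlgorithmException {
        if (presented == null || stored == null) return false;
        String computed = digest(presented);
        if (hasMessageDigest()) {
            computed = computed.toLowerCase(Locale.ROOT);
            stored = stored.toLowerCase(Locale.ROOT);
        }
        return MessageDigest.isEqual(computed.getBytes(StandardCharsets.UTF_8),
                stored.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        CredentialCompare plain = new CredentialCompare(null);
        CredentialCompare hashed = new CredentialCompare("SHA-256");
        String upperHex = hashed.digest("Secret1").toUpperCase(Locale.ROOT);
        System.out.println(plain.matchesIgnoringCase("SECRET1", "Secret1"));
        System.out.println(plain.matches("SECRET1", "Secret1"));
        System.out.println(hashed.matches("Secret1", upperHex));
    }
}
```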