Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/ catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java
Close ... I added a hasMessageDigest() method =)

Also, I just realized that I was in such a hurry to get fixed code back into the tree, I forgot to give you credit on the commit log. As Pier said, that was an excellent catch ... you pulled my kahones out of the fire on that one :)

I promise not to choke like that again for at least another ... oh ... week or so ;-)

- Christopher

/**
 * Weep, weep, my eyes, and melt into water!
 * Half of my life has laid the other in the tomb.
 *---Corneille
 */

Ignacio J. Ortega wrote:
>>You're right ... d'oh! I assumed that a method called
>>"digest" returned
>>a digest. I guess I should not assume so often =)
>>
>>My bad ... but in some slight manner of defense, that method call is
>>poorly named :)
>>
>>
>
> We can change it to a more appropriate "digestedOrNot"
>
> :
>
> Regards,
> Ignacio J. Ortega
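The comparison policy the thread settles on (case-insensitive only for hex digests, exact for plaintext), written out as an added stand-alone example that is not Tomcat's RealmBase code: the revision 1.18 check is shown beside the revision 1.19 one. The `digest` helper, the `algorithm` parameter standing in for hasMessageDigest(), the `validate118`/`validate119` names, the choice of SHA-1 and the stored sample values are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example, not Tomcat's RealmBase: contrasts the 1.18 comparison
// (always equalsIgnoreCase) with the 1.19 policy (case-insensitive only
// when a message digest is configured). Sample credentials are constructed.
public class RealmCompareDemo {
    // Stands in for the realm's digest(): hands back the plaintext unchanged
    // when no algorithm is configured, otherwise a lowercase hex digest.
    static String digest(String credentials, String algorithm) throws Exception {
        if (algorithm == null) {
            return credentials;
        }
        byte[] raw = MessageDigest.getInstance(algorithm)
                .digest(credentials.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Revision 1.18: every comparison is case-insensitive, so a plaintext
    // realm also accepts "secret" for a stored "Secret".
    static boolean validate118(String supplied, String stored, String algorithm) throws Exception {
        return digest(supplied, algorithm).equalsIgnoreCase(stored);
    }

    // Revision 1.19: hex digests ignore case (base16 is case-insensitive),
    // plaintext passwords are compared exactly.
    static boolean validate119(String supplied, String stored, String algorithm) throws Exception {
        boolean hasMessageDigest = (algorithm != null);
        if (hasMessageDigest) {
            return digest(supplied, algorithm).equalsIgnoreCase(stored);
        }
        return digest(supplied, algorithm).equals(stored);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stored values: a plaintext password, and the SHA-1 hex
        // digest of the same password in uppercase, as an external tool might store it.
        String storedPlain = "Secret";
        String storedHexUpper = digest("Secret", "SHA-1").toUpperCase();
        System.out.println("1.18, plaintext realm, wrong case accepted: " + validate118("secret", storedPlain, null));
        System.out.println("1.19, plaintext realm, wrong case rejected: " + !validate119("secret", storedPlain, null));
        System.out.println("1.19, plaintext realm, exact case accepted: " + validate119("Secret", storedPlain, null));
        System.out.println("1.19, digest realm, uppercase hex accepted:  " + validate119("Secret", storedHexUpper, "SHA-1"));
    }
}
```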
cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java RealmBase.java
ccain 01/09/07 13:45:13

Modified: catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java RealmBase.java

Log:
Backs out the previous case-insensitive mod, which would have checked non-hashed realm passwords case-insensitive as well. This correctly returns non-hashed realm passwords to case-sensitive comparison, while leaving hex comparisons insensitive.

Now I'm going to go write 'I will always follow code paths through to their conclusion before committing' 100 times on the blackboard, then it's straight to bed with no dessert. =)

Revision Changes Path
1.19 +9 -2 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java

Index: JDBCRealm.java === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java,v retrieving revision 1.18 retrieving revision 1.19 diff -u -r1.18 -r1.19 --- JDBCRealm.java2001/09/07 18:51:36 1.18 +++ JDBCRealm.java2001/09/07 20:45:12 1.19 @@ -95,7 +95,7 @@ * @author Craig R. McClanahan * @author Carson McDonald * @author Ignacio Ortega -* @version $Revision: 1.18 $ $Date: 2001/09/07 18:51:36 $ +* @version $Revision: 1.19 $ $Date: 2001/09/07 20:45:12 $ */ public class JDBCRealm 
@@ -384,7 +384,14 @@ } // Validate the user's credentials -if (digest(credentials).equalsIgnoreCase(dbCredentials)) { +boolean validated = false; +if (hasMessageDigest()) { +// Hex hashes should be compared case-insensitive +validated = (digest(credentials).equalsIgnoreCase(dbCredentials)); +} else +validated = (digest(credentials).equals(dbCredentials)); + +if (validated) { if (debug >= 2) log(sm.getString("jdbcRealm.authenticateSuccess", username)); 1.5 +10 -2 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java Index: JNDIRealm.java === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- JNDIRealm.java2001/09/07 18:51:36 1.4 +++ JNDIRealm.java2001/09/07 20:45:12 1.5 @@ -144,7 +144,7 @@ * * @author John Holman * @author Craig R. McClanahan - * @version $Revision: 1.4 $ $Date: 2001/09/07 18:51:36 $ + * @version $Revision: 1.5 $ $Date: 2001/09/07 20:45:12 $ */ public class JNDIRealm extends RealmBase { @@ -750,7 +750,15 @@ // Validate the credentials specified by the user if (debug >= 3) log(" validating credentials"); -if (digest(credentials).equalsIgnoreCase(valueString)) { + +boolean validated = false; +if (hasMessageDigest()) { +// Hex hashes should be compared case-insensitive +validated = (digest(credentials).equalsIgnoreCase(valueString)); +} else +validated = (digest(credentials).equals(valueString)); + +if (validated) { if (debug >= 2) log(sm.getString("jndiRealm.authenticateSuccess", username)); 1.9 +13 -6 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java Index: MemoryRealm.java === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- MemoryRealm.java 2001/09/07 18:51:36 1.8 +++ MemoryRealm.java 2001/09/07 20:45:12 1.9 
@@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v 1.8 2001/09/07 18:51:36 ccain Exp $ - * $Revision: 1.8 $ - * $Date: 2001/09/07 18:51:36 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v 1.9 2001/09/07 20:45:12 ccain Exp $ + * $Revision: 1.9 $ + * $Date: 2001/09/07 20:45:12 $ * * * @@ -95,7 +95,7 @@ * synchronization is performed around accesses to the principals collection. * * @author Craig R. McClanahan - * @version $Revision: 1.8 $ $Date: 2001/09/07 18:51:36 $ + * @version $Revision: 1.9 $ $Date: 2001/09/07 20:45:12 $ */ public final class MemoryRealm @@ -204,8 +204,15 @@ GenericPrincipal principal = (GenericPrincipal) principals.get(username); -
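Review bot: in both the JDBCRealm (@@ -384) and JNDIRealm (@@ -750) hunks the `} else` arm is written without braces while the `if (hasMessageDigest())` arm has them; make it `} else {` ... `}` so the two arms read alike and a statement added later cannot fall outside the else. The same validation block is now pasted into each realm; since RealmBase.java is part of this commit and already carries hasMessageDigest(), a single protected helper there (say compareCredentials(String digested, String stored)) would keep the case-sensitivity rule in one place. Note also that String.equals and equalsIgnoreCase both return at the first differing character, so the digest path's comparison time depends on how long the matching prefix is; a length-independent comparison of the decoded bytes avoids that.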
RE: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/ catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java
>
> You're right ... d'oh! I assumed that a method called
> "digest" returned
> a digest. I guess I should not assume so often =)
>
> My bad ... but in some slight manner of defense, that method call is
> poorly named :)
>

We can change it to a more appropriate "digestedOrNot"

:

Regards,
Ignacio J. Ortega
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java
"Ignacio J. Ortega" <[EMAIL PROTECTED]> wrote:
> Hello Christopher:
>
> I think this change is not good, as it does *all* passwords case
> insensitive, regardless of the use of digest or not.., i think plain
> passwords need to be case sensitive ..

Good catch :)

Pier
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/ catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java
You're right ... d'oh! I assumed that a method called "digest" returned a digest. I guess I should not assume so often =)

My bad ... but in some slight manner of defense, that method call is poorly named :)

I'll repair this immediately.

- Christopher

Ignacio J. Ortega wrote:
> Hello Christopher:
>
> I think this change is not good, as it does *all* passwords case
> insensitive, regardless of the use of digest or not.., i think plain
> passwords need to be case sensitive ..
>
>
> Regards,
> Ignacio J. Ortega
>
>
>>-Original Message-
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>>Sent: Friday, 7 September 2001 20:52
>>To: [EMAIL PROTECTED]
>>Subject: cvs commit:
>>jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm
>>JDBCRealm.java JNDIRealm.java MemoryRealm.java
>>
>>
>>ccain 01/09/07 11:51:36
>>
>> Modified: catalina/src/share/org/apache/catalina/realm
>>JDBCRealm.java
>>JNDIRealm.java MemoryRealm.java
>> Log:
>> Change comparison of hex digests (in authentication) to be
>> case-insensitive, as base16 values themselves are case-insensitive.
>>
>> Revision ChangesPath >> 1.18 +2 -2 >>jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real >>m/JDBCRealm.java >> >> Index: JDBCRealm.java >> === >> RCS file: >>/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat >>alina/realm/JDBCRealm.java,v >> retrieving revision 1.17 >> retrieving revision 1.18 >> diff -u -r1.17 -r1.18 >> --- JDBCRealm.java 2001/09/06 03:43:11 1.17 >> +++ JDBCRealm.java 2001/09/07 18:51:36 1.18 >> @@ -95,7 +95,7 @@ >> * @author Craig R. McClanahan >> * @author Carson McDonald >> * @author Ignacio Ortega >> -* @version $Revision: 1.17 $ $Date: 2001/09/06 03:43:11 $ >> +* @version $Revision: 1.18 $ $Date: 2001/09/07 18:51:36 $ >> */ >> >> public class JDBCRealm 
>> @@ -384,7 +384,7 @@ >> } >> >> // Validate the user's credentials >> -if (digest(credentials).equals(dbCredentials)) { >> +if (digest(credentials).equalsIgnoreCase(dbCredentials)) { >> if (debug >= 2) >> log(sm.getString("jdbcRealm.authenticateSuccess", >>username)); >> >> >> >> 1.4 +2 -2 >>jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real >>m/JNDIRealm.java >> >> Index: JNDIRealm.java >> === >> RCS file: >>/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat >>alina/realm/JNDIRealm.java,v >> retrieving revision 1.3 >> retrieving revision 1.4 >> diff -u -r1.3 -r1.4 >> --- JNDIRealm.java 2001/09/06 03:43:11 1.3 >> +++ JNDIRealm.java 2001/09/07 18:51:36 1.4 >> @@ -144,7 +144,7 @@ >>* >>* @author John Holman >>* @author Craig R. McClanahan >> - * @version $Revision: 1.3 $ $Date: 2001/09/06 03:43:11 $ >> + * @version $Revision: 1.4 $ $Date: 2001/09/07 18:51:36 $ >>*/ >> >> public class JNDIRealm extends RealmBase { >> @@ -750,7 +750,7 @@ >> // Validate the credentials specified by the user >> if (debug >= 3) >> log(" validating credentials"); >> -if (digest(credentials).equals(valueString)) { >> +if (digest(credentials).equalsIgnoreCase(valueString)) { >> if (debug >= 2) >> log(sm.getString("jndiRealm.authenticateSuccess", >>username)); >> >> >> >> 1.8 +5 -5 >>jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real >>m/MemoryRealm.java >> >> Index: MemoryRealm.java >> === >> RCS file: >>/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat >>alina/realm/MemoryRealm.java,v >> retrieving revision 1.7 >> retrieving revision 1.8 >> diff -u -r1.7 -r1.8 >> --- MemoryRealm.java2001/08/27 19:10:25 1.7 >> +++ MemoryRealm.java2001/09/07 18:51:36 1.8 >> @@ -1,7 +1,7 @@ >> /* >> - * $Header: >>/home/cvs/jakarta-tomcat-4.0/catali
RE: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java
Hello Christopher:

I think this change is not good, as it does *all* passwords case insensitive, regardless of the use of digest or not.., i think plain passwords need to be case sensitive ..

Regards,
Ignacio J. Ortega

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 7 September 2001 20:52
> To: [EMAIL PROTECTED]
> Subject: cvs commit:
> jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm
> JDBCRealm.java JNDIRealm.java MemoryRealm.java
>
>
> ccain 01/09/07 11:51:36
>
> Modified: catalina/src/share/org/apache/catalina/realm
> JDBCRealm.java
> JNDIRealm.java MemoryRealm.java
> Log:
> Change comparison of hex digests (in authentication) to be
> case-insensitive, as base16 values themselves are case-insensitive.
>
> Revision ChangesPath > 1.18 +2 -2 > jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real > m/JDBCRealm.java > > Index: JDBCRealm.java > === > RCS file: > /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat > alina/realm/JDBCRealm.java,v > retrieving revision 1.17 > retrieving revision 1.18 > diff -u -r1.17 -r1.18 > --- JDBCRealm.java 2001/09/06 03:43:11 1.17 > +++ JDBCRealm.java 2001/09/07 18:51:36 1.18 > @@ -95,7 +95,7 @@ >* @author Craig R. McClanahan >* @author Carson McDonald >* @author Ignacio Ortega > -* @version $Revision: 1.17 $ $Date: 2001/09/06 03:43:11 $ > +* @version $Revision: 1.18 $ $Date: 2001/09/07 18:51:36 $ >*/ > >public class JDBCRealm 
> @@ -384,7 +384,7 @@ >} > >// Validate the user's credentials > -if (digest(credentials).equals(dbCredentials)) { > +if (digest(credentials).equalsIgnoreCase(dbCredentials)) { >if (debug >= 2) >log(sm.getString("jdbcRealm.authenticateSuccess", > username)); > > > > 1.4 +2 -2 > jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real > m/JNDIRealm.java > > Index: JNDIRealm.java > === > RCS file: > /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat > alina/realm/JNDIRealm.java,v > retrieving revision 1.3 > retrieving revision 1.4 > diff -u -r1.3 -r1.4 > --- JNDIRealm.java 2001/09/06 03:43:11 1.3 > +++ JNDIRealm.java 2001/09/07 18:51:36 1.4 > @@ -144,7 +144,7 @@ > * > * @author John Holman > * @author Craig R. McClanahan > - * @version $Revision: 1.3 $ $Date: 2001/09/06 03:43:11 $ > + * @version $Revision: 1.4 $ $Date: 2001/09/07 18:51:36 $ > */ > >public class JNDIRealm extends RealmBase { > @@ -750,7 +750,7 @@ >// Validate the credentials specified by the user >if (debug >= 3) >log(" validating credentials"); > -if (digest(credentials).equals(valueString)) { > +if (digest(credentials).equalsIgnoreCase(valueString)) { >if (debug >= 2) >log(sm.getString("jndiRealm.authenticateSuccess", > username)); > > > > 1.8 +5 -5 > jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real > m/MemoryRealm.java > > Index: MemoryRealm.java > === > RCS file: > /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat > alina/realm/MemoryRealm.java,v > retrieving revision 1.7 > retrieving revision 1.8 > diff -u -r1.7 -r1.8 > --- MemoryRealm.java2001/08/27 19:10:25 1.7 > +++ MemoryRealm.java2001/09/07 18:51:36 1.8 
> @@ -1,7 +1,7 @@ >/* > - * $Header: > /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat > alina/realm/MemoryRealm.java,v 1.7 2001/08/27 19:10:25 craigmcc Exp $ > - * $Revision: 1.7 $ > - * $Date: 2001/08/27 19:10:25 $ > + * $Header: > /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat > alina/realm/MemoryRealm.java,v 1.8 2001/09/07 18:51:36 ccain Exp $ > + * $Revision: 1.8 $ > + * $Date: 2001/09/07 18:51:36 $ > * > * > > * > @@ -95,7 +95,7 @@ > * synchronization is performed around accesses to the > principals collection. > * > * @author Craig R. McClanaha
cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java
ccain 01/09/07 11:51:36

Modified: catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java

Log:
Change comparison of hex digests (in authentication) to be case-insensitive, as base16 values themselves are case-insensitive.

Revision Changes Path
1.18 +2 -2 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java

Index: JDBCRealm.java === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- JDBCRealm.java2001/09/06 03:43:11 1.17 +++ JDBCRealm.java2001/09/07 18:51:36 1.18 @@ -95,7 +95,7 @@ * @author Craig R. McClanahan * @author Carson McDonald * @author Ignacio Ortega -* @version $Revision: 1.17 $ $Date: 2001/09/06 03:43:11 $ +* @version $Revision: 1.18 $ $Date: 2001/09/07 18:51:36 $ */ public class JDBCRealm @@ -384,7 +384,7 @@ } // Validate the user's credentials -if (digest(credentials).equals(dbCredentials)) { +if (digest(credentials).equalsIgnoreCase(dbCredentials)) { if (debug >= 2) log(sm.getString("jdbcRealm.authenticateSuccess", username)); 1.4 +2 -2 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java Index: JNDIRealm.java === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- JNDIRealm.java2001/09/06 03:43:11 1.3 +++ JNDIRealm.java2001/09/07 18:51:36 1.4 @@ -144,7 +144,7 @@ * * @author John Holman * @author Craig R. McClanahan - * @version $Revision: 1.3 $ $Date: 2001/09/06 03:43:11 $ + * @version $Revision: 1.4 $ $Date: 2001/09/07 18:51:36 $ */ public class JNDIRealm extends RealmBase { 
@@ -750,7 +750,7 @@ // Validate the credentials specified by the user if (debug >= 3) log(" validating credentials"); -if (digest(credentials).equals(valueString)) { +if (digest(credentials).equalsIgnoreCase(valueString)) { if (debug >= 2) log(sm.getString("jndiRealm.authenticateSuccess", username)); 1.8 +5 -5 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java Index: MemoryRealm.java === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- MemoryRealm.java 2001/08/27 19:10:25 1.7 +++ MemoryRealm.java 2001/09/07 18:51:36 1.8 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v 1.7 2001/08/27 19:10:25 craigmcc Exp $ - * $Revision: 1.7 $ - * $Date: 2001/08/27 19:10:25 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v 1.8 2001/09/07 18:51:36 ccain Exp $ + * $Revision: 1.8 $ + * $Date: 2001/09/07 18:51:36 $ * * * @@ -95,7 +95,7 @@ * synchronization is performed around accesses to the principals collection. * * @author Craig R. McClanahan - * @version $Revision: 1.7 $ $Date: 2001/08/27 19:10:25 $ + * @version $Revision: 1.8 $ $Date: 2001/09/07 18:51:36 $ */ public final class MemoryRealm @@ -205,7 +205,7 @@ GenericPrincipal principal = (GenericPrincipal) principals.get(username); if ((principal != null) && -(digest(credentials).equals(principal.getPassword( { +(digest(credentials).equalsIgnoreCase(principal.getPassword( { if (debug >= 2) log(sm.getString("memoryRealm.authenticateSuccess", username)); return (principal);
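Review bot: the JDBCRealm (@@ -384), JNDIRealm (@@ -750) and MemoryRealm (@@ -205) hunks all replace equals with equalsIgnoreCase unconditionally, but the log only justifies case-insensitivity for hex digests; when the realm has no digest algorithm configured, digest(credentials) hands back the plaintext password, so this change also makes plaintext passwords match case-insensitively (a stored "Secret" would now accept "secret"). Guard the equalsIgnoreCase path on whether a digest is configured and keep the exact comparison otherwise, e.g. `if (hasDigest) validated = digest(credentials).equalsIgnoreCase(stored); else validated = digest(credentials).equals(stored);`, and apply the same guard in all three realms.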