Author: markt
Date: Thu Sep 25 19:33:07 2014
New Revision: 1627607

URL: http://svn.apache.org/r1627607
Log:
Review comment 5 from schultz
Validate stored credential

Modified:
    tomcat/trunk/java/org/apache/catalina/realm/CredentialHandlerBase.java
    tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties
    
tomcat/trunk/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
    tomcat/trunk/java/org/apache/catalina/realm/PBECredentialHandler.java

Modified: tomcat/trunk/java/org/apache/catalina/realm/CredentialHandlerBase.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/CredentialHandlerBase.java?rev=1627607&r1=1627606&r2=1627607&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/CredentialHandlerBase.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/realm/CredentialHandlerBase.java Thu 
Sep 25 19:33:07 2014
@@ -21,6 +21,7 @@ import java.security.SecureRandom;
 import java.util.Random;
 
 import org.apache.catalina.CredentialHandler;
+import org.apache.juli.logging.Log;
 import org.apache.tomcat.util.buf.HexUtils;
 import org.apache.tomcat.util.res.StringManager;
 
@@ -96,6 +97,15 @@ public abstract class CredentialHandlerB
         int sep1 = storedCredentials.indexOf('$');
         int sep2 = storedCredentials.indexOf('$', sep1 + 1);
 
+        if (sep1 < 0 || sep2 < 0) {
+            // Stored credentials are invalid
+            // Logging credentials could be a security concern but they are
+            // invalid and that is a bigger problem
+            
getLog().warn(sm.getString("credentialHandler.invalidStoredCredential",
+                    storedCredentials));
+            return false;
+        }
+
         String hexSalt = storedCredentials.substring(0,  sep1);
 
         int iterations = Integer.parseInt(storedCredentials.substring(sep1 + 
1, sep2));
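Review bot: The new guard returns false only when one of the `$` separators is missing; a stored credential that has both separators but a non-numeric iteration count still reaches `Integer.parseInt` on the following line and throws `NumberFormatException` out of the matching method instead of failing the match. Catching that exception and logging the same `credentialHandler.invalidStoredCredential` message keeps the behaviour this commit intends, an invalid stored credential is a warning plus a failed match, consistent for both malformed shapes. The hex-salt decoding that follows this hunk may have the same gap if it rejects non-hex input, but that code is outside the hunk. The enclosing matching method starts before and ends after this hunk.
```java
// … unchanged: separator check and hexSalt extraction …
int iterations;
try {
    iterations = Integer.parseInt(storedCredentials.substring(sep1 + 1, sep2));
} catch (NumberFormatException e) {
    // Same policy as the separator check: a malformed stored credential is a
    // warning and a failed match, not an exception propagated to the Realm
    getLog().warn(sm.getString("credentialHandler.invalidStoredCredential",
            storedCredentials));
    return false;
}
// … unchanged: remainder of the matching logic …
```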
@@ -128,4 +138,10 @@ public abstract class CredentialHandlerB
      * {@link CredentialHandler}.
      */
     protected abstract int getDefaultIterations();
+
+
+    /**
+     * Obtain the logger for the CredentialHandler instance.
+     */
+    protected abstract Log getLog();
 }
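Review bot: The Javadoc on the new abstract `getLog()` has no `@return` tag and does not tell implementers what the base class uses the logger for, which is the only contract a subclass needs to honour. Based on the earlier hunk in this file, the logger is used to warn about malformed stored credentials, so I would extend the comment to `/** Obtain the logger for the CredentialHandler instance, used by the base class to report problems such as a malformed stored credential. @return the logger, never {@code null} */`. Style: the new method is separated from `getDefaultIterations()` by two blank lines where one is the norm in the surrounding code.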

Modified: tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties?rev=1627607&r1=1627606&r2=1627607&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties 
(original)
+++ tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties Thu Sep 
25 19:33:07 2014
@@ -83,5 +83,6 @@ combinedRealm.addRealm=Add "{0}" realm, 
 combinedRealm.realmStartFail=Failed to start "{0}" realm
 lockOutRealm.authLockedUser=An attempt was made to authenticate the locked 
user "{0}"
 lockOutRealm.removeWarning=User "{0}" was removed from the failed users cache 
after {1} seconds to keep the cache size within the limit set
+credentialHandler.invalidStoredCredential=The invalid stored credential string 
[{0}] was provided by the Realm to match with the user provided credentials
 mdCredentialHandler.unknownEncoding=The encoding [{0}] is not supported so the 
current setting of [{1}] will still be used
 pbeCredentialHandler.invalidKeySpec=Unable to generate a password based key
\ No newline at end of file

Modified: 
tomcat/trunk/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java?rev=1627607&r1=1627606&r2=1627607&view=diff
==============================================================================
--- 
tomcat/trunk/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java 
(original)
+++ 
tomcat/trunk/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java 
Thu Sep 25 19:33:07 2014
@@ -178,4 +178,10 @@ public class MessageDigestCredentialHand
     protected int getDefaultIterations() {
         return DEFAULT_ITERATIONS;
     }
+
+
+    @Override
+    protected Log getLog() {
+        return log;
+    }
 }
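Review bot: The new `getLog()` override returns a `log` field and declares a `Log` return type, but this hunk adds no `import org.apache.juli.logging.Log;` and does not show the field, so it depends on both already being present in the class; the `PBECredentialHandler` hunk below has the same dependency. That is presumably satisfied, since a `log` field typically implies the import is already there, but it is worth confirming from the full file rather than inferring from the diff. Style: in both classes the override is preceded by two blank lines where the surrounding code uses one.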

Modified: tomcat/trunk/java/org/apache/catalina/realm/PBECredentialHandler.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/PBECredentialHandler.java?rev=1627607&r1=1627606&r2=1627607&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/PBECredentialHandler.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/realm/PBECredentialHandler.java Thu 
Sep 25 19:33:07 2014
@@ -90,4 +90,10 @@ public class PBECredentialHandler extend
     protected int getDefaultIterations() {
         return DEFAULT_ITERATIONS;
     }
+
+
+    @Override
+    protected Log getLog() {
+        return log;
+    }
 }


