Author: markt Date: Thu Sep 25 19:33:07 2014 New Revision: 1627607 URL: http://svn.apache.org/r1627607 Log: Review comment 5 from schultz Validate stored credential
Modified: tomcat/trunk/java/org/apache/catalina/realm/CredentialHandlerBase.java tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties tomcat/trunk/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java tomcat/trunk/java/org/apache/catalina/realm/PBECredentialHandler.java
Modified: tomcat/trunk/java/org/apache/catalina/realm/CredentialHandlerBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/CredentialHandlerBase.java?rev=1627607&r1=1627606&r2=1627607&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/CredentialHandlerBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/CredentialHandlerBase.java Thu Sep 25 19:33:07 2014
@@ -21,6 +21,7 @@
 import java.security.SecureRandom;
 import java.util.Random;
 import org.apache.catalina.CredentialHandler;
+import org.apache.juli.logging.Log;
 import org.apache.tomcat.util.buf.HexUtils;
 import org.apache.tomcat.util.res.StringManager;
@@ -96,6 +97,15 @@ public abstract class CredentialHandlerB
 int sep1 = storedCredentials.indexOf('$');
 int sep2 = storedCredentials.indexOf('$', sep1 + 1);
+ if (sep1 < 0 || sep2 < 0) {
+ // Stored credentials are invalid
+ // Logging credentials could be a security concern but they are
+ // invalid and that is a bigger problem
+ getLog().warn(sm.getString("credentialHandler.invalidStoredCredential",
+ storedCredentials));
+ return false;
+ }
+
 String hexSalt = storedCredentials.substring(0, sep1);
 int iterations = Integer.parseInt(storedCredentials.substring(sep1 + 1, sep2));
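Review bot: The new guard only covers a missing `$` separator; the `Integer.parseInt` on the last line of the hunk still runs on whatever sits between the two separators, so a stored value whose middle field is empty or non-numeric (e.g. `$$` or `abc$xyz$…`, constructed examples) escapes as a NumberFormatException from the matcher instead of being logged and rejected like the case this commit handles. I would give the parse the same treatment as the separator check, as below; the enclosing method starts before the hunk and continues after it, so anything that later decodes `hexSalt` presumably needs the same care, which I cannot confirm from here. The warn message prints the stored credential in full, which the added comment accepts; if that is ever a concern, logging only its length or a short prefix would still identify the bad entry.
```java
        String hexSalt = storedCredentials.substring(0, sep1);
        int iterations;
        try {
            iterations = Integer.parseInt(storedCredentials.substring(sep1 + 1, sep2));
        } catch (NumberFormatException e) {
            // Same treatment as a missing separator: the stored value is unusable
            getLog().warn(sm.getString("credentialHandler.invalidStoredCredential",
                    storedCredentials));
            return false;
        }
        // … unchanged: rest of the method …
```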
@@ -128,4 +138,10 @@ public abstract class CredentialHandlerB
 * {@link CredentialHandler}.
 */
 protected abstract int getDefaultIterations();
+
+
+ /**
+ * Obtain the logger for the CredentialHandler instance.
+ */
+ protected abstract Log getLog();
 }
Modified: tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties?rev=1627607&r1=1627606&r2=1627607&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties Thu Sep 25 19:33:07 2014
@@ -83,5 +83,6 @@ combinedRealm.addRealm=Add "{0}" realm,
 combinedRealm.realmStartFail=Failed to start "{0}" realm
 lockOutRealm.authLockedUser=An attempt was made to authenticate the locked user "{0}"
 lockOutRealm.removeWarning=User "{0}" was removed from the failed users cache after {1} seconds to keep the cache size within the limit set
+credentialHandler.invalidStoredCredential=The invalid stored credential string [{0}] was provided by the Realm to match with the user provided credentials
 mdCredentialHandler.unknownEncoding=The encoding [{0}] is not supported so the current setting of [{1}] will still be used
 pbeCredentialHandler.invalidKeySpec=Unable to generate a password based key
\ No newline at end of file
Modified: tomcat/trunk/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java?rev=1627607&r1=1627606&r2=1627607&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java Thu Sep 25 19:33:07 2014
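Review bot: The Javadoc on the new abstract `getLog()` does not state the contract the base class relies on: the guard added earlier in this commit calls `getLog().warn(...)` without a null check, so a subclass returning `null` would turn an invalid stored credential into a NullPointerException during authentication rather than a rejected login. Add a return tag that makes this explicit, e.g. `@return the logger used by this handler; must not be {@code null}, as the base class logs through it when a stored credential is malformed`.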
@@ -178,4 +178,10 @@ public class MessageDigestCredentialHand
 protected int getDefaultIterations() {
 return DEFAULT_ITERATIONS;
 }
+
+
+ @Override
+ protected Log getLog() {
+ return log;
+ }
 }
Modified: tomcat/trunk/java/org/apache/catalina/realm/PBECredentialHandler.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/PBECredentialHandler.java?rev=1627607&r1=1627606&r2=1627607&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/PBECredentialHandler.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/PBECredentialHandler.java Thu Sep 25 19:33:07 2014
@@ -90,4 +90,10 @@ public class PBECredentialHandler extend
 protected int getDefaultIterations() {
 return DEFAULT_ITERATIONS;
 }
+
+
+ @Override
+ protected Log getLog() {
+ return log;
+ }
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org