Sreyan,

On 9/9/15 9:45 AM, Christopher Schultz wrote:
> On 9/7/15 2:17 PM, Sreyan Chakravarty wrote:
>> I have found the cause of the problem. It seems that there is no
>> null checking in the DataSourceRealm in Tomcat. What I mean is
>> that if a particular user does not exist in the database and its
>> credentials are returned as a null string then no null checking
>> is specified.
> 
>> I would like to open this as a bug.
> 
> https://bz.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%208
> 
> Before you file a bug:
> 
> 1. Make sure you test on Tomcat 8.0.26
> 2. Make sure you post a stack trace from the NPE
> 3. If you can provide a simple test-case, it would be helpful
> 
>> The easiest solution is to write a custom Realm that provides
>> the null checking. The only problem is that now why am I not
>> being redirected to the error page if I provide a valid user with
>> a wrong password.
> 
> If the authenticate() method returns false, then Tomcat should
> send the user to the form-error-page. It may not issue a redirect,
> but instead perform a forward. Is that a problem?
> 
>> Please if anyone can tell me how to write a custom Realm then it 
>> would be really appreciated.
> 
> If this really is a bug, it should be fixed. I'm skeptical at this 
> point, since nobody has reported this yet. It would be a fairly big
> bug.

Confirmed by code inspection that Tomcat does not check the return
value from DataSourceRealm.getPassword. Exactly where the bug lies is
a matter of opinion:

1. DataSourceRealm blindly passes the stored credential to the
CredentialHandler
2. MessageDigestCredentialHandler.matches() performs null-checking of
its arguments
3. SecretKeyCredentialHandler.matches() does not perform such
null-checking

I think it's appropriate for the entire system to waste a little time
performing the credential-checking algorithm when the username is
invalid because it mitigates timing-analysis used to perform user
enumeration. That could be done in each of the individual
CredentialHandler classes, or it could be done in the Realm itself. I
would argue it makes sense to do in the Realm, but the handler itself
could implement such a mechanism, too.

Opinions are welcome.

Please log the bug.

- -chris
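One way to do what Chris suggests (keep the credential-checking work running when the user is unknown), as an added illustration that is not Tomcat's code. The class, the `iterations$hexdigest` stored format, the in-memory user store and the method names are all constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Added example, not Tomcat code. Hypothetical names throughout (USER_STORE, mutate,
// matches, authenticate). Stored credentials use a constructed "iterations$hexdigest" format.
public class NullSafeRealmExample {

    static final Map<String, String> USER_STORE = new HashMap<>(); // stands in for the realm's table
    // Precomputed once; substituted for a null stored credential so matches() does its normal work
    // instead of returning early (MessageDigestCredentialHandler) or throwing (SecretKeyCredentialHandler).
    static final String DUMMY_STORED = mutate("dummy-never-valid", 10_000);

    static String mutate(String credential, int iterations) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] d = credential.getBytes(StandardCharsets.UTF_8);
            for (int i = 0; i < iterations; i++) { md.reset(); d = md.digest(d); }
            StringBuilder hex = new StringBuilder();
            for (byte b : d) hex.append(String.format("%02x", b));
            return iterations + "$" + hex;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Like CredentialHandler.matches(input, stored); the iteration count (the cost) comes from stored,
    // which is why a null stored value must be replaced by a dummy of the same shape.
    static boolean matches(String input, String stored) {
        boolean userExists = stored != null;
        String reference = userExists ? stored : DUMMY_STORED;
        int iterations = Integer.parseInt(reference.substring(0, reference.indexOf('$')));
        String computed = mutate(input, iterations);
        byte[] a = computed.getBytes(StandardCharsets.UTF_8);
        byte[] b = reference.getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison; '&' (not '&&') so the existence check adds no early exit.
        return MessageDigest.isEqual(a, b) & userExists;
    }

    static boolean authenticate(String username, String password) {
        String stored = USER_STORE.get(username); // null when the user does not exist
        return matches(password, stored);
    }

    public static void main(String[] args) {
        USER_STORE.put("alice", mutate("correct horse", 10_000));
        System.out.println(authenticate("alice", "correct horse"));
        System.out.println(authenticate("alice", "wrong password"));
        System.out.println(authenticate("nobody", "anything"));
    }
}
```

Whether this lives in the Realm or in each CredentialHandler is the design choice the message leaves open; the dummy credential should be produced with the same settings the handler uses for real accounts so the two paths cost the same.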
