From Glen Mazza <gma...@talend.com>
Subject Re: svn commit: r1188029...
Date Mon, 24 Oct 2011 13:55:45 GMT
Are you sure on this Freeman?  Normally you don't want to give Bad Guy a 
hint that he's found a correct Username -- so any username/password 
failure should return a generic "authentication failed" error.

Glen

On 10/24/2011 02:32 AM, ffang@apache.org wrote:
> Author: ffang
> Date: Mon Oct 24 06:32:56 2011
> New Revision: 1188029
>
> URL: http://svn.apache.org/viewvc?rev=1188029&view=rev
> Log:
> [KARAF-956]jaas module by default should throw generic FailedLoginException
>
> Modified:
>      karaf/branches/karaf-2.2.x/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/AbstractKarafLoginModule.java
>      karaf/branches/karaf-2.2.x/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/jdbc/JDBCLoginModule.java
>      karaf/branches/karaf-2.2.x/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/osgi/OsgiConfigLoginModule.java
>      karaf/branches/karaf-2.2.x/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/properties/PropertiesLoginModule.java
>      karaf/branches/karaf-2.2.x/jaas/modules/src/main/resources/OSGI-INF/blueprint/karaf-jaas-module.xml
>
>
> Modified: karaf/branches/karaf-2.2.x/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/jdbc/JDBCLoginModule.java
> URL: http://svn.apache.org/viewvc/karaf/branches/karaf-2.2.x/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/jdbc/JDBCLoginModule.java?rev=1188029&r1=1188028&r2=1188029&view=diff
> ==============================================================================
> --- karaf/branches/karaf-2.2.x/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/jdbc/JDBCLoginModule.java
(original)
> +++ karaf/branches/karaf-2.2.x/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/jdbc/JDBCLoginModule.java
Mon Oct 24 06:32:56 2011
> @@ -118,12 +118,20 @@ public class JDBCLoginModule extends Abs
>               passwordResultSet = passwordStatement.executeQuery();
>
>               if (!passwordResultSet.next()) {
> -                throw new LoginException("User " + user + " does not exist");
> +            	if (!this.detailedLoginExcepion) {
> +            		throw new LoginException("login failed");
> +            	} else {
> +            		throw new LoginException("User " + user + " does not exist");
> +            	}
>               } else {
>                   String storedPassword = passwordResultSet.getString(1);
>
>                   if (!checkPassword(password, storedPassword)) {
> -                    throw new LoginException("Password for " + user + " does not match");
> +                	if (!this.detailedLoginExcepion) {
> +                		throw new LoginException("login failed");
> +                	} else {
> +                		throw new LoginException("Password for " + user + " does not match");
> +                	}
>                   }
>                   principals.add(new UserPrincipal(user));
>               }
>
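Review bot: The generic branch in this hunk still throws `LoginException` while the commit log says the module should throw a generic `FailedLoginException`, which is what the OsgiConfig and Properties hunks throw; a caller that catches `FailedLoginException` specifically will treat a JDBC failure differently from the other modules. Since `FailedLoginException` extends `LoginException`, both branches can be aligned with `throw new FailedLoginException("login failed");` and `throw new FailedLoginException("User " + user + " does not exist");` (and likewise in the password branch) without breaking existing catch clauses. The same `if (!this.detailedLoginExcepion) … else …` block appears six times across this hunk and the OsgiConfig and Properties hunks; a helper on the abstract module that chooses the message from the flag, say `protected FailedLoginException loginFailure(String detail)`, would keep the generic string identical everywhere and fix the misspelt field name in one place. The added lines are also indented with a tab after the leading spaces while the surrounding lines use spaces only, in every hunk of this commit. The enclosing method starts before and ends after this hunk.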
> Modified: karaf/branches/karaf-2.2.x/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/osgi/OsgiConfigLoginModule.java
> URL: http://svn.apache.org/viewvc/karaf/branches/karaf-2.2.x/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/osgi/OsgiConfigLoginModule.java?rev=1188029&r1=1188028&r2=1188029&view=diff
> ==============================================================================
> --- karaf/branches/karaf-2.2.x/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/osgi/OsgiConfigLoginModule.java
(original)
> +++ karaf/branches/karaf-2.2.x/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/osgi/OsgiConfigLoginModule.java
Mon Oct 24 06:32:56 2011
> @@ -68,14 +68,22 @@ public class OsgiConfigLoginModule exten
>
>               String userInfos = (String) properties.get(USER_PREFIX + user);
>               if (userInfos == null) {
> -                throw new FailedLoginException("User does not exist");
> +            	if (!this.detailedLoginExcepion) {
> +            		throw new FailedLoginException("login failed");
> +            	} else {
> +            		throw new FailedLoginException("User does not exist");
> +            	}
>               }
>               String[] infos = userInfos.split(",");
>               String storedPassword = infos[0];
>
>               // check the provided password
>               if (!checkPassword(password, storedPassword)) {
> -                throw new FailedLoginException("Password for " + user + " does not match");
> +            	if (!this.detailedLoginExcepion) {
> +            		throw new FailedLoginException("login failed");
> +            	} else {
> +            		throw new FailedLoginException("Password for " + user + " does not match");
> +            	}
>               }
>
>               principals = new HashSet<Principal>();
>
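Review bot: The generic message no longer says which check failed, but the unknown-user branch still throws before `checkPassword` runs, so the two failure paths do different amounts of work and may remain distinguishable by response time; whether that difference is measurable depends on the cost of `checkPassword`, whose implementation is not visible here. If hiding user existence is the goal of this option, the unknown-user path could run `checkPassword(password, DUMMY_STORED_PASSWORD)` against a fixed, non-matching stored value before throwing, so both paths take comparable time. The same observation applies to the JDBC and Properties hunks. The enclosing method starts before and ends after this hunk.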
> Modified: karaf/branches/karaf-2.2.x/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/properties/PropertiesLoginModule.java
> URL: http://svn.apache.org/viewvc/karaf/branches/karaf-2.2.x/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/properties/PropertiesLoginModule.java?rev=1188029&r1=1188028&r2=1188029&view=diff
> ==============================================================================
> --- karaf/branches/karaf-2.2.x/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/properties/PropertiesLoginModule.java
(original)
> +++ karaf/branches/karaf-2.2.x/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/properties/PropertiesLoginModule.java
Mon Oct 24 06:32:56 2011
> @@ -95,7 +95,11 @@ public class PropertiesLoginModule exten
>               //error handled in the next statement
>           }
>           if (userInfos == null) {
> -            throw new FailedLoginException("User " + user + " does not exist");
> +        	if (!this.detailedLoginExcepion) {
> +        		throw new FailedLoginException("login failed");
> +        	} else {
> +        		throw new FailedLoginException("User " + user + " does not exist");
> +        	}
>           }
>
>           // the password is in the first position
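Review bot: With `detailedLoginExcepion` false nothing in this hunk records why the login failed, so an operator loses the unknown-user versus wrong-password distinction the old message gave them. Logging the detailed reason at debug level next to the generic throw, e.g. `LOG.debug("login failed: user {} does not exist", user);`, keeps the diagnostic on the server side without returning it to the caller; whether this module already has a logger is not visible in the hunk. The same applies to the second hunk of this file and to the JDBC and OsgiConfig hunks. The enclosing method starts before and ends after this hunk.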
> @@ -136,7 +140,11 @@ public class PropertiesLoginModule exten
>
>           // check the provided password
>           if (!checkPassword(password, storedPassword)) {
> -            throw new FailedLoginException("Password for " + user + " does not match");
> +        	if (!this.detailedLoginExcepion) {
> +        		throw new FailedLoginException("login failed");
> +        	} else {
> +        		throw new FailedLoginException("Password for " + user + " does not match");
> +        	}
>           }
>
>           principals = new HashSet<Principal>();
>
> Modified: karaf/branches/karaf-2.2.x/jaas/modules/src/main/resources/OSGI-INF/blueprint/karaf-jaas-module.xml
> URL: http://svn.apache.org/viewvc/karaf/branches/karaf-2.2.x/jaas/modules/src/main/resources/OSGI-INF/blueprint/karaf-jaas-module.xml?rev=1188029&r1=1188028&r2=1188029&view=diff
> ==============================================================================
> --- karaf/branches/karaf-2.2.x/jaas/modules/src/main/resources/OSGI-INF/blueprint/karaf-jaas-module.xml
(original)
> +++ karaf/branches/karaf-2.2.x/jaas/modules/src/main/resources/OSGI-INF/blueprint/karaf-jaas-module.xml
Mon Oct 24 06:32:56 2011
> @@ -32,6 +32,7 @@
>       <!-- AdminConfig property place holder for the org.apache.karaf.jaas  -->
>       <cm:property-placeholder persistent-id="org.apache.karaf.jaas" update-strategy="reload">
>           <cm:default-properties>
> +<cm:property name="detailed.login.exception" value="false"/>
>               <cm:property name="encryption.name" value=""/>
>               <cm:property name="encryption.enabled" value="false"/>
>               <cm:property name="encryption.prefix" value="{CRYPT}"/>
> @@ -44,6 +45,7 @@
>       <jaas:config name="karaf">
>           <jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
flags="required">
>               users = $[karaf.base]/etc/users.properties
> +            detailed.login.exception = ${detailed.login.exception}
>               encryption.name = ${encryption.name}
>               encryption.enabled = ${encryption.enabled}
>               encryption.prefix = ${encryption.prefix}
>
>
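Review bot: Only the `PropertiesLoginModule` entry in this blueprint receives `detailed.login.exception`, yet the JDBC and OsgiConfig modules read the same flag; a module configured outside this file gets whatever default the `AbstractKarafLoginModule` change supplies, and that change is not quoted in this message. It would help to state in this file, or in the option's documentation, that modules configured elsewhere must set `detailed.login.exception` themselves to opt back into the detailed messages.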


-- 
Glen Mazza
Talend - http://www.talend.com/apache
Blog - http://tinyurl.com/glen-blog-index
Twitter - glenmazza

