qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aidan Skinner (JIRA)" <qpid-...@incubator.apache.org>
Subject [jira] Updated: (QPID-474) AmqPlain & Plain SaslServer don't check passwords
Date Mon, 07 Jul 2008 09:21:31 GMT

     [ https://issues.apache.org/jira/browse/QPID-474?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Aidan Skinner updated QPID-474:
-------------------------------

    Fix Version/s: M3

> AmqPlain & Plain SaslServer don't check passwords
> -------------------------------------------------
>
>                 Key: QPID-474
>                 URL: https://issues.apache.org/jira/browse/QPID-474
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: M1, M2, M2.1
>            Reporter: Martin Ritchie
>            Priority: Critical
>             Fix For: M3
>
>
> This is a snippet from the evaluateResponse method in AmqPlainSaslServer:
>             String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8");
>             passwordCb.setPassword(pwd.toCharArray());
>             AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid);
>             Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
>             _cbh.handle(callbacks);
>             _complete = true;
> The authzCb is always set to true!!
> See the handler UsernamePasswordInitialiser
>              else if (callback instanceof AuthorizeCallback) {
>                     ((AuthorizeCallback) callback).setAuthorized(true);
> As a result this will always allow access. 
> (from AmqPlainSaslServer.evaluteResponse() .. follows on from above snippet)
>             if (authzCb.isAuthorized())
>             {
>                 _authorizationId = authzCb.getAuthenticationID();
>                 return null;
>             }
>             else
>             {
>                 throw new SaslException("Authentication failed");
>             }
> What needs to be done:
> This line is wrong: (from AmqPlainSaslServer)
>             passwordCb.setPassword(pwd.toCharArray());
> This is done in the PrincipalDatabases
> So after the handle call
> passwordCb.getPassword() should be compared to pwd verifying the password is correct.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message