Posted to dev@qpid.apache.org by "Martin Ritchie (JIRA)" <qp...@incubator.apache.org> on 2007/04/26 14:21:15 UTC
[jira] Created: (QPID-474) PlainSaslServer doesn't check passwords
PlainSaslServer doesn't check passwords
---------------------------------------
Key: QPID-474
URL: https://issues.apache.org/jira/browse/QPID-474
Project: Qpid
Issue Type: Bug
Affects Versions: M1, M2
Reporter: Martin Ritchie
This is a snippet from the evaluateResponse method
String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8");
passwordCb.setPassword(pwd.toCharArray());
AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid);
Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
_cbh.handle(callbacks);
_complete = true;
// the authzCb is always set to true!!! see UsernamePasswordInitialiser
// else if (callback instanceof AuthorizeCallback) {
// ((AuthorizeCallback) callback).setAuthorized(true);
// so this will always allow access.
if (authzCb.isAuthorized())
{
_authorizationId = authzCb.getAuthenticationID();
return null;
}
else
{
throw new SaslException("Authentication failed");
}
What needs to be done:
This line is wrong:
passwordCb.setPassword(pwd.toCharArray());
This is done in the PrincipalDatabases
So after the handle call
passwordCb.getPassword() should be compared to pwd verifying the password is correct.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
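The following is an added example, not Qpid's own code, that reproduces the defect described in the ticket and the fix the reporter asks for, using the same javax.security.sasl and javax.security.auth.callback APIs the snippet uses. DemoPrincipalDatabase is a hypothetical stand-in for the broker's PrincipalDatabase, handlerFor models the always-authorized handler behaviour the ticket attributes to UsernamePasswordInitialiser, and the checkPassword flag on evaluateResponse exists only to show both paths side by side; the credentials and PLAIN responses are constructed sample data.

```java
// Added example (not Qpid code) for QPID-474: a minimal SASL PLAIN server-side
// evaluateResponse with and without the post-handle() password comparison.
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.SaslException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

public class PlainCheckDemo {

    /** Hypothetical stand-in for the broker's PrincipalDatabase: user -> stored password. */
    static final class DemoPrincipalDatabase {
        private final Map<String, char[]> users = new HashMap<>();
        void add(String user, String password) { users.put(user, password.toCharArray()); }
        char[] lookup(String user) { return users.get(user); }
    }

    /**
     * Handler modelled on the behaviour the ticket describes: it hands back the
     * stored password for the named user and unconditionally marks the
     * AuthorizeCallback as authorized. By itself it compares nothing.
     */
    static CallbackHandler handlerFor(DemoPrincipalDatabase db) {
        return callbacks -> {
            String name = null;
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    name = ((NameCallback) cb).getName();
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(db.lookup(name)); // stored secret, null if unknown user
                } else if (cb instanceof AuthorizeCallback) {
                    ((AuthorizeCallback) cb).setAuthorized(true);        // the always-true behaviour from the ticket
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /** Index of the first occurrence of 'target' in 'buf' at or after 'from', or -1. */
    private static int indexOf(byte[] buf, int from, byte target) {
        for (int i = Math.max(from, 0); i < buf.length; i++) if (buf[i] == target) return i;
        return -1;
    }

    /**
     * Parses a PLAIN response (authzid NUL authcid NUL passwd, RFC 4616) and returns
     * the authorized identity. checkPassword=false reproduces the bug: the handler's
     * setAuthorized(true) is the only gate. checkPassword=true applies the fix the
     * ticket asks for: after handle(), compare passwordCb.getPassword() with pwd.
     */
    static String evaluateResponse(byte[] response, CallbackHandler cbh, boolean checkPassword)
            throws SaslException {
        int authzidNull = indexOf(response, 0, (byte) 0);
        int authcidNull = authzidNull < 0 ? -1 : indexOf(response, authzidNull + 1, (byte) 0);
        if (authzidNull < 0 || authcidNull < 0) throw new SaslException("Malformed PLAIN response");
        String authzid = new String(response, 0, authzidNull, StandardCharsets.UTF_8);
        String authcid = new String(response, authzidNull + 1, authcidNull - authzidNull - 1, StandardCharsets.UTF_8);
        String pwd = new String(response, authcidNull + 1, response.length - authcidNull - 1, StandardCharsets.UTF_8);
        if (authzid.isEmpty()) authzid = authcid; // empty authzid means "same as authcid"

        NameCallback nameCb = new NameCallback("user");
        nameCb.setName(authcid);
        PasswordCallback passwordCb = new PasswordCallback("password", false);
        AuthorizeCallback authzCb = new AuthorizeCallback(authcid, authzid);
        try {
            cbh.handle(new Callback[]{nameCb, passwordCb, authzCb});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new SaslException("Callback handler failed", e);
        }

        if (checkPassword) {
            char[] stored = passwordCb.getPassword();
            byte[] expected = stored == null ? new byte[0] : new String(stored).getBytes(StandardCharsets.UTF_8);
            // Constant-time comparison of the stored secret with what the client sent.
            if (stored == null || !MessageDigest.isEqual(expected, pwd.getBytes(StandardCharsets.UTF_8))) {
                throw new SaslException("Authentication failed");
            }
        }
        if (!authzCb.isAuthorized()) throw new SaslException("Authentication failed");
        return authzCb.getAuthorizedID();
    }

    public static void main(String[] args) throws Exception {
        DemoPrincipalDatabase db = new DemoPrincipalDatabase();
        db.add("guest", "guest"); // constructed sample credential
        CallbackHandler cbh = handlerFor(db);
        byte[] wrong = "\0guest\0notthepassword".getBytes(StandardCharsets.UTF_8); // constructed response
        byte[] right = "\0guest\0guest".getBytes(StandardCharsets.UTF_8);          // constructed response

        // Bug: without the comparison, a wrong password is accepted.
        System.out.println("no check, wrong password -> " + evaluateResponse(wrong, cbh, false));
        // Fix: the comparison after handle() rejects it and accepts only the right one.
        try { evaluateResponse(wrong, cbh, true); }
        catch (SaslException e) { System.out.println("check, wrong password -> " + e.getMessage()); }
        System.out.println("check, right password -> " + evaluateResponse(right, cbh, true));
    }
}
```

The point the example makes explicit is that the handler's job is to surface the stored credential, not to decide the outcome; the SASL server must do the comparison itself once handle() returns, and an AuthorizeCallback that is set to true regardless of the password turns every login into a success.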
[jira] Resolved: (QPID-474) AmqPlain & Plain SaslServer don't check passwords
Posted by "Aidan Skinner (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-474?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aidan Skinner resolved QPID-474.
--------------------------------
Resolution: Fixed
> AmqPlain & Plain SaslServer don't check passwords
> -------------------------------------------------
>
> Key: QPID-474
> URL: https://issues.apache.org/jira/browse/QPID-474
> Project: Qpid
> Issue Type: Bug
> Components: Java Broker
> Affects Versions: M1, M2, M2.1
> Reporter: Martin Ritchie
> Priority: Critical
> Fix For: M3
>
>
> This is a snippet from the evaluateResponse method in AmqPlainSaslServer:
> String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8");
> passwordCb.setPassword(pwd.toCharArray());
> AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid);
> Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
> _cbh.handle(callbacks);
> _complete = true;
> The authzCb is always set to true!!
> See the handler UsernamePasswordInitialiser
> else if (callback instanceof AuthorizeCallback) {
> ((AuthorizeCallback) callback).setAuthorized(true);
> As a result this will always allow access.
> (from AmqPlainSaslServer.evaluateResponse() .. follows on from above snippet)
> if (authzCb.isAuthorized())
> {
> _authorizationId = authzCb.getAuthenticationID();
> return null;
> }
> else
> {
> throw new SaslException("Authentication failed");
> }
> What needs to be done:
> This line is wrong: (from AmqPlainSaslServer)
> passwordCb.setPassword(pwd.toCharArray());
> This is done in the PrincipalDatabases
> So after the handle call
> passwordCb.getPassword() should be compared to pwd verifying the password is correct.
[jira] Updated: (QPID-474) AmqPlain & Plain SaslServer don't check passwords
Posted by "Martin Ritchie (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-474?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Ritchie updated QPID-474:
--------------------------------
Summary: AmqPlain & Plain SaslServer don't check passwords (was: PlainSaslServer doesn't check passwords)
> AmqPlain & Plain SaslServer don't check passwords
> -------------------------------------------------
>
> Key: QPID-474
> URL: https://issues.apache.org/jira/browse/QPID-474
> Project: Qpid
> Issue Type: Bug
> Affects Versions: M1, M2
> Reporter: Martin Ritchie
>
> This is a snippet from the evaluateResponse method
> String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8");
> passwordCb.setPassword(pwd.toCharArray());
> AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid);
> Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
> _cbh.handle(callbacks);
> _complete = true;
> // the authzCb is always set to true!!! see UsernamePasswordInitialiser
> // else if (callback instanceof AuthorizeCallback) {
> // ((AuthorizeCallback) callback).setAuthorized(true);
> // so this will always allow access.
> if (authzCb.isAuthorized())
> {
> _authorizationId = authzCb.getAuthenticationID();
> return null;
> }
> else
> {
> throw new SaslException("Authentication failed");
> }
> What needs to be done:
> This line is wrong:
> passwordCb.setPassword(pwd.toCharArray());
> This is done in the PrincipalDatabases
> So after the handle call
> passwordCb.getPassword() should be compared to pwd verifying the password is correct.
[jira] Updated: (QPID-474) AmqPlain & Plain SaslServer don't check passwords
Posted by "Martin Ritchie (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-474?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Ritchie updated QPID-474:
--------------------------------
Component/s: Java Broker
Priority: Critical (was: Major)
Description:
This is a snippet from the evaluateResponse method in AmqPlainSaslServer:
String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8");
passwordCb.setPassword(pwd.toCharArray());
AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid);
Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
_cbh.handle(callbacks);
_complete = true;
The authzCb is always set to true!!
See the handler UsernamePasswordInitialiser
else if (callback instanceof AuthorizeCallback) {
((AuthorizeCallback) callback).setAuthorized(true);
As a result this will always allow access.
(from AmqPlainSaslServer.evaluateResponse() .. follows on from above snippet)
if (authzCb.isAuthorized())
{
_authorizationId = authzCb.getAuthenticationID();
return null;
}
else
{
throw new SaslException("Authentication failed");
}
What needs to be done:
This line is wrong: (from AmqPlainSaslServer)
passwordCb.setPassword(pwd.toCharArray());
This is done in the PrincipalDatabases
So after the handle call
passwordCb.getPassword() should be compared to pwd verifying the password is correct.
was:
This is a snippet from the evaluateResponse method
String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8");
passwordCb.setPassword(pwd.toCharArray());
AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid);
Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
_cbh.handle(callbacks);
_complete = true;
// the authzCb is always set to true!!! see UsernamePasswordInitialiser
// else if (callback instanceof AuthorizeCallback) {
// ((AuthorizeCallback) callback).setAuthorized(true);
// so this will always allow access.
if (authzCb.isAuthorized())
{
_authorizationId = authzCb.getAuthenticationID();
return null;
}
else
{
throw new SaslException("Authentication failed");
}
What needs to be done:
This line is wrong:
passwordCb.setPassword(pwd.toCharArray());
This is done in the PrincipalDatabases
So after the handle call
passwordCb.getPassword() should be compared to pwd verifying the password is correct.
Affects Version/s: M2.1
> AmqPlain & Plain SaslServer don't check passwords
> -------------------------------------------------
>
> Key: QPID-474
> URL: https://issues.apache.org/jira/browse/QPID-474
> Project: Qpid
> Issue Type: Bug
> Components: Java Broker
> Affects Versions: M1, M2, M2.1
> Reporter: Martin Ritchie
> Priority: Critical
>
> This is a snippet from the evaluateResponse method in AmqPlainSaslServer:
> String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8");
> passwordCb.setPassword(pwd.toCharArray());
> AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid);
> Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
> _cbh.handle(callbacks);
> _complete = true;
> The authzCb is always set to true!!
> See the handler UsernamePasswordInitialiser
> else if (callback instanceof AuthorizeCallback) {
> ((AuthorizeCallback) callback).setAuthorized(true);
> As a result this will always allow access.
> (from AmqPlainSaslServer.evaluateResponse() .. follows on from above snippet)
> if (authzCb.isAuthorized())
> {
> _authorizationId = authzCb.getAuthenticationID();
> return null;
> }
> else
> {
> throw new SaslException("Authentication failed");
> }
> What needs to be done:
> This line is wrong: (from AmqPlainSaslServer)
> passwordCb.setPassword(pwd.toCharArray());
> This is done in the PrincipalDatabases
> So after the handle call
> passwordCb.getPassword() should be compared to pwd verifying the password is correct.
[jira] Updated: (QPID-474) AmqPlain & Plain SaslServer don't check passwords
Posted by "Aidan Skinner (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-474?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aidan Skinner updated QPID-474:
-------------------------------
Assignee: Aidan Skinner
> AmqPlain & Plain SaslServer don't check passwords
> -------------------------------------------------
>
> Key: QPID-474
> URL: https://issues.apache.org/jira/browse/QPID-474
> Project: Qpid
> Issue Type: Bug
> Components: Java Broker
> Affects Versions: M1, M2, M2.1
> Reporter: Martin Ritchie
> Assignee: Aidan Skinner
> Priority: Critical
> Fix For: M3
>
>
> This is a snippet from the evaluateResponse method in AmqPlainSaslServer:
> String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8");
> passwordCb.setPassword(pwd.toCharArray());
> AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid);
> Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
> _cbh.handle(callbacks);
> _complete = true;
> The authzCb is always set to true!!
> See the handler UsernamePasswordInitialiser
> else if (callback instanceof AuthorizeCallback) {
> ((AuthorizeCallback) callback).setAuthorized(true);
> As a result this will always allow access.
> (from AmqPlainSaslServer.evaluateResponse() .. follows on from above snippet)
> if (authzCb.isAuthorized())
> {
> _authorizationId = authzCb.getAuthenticationID();
> return null;
> }
> else
> {
> throw new SaslException("Authentication failed");
> }
> What needs to be done:
> This line is wrong: (from AmqPlainSaslServer)
> passwordCb.setPassword(pwd.toCharArray());
> This is done in the PrincipalDatabases
> So after the handle call
> passwordCb.getPassword() should be compared to pwd verifying the password is correct.
[jira] Updated: (QPID-474) AmqPlain & Plain SaslServer don't check passwords
Posted by "Aidan Skinner (JIRA)" <qp...@incubator.apache.org>.
[ https://issues.apache.org/jira/browse/QPID-474?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aidan Skinner updated QPID-474:
-------------------------------
Fix Version/s: M3
> AmqPlain & Plain SaslServer don't check passwords
> -------------------------------------------------
>
> Key: QPID-474
> URL: https://issues.apache.org/jira/browse/QPID-474
> Project: Qpid
> Issue Type: Bug
> Components: Java Broker
> Affects Versions: M1, M2, M2.1
> Reporter: Martin Ritchie
> Priority: Critical
> Fix For: M3
>
>
> This is a snippet from the evaluateResponse method in AmqPlainSaslServer:
> String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8");
> passwordCb.setPassword(pwd.toCharArray());
> AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid);
> Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
> _cbh.handle(callbacks);
> _complete = true;
> The authzCb is always set to true!!
> See the handler UsernamePasswordInitialiser
> else if (callback instanceof AuthorizeCallback) {
> ((AuthorizeCallback) callback).setAuthorized(true);
> As a result this will always allow access.
> (from AmqPlainSaslServer.evaluateResponse() .. follows on from above snippet)
> if (authzCb.isAuthorized())
> {
> _authorizationId = authzCb.getAuthenticationID();
> return null;
> }
> else
> {
> throw new SaslException("Authentication failed");
> }
> What needs to be done:
> This line is wrong: (from AmqPlainSaslServer)
> passwordCb.setPassword(pwd.toCharArray());
> This is done in the PrincipalDatabases
> So after the handle call
> passwordCb.getPassword() should be compared to pwd verifying the password is correct.