Posted to notifications@accumulo.apache.org by "Christopher Tubbs (JIRA)" <ji...@apache.org> on 2014/04/18 22:53:16 UTC
[jira] [Updated] (ACCUMULO-2700) SecurityOperation.authenticateSystemUser fails to properly validate system user
[ https://issues.apache.org/jira/browse/ACCUMULO-2700?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Christopher Tubbs updated ACCUMULO-2700:
----------------------------------------
Summary: SecurityOperation.authenticateSystemUser fails to properly validate system user (was: SecurityToken.authenticateSystemUser fails to properly validate system user)
> SecurityOperation.authenticateSystemUser fails to properly validate system user
> -------------------------------------------------------------------------------
>
> Key: ACCUMULO-2700
> URL: https://issues.apache.org/jira/browse/ACCUMULO-2700
> Project: Accumulo
> Issue Type: Bug
> Reporter: Christopher Tubbs
> Assignee: Christopher Tubbs
> Priority: Blocker
> Fix For: 1.6.0
>
>
> FindBugs found in the 1.6.0-SNAPSHOT branch that {{SecurityOperation.authenticateSystemUser(TCredentials credentials)}} does an improper comparison (equals) between AuthenticationToken and byte array.
> Additionally, upon visual inspection, it looks like the condition is not'd (missing a ! to throw the exception when the credentials don't match).
> The result appears to be that the system user is always authenticated, even if the credentials don't match. I haven't checked 1.5 yet to see if the bug applies there also.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
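
The two defects described in the report, shown side by side with a corrected check. This is an added illustration, not Accumulo's code: the `Token` class, `brokenCheck`, `fixedCheck` and the sample secrets are hypothetical and constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Illustrative sketch only: Token, brokenCheck and fixedCheck are hypothetical
// names, not Accumulo classes or methods.
public class SystemUserCheckDemo {

  // Stand-in for an authentication token that wraps a secret.
  static final class Token {
    private final byte[] secret;
    Token(byte[] secret) { this.secret = secret.clone(); }
    byte[] serialize() { return secret.clone(); }
    @Override public boolean equals(Object o) {
      return o instanceof Token && Arrays.equals(secret, ((Token) o).secret);
    }
    @Override public int hashCode() { return Arrays.hashCode(secret); }
  }

  // Both defects from the report: equals() across unrelated types is always
  // false, and the test is not negated, so the exception is never thrown.
  static void brokenCheck(Token systemToken, byte[] presented) {
    if (systemToken.equals(presented)) {
      throw new SecurityException("system credentials do not match");
    }
  }

  // Compare like with like (bytes to bytes, in constant time) and reject on mismatch.
  static void fixedCheck(Token systemToken, byte[] presented) {
    if (!MessageDigest.isEqual(systemToken.serialize(), presented)) {
      throw new SecurityException("system credentials do not match");
    }
  }

  public static void main(String[] args) {
    Token system = new Token("constructed-system-secret".getBytes(StandardCharsets.UTF_8));
    byte[] wrong = "constructed-wrong-secret".getBytes(StandardCharsets.UTF_8);
    brokenCheck(system, wrong); // returns normally: mismatch accepted
    System.out.println("brokenCheck accepted mismatched credentials");
    try {
      fixedCheck(system, wrong);
      System.out.println("fixedCheck accepted mismatched credentials");
    } catch (SecurityException e) {
      System.out.println("fixedCheck rejected: " + e.getMessage());
    }
    fixedCheck(system, system.serialize()); // matching bytes pass
    System.out.println("fixedCheck accepted matching credentials");
  }
}
```

Static analysis flags the cross-type `equals` call; the inverted condition only shows up in review or in a negative test that presents wrong credentials and expects a rejection.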