Posted to dev@tomcat.apache.org by "Ignacio J. Ortega" <na...@siapi.es> on 2001/09/07 21:34:11 UTC
RE: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/
catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java
Hello Christopher:
I think this change is not good, as it makes *all* passwords case
insensitive, regardless of the use of digest or not. I think plain
passwords need to be case sensitive.
Regards,
Ignacio J. Ortega
> -----Original Message-----
> From: ccain@apache.org [mailto:ccain@apache.org]
> Sent: Friday, 7 September 2001 20:52
> To: jakarta-tomcat-4.0-cvs@apache.org
> Subject: cvs commit:
> jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm
> JDBCRealm.java JNDIRealm.java MemoryRealm.java
>
>
> ccain 01/09/07 11:51:36
>
> Modified: catalina/src/share/org/apache/catalina/realm
> JDBCRealm.java
> JNDIRealm.java MemoryRealm.java
> Log:
> Change comparison of hex digests (in authentication) to be
> case-insensitive, as base16 values themselves are case-insensitive.
>
> Revision Changes Path
> 1.18 +2 -2
> jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real
> m/JDBCRealm.java
>
> Index: JDBCRealm.java
> ===================================================================
> RCS file:
> /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat
> alina/realm/JDBCRealm.java,v
> retrieving revision 1.17
> retrieving revision 1.18
> diff -u -r1.17 -r1.18
> --- JDBCRealm.java 2001/09/06 03:43:11 1.17
> +++ JDBCRealm.java 2001/09/07 18:51:36 1.18
> @@ -95,7 +95,7 @@
> * @author Craig R. McClanahan
> * @author Carson McDonald
> * @author Ignacio Ortega
> -* @version $Revision: 1.17 $ $Date: 2001/09/06 03:43:11 $
> +* @version $Revision: 1.18 $ $Date: 2001/09/07 18:51:36 $
> */
>
> public class JDBCRealm
> @@ -384,7 +384,7 @@
> }
>
> // Validate the user's credentials
> - if (digest(credentials).equals(dbCredentials)) {
> + if (digest(credentials).equalsIgnoreCase(dbCredentials)) {
> if (debug >= 2)
> log(sm.getString("jdbcRealm.authenticateSuccess",
> username));
>
>
>
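Review bot: the replacement on the "+" line, if (digest(credentials).equalsIgnoreCase(dbCredentials)), folds case for every credential check rather than only for hex digests. As Ignacio notes in this thread, digest() returns the plaintext credentials unchanged when no digest algorithm is configured for the realm, so this hunk also makes plaintext password comparison case-insensitive and enlarges the set of accepted passwords. Limit the relaxed comparison to the digested path, for instance by keeping equals() here when no digest is configured and using equalsIgnoreCase() only when one is, or by normalising the hex string to a single case inside digest() and leaving this comparison as equals(). The commit log should then state that only digested credentials are affected.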
> 1.4 +2 -2
> jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real
> m/JNDIRealm.java
>
> Index: JNDIRealm.java
> ===================================================================
> RCS file:
> /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat
> alina/realm/JNDIRealm.java,v
> retrieving revision 1.3
> retrieving revision 1.4
> diff -u -r1.3 -r1.4
> --- JNDIRealm.java 2001/09/06 03:43:11 1.3
> +++ JNDIRealm.java 2001/09/07 18:51:36 1.4
> @@ -144,7 +144,7 @@
> *
> * @author John Holman
> * @author Craig R. McClanahan
> - * @version $Revision: 1.3 $ $Date: 2001/09/06 03:43:11 $
> + * @version $Revision: 1.4 $ $Date: 2001/09/07 18:51:36 $
> */
>
> public class JNDIRealm extends RealmBase {
> @@ -750,7 +750,7 @@
> // Validate the credentials specified by the user
> if (debug >= 3)
> log(" validating credentials");
> - if (digest(credentials).equals(valueString)) {
> + if (digest(credentials).equalsIgnoreCase(valueString)) {
> if (debug >= 2)
> log(sm.getString("jndiRealm.authenticateSuccess",
> username));
>
>
>
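Review bot: the same concern applies to the "+" line here, if (digest(credentials).equalsIgnoreCase(valueString)): with no digest algorithm configured, digest() passes the plaintext credentials through, so the change makes the plaintext comparison against valueString case-insensitive as well. Apply case-insensitive matching only when a digest is in use, or make digest() emit the hex string in one fixed case and keep equals() at this site, so that the plaintext path keeps exact matching.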
> 1.8 +5 -5
> jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/real
> m/MemoryRealm.java
>
> Index: MemoryRealm.java
> ===================================================================
> RCS file:
> /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat
> alina/realm/MemoryRealm.java,v
> retrieving revision 1.7
> retrieving revision 1.8
> diff -u -r1.7 -r1.8
> --- MemoryRealm.java 2001/08/27 19:10:25 1.7
> +++ MemoryRealm.java 2001/09/07 18:51:36 1.8
> @@ -1,7 +1,7 @@
> /*
> - * $Header:
> /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat
> alina/realm/MemoryRealm.java,v 1.7 2001/08/27 19:10:25 craigmcc Exp $
> - * $Revision: 1.7 $
> - * $Date: 2001/08/27 19:10:25 $
> + * $Header:
> /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/cat
> alina/realm/MemoryRealm.java,v 1.8 2001/09/07 18:51:36 ccain Exp $
> + * $Revision: 1.8 $
> + * $Date: 2001/09/07 18:51:36 $
> *
> *
> ====================================================================
> *
> @@ -95,7 +95,7 @@
> * synchronization is performed around accesses to the
> principals collection.
> *
> * @author Craig R. McClanahan
> - * @version $Revision: 1.7 $ $Date: 2001/08/27 19:10:25 $
> + * @version $Revision: 1.8 $ $Date: 2001/09/07 18:51:36 $
> */
>
> public final class MemoryRealm
> @@ -205,7 +205,7 @@
> GenericPrincipal principal =
> (GenericPrincipal) principals.get(username);
> if ((principal != null) &&
> -
> (digest(credentials).equals(principal.getPassword()))) {
> +
> (digest(credentials).equalsIgnoreCase(principal.getPassword()))) {
> if (debug >= 2)
>
> log(sm.getString("memoryRealm.authenticateSuccess", username));
> return (principal);
>
>
>
>
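Review bot: the "+" line (digest(credentials).equalsIgnoreCase(principal.getPassword())) carries the same defect as the JDBCRealm and JNDIRealm hunks: when the realm has no digest algorithm, digest() returns credentials unchanged and principal.getPassword() holds the stored plaintext password, so plaintext logins become case-insensitive. Select the comparison on whether a digest is configured (equals() for plaintext, equalsIgnoreCase() only for hex digests), or lowercase the hex output inside digest() and keep equals() here.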
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/ catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java
Posted by Christopher Cain <cc...@mhsoftware.com>.
You're right ... d'oh! I assumed that a method called "digest" returned
a digest. I guess I should not assume so often =)
My bad ... but in some slight manner of defense, that method call is
poorly named :)
I'll repair this immediately.
- Christopher
Ignacio J. Ortega wrote:
> Hello Christopher:
>
> I think this change is not good, as it makes *all* passwords case
> insensitive, regardless of the use of digest or not. I think plain
> passwords need to be case sensitive.
>
>
> Regards,
> Ignacio J. Ortega
--
- Christopher
/**
* Pleurez, pleurez, mes yeux, et fondez vous en eau!
* La moitié de ma vie a mis l'autre au tombeau.
* ---Corneille
*/
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/
catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java
Posted by Pier Fumagalli <pi...@betaversion.org>.
"Ignacio J. Ortega" <na...@siapi.es> wrote:
> Hello Christopher:
>
> I think this change is not good, as it makes *all* passwords case
> insensitive, regardless of the use of digest or not. I think plain
> passwords need to be case sensitive.
Good catch :)
Pier