Posted to dev@mina.apache.org by "Oleg Gorobchuk (JIRA)" <ji...@apache.org> on 2008/11/19 15:50:44 UTC

[jira] Issue Comment Edited: (FTPSERVER-220) does not processed correct user's empty password

    [ https://issues.apache.org/jira/browse/FTPSERVER-220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12649060#action_12649060 ] 

olegg edited comment on FTPSERVER-220 at 11/19/08 6:50 AM:
--------------------------------------------------------------------

The class org.apache.ftpserver.usermanager.impl.PropertiesUserManager,
in the method authenticate(Authentication),
contains code for extracting the declared user's password and a condition for checking this value.
Code:

    String storedPassword = userDataProp.getProperty(PREFIX + user
            + '.' + ATTR_PASSWORD);

    if (storedPassword == null) {
        // user does not exist
        throw new AuthenticationFailedException("Authentication failed");
    }

This code produces an AuthenticationFailedException in the case of declaring an empty user's password.

IMHO, if the aim of the condition is to check for an existing user (according to the comment), it is more correct to use the following condition:

    if (!doesExist(user)) {
        // user does not exist
        throw new AuthenticationFailedException("Authentication failed");
    }

This will check that the user exists without reference to the password.

The current implementation of PropertiesUserManager does not allow using a user's empty password in the case of the configured encrypting mode "clear".



      was (Author: olegg):
The class org.apache.ftpserver.usermanager.impl.PropertiesUserManager,
in the method authenticate(Authentication),
contains code for extracting the declared user's password and a condition for checking this value.
Code:

    String storedPassword = userDataProp.getProperty(PREFIX + user
            + '.' + ATTR_PASSWORD);

    if (storedPassword == null) {
        // user does not exist
        throw new AuthenticationFailedException("Authentication failed");
    }

This code produces an AuthenticationFailedException in the case of declaring an empty user's password.

IMHO, if the aim of the condition is to check for an existing user (according to the comment), it is more correct to use the following condition:

    if (!doesExist(user)) {
        // user does not exist
        throw new AuthenticationFailedException("Authentication failed");
    }

This will check that the user exists without reference to the password.

The current implementation of PropertiesUserManager does not allow using a user's empty password in the case of the configured encrypted mode "clear".


  
> does not processed correct user's empty password
> ------------------------------------------------
>
>                 Key: FTPSERVER-220
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-220
>             Project: FtpServer
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 1.0-M3
>            Reporter: Oleg Gorobchuk
>            Assignee: Niklas Gustavsson
>             Fix For: 1.0-M4
>
>
> If a user has declared an empty password, the server does not allow the user to connect.
> An empty password is not processed for a normal user or for "anonymous", and for all encrypted modes.
> Sources of the problem:
> 1. The PASS command blocks the use of an empty password, since in this case the request contains NULL instead of a password value and the command generates error 501.
> 2. When the properties-based way of user management is used,
> the class PropertiesUserManager, in the case of a configured empty password, decides that the user does not exist.

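Added example, not part of the original message and not FtpServer code: a self-contained Java program that runs the two checks discussed above against java.util.Properties, which returns "" for a key with an empty value and null only for an absent key. The key names (demo.user.*), the sample accounts and the allowEmpty switch are assumptions made for the illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Properties;

public class EmptyPasswordDemo {
    // Constructed key layout for this example only (not taken from FtpServer).
    static final String PREFIX = "demo.user.";
    static final String ATTR_PASSWORD = "password";
    static final String ATTR_HOME = "homedirectory";

    // Existence is decided by a key every account has, not by the password value.
    static boolean doesExist(Properties p, String user) {
        return p.containsKey(PREFIX + user + '.' + ATTR_HOME);
    }

    // Password-key check: a null lookup is read as "user does not exist".
    static boolean authByPasswordKey(Properties p, String user, String given) {
        String stored = p.getProperty(PREFIX + user + '.' + ATTR_PASSWORD);
        return stored != null && stored.equals(given);
    }

    // Existence check first; an absent password key then counts as an empty password.
    static boolean authByExistence(Properties p, String user, String given, boolean allowEmpty) {
        if (!doesExist(p, user)) return false;
        String supplied = (given == null) ? "" : given; // a request without a value
        String stored = p.getProperty(PREFIX + user + '.' + ATTR_PASSWORD, "");
        if (stored.isEmpty() && !allowEmpty) return false; // hypothetical policy switch
        // Comparison time does not depend on where the first mismatching byte is.
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: "bob" has an empty value, "carol" has no password key at all.
        Properties p = new Properties();
        p.load(new StringReader(
            "demo.user.alice.homedirectory=/srv/alice\ndemo.user.alice.password=s3cret\n"
          + "demo.user.bob.homedirectory=/srv/bob\ndemo.user.bob.password=\n"
          + "demo.user.carol.homedirectory=/srv/carol\n"));
        for (String u : new String[] {"alice", "bob", "carol", "mallory"}) {
            String pw = u.equals("alice") ? "s3cret" : "";
            System.out.printf("%-8s byPasswordKey=%-5b byExistence=%-5b strict=%b%n", u,
                authByPasswordKey(p, u, pw), authByExistence(p, u, pw, true),
                authByExistence(p, u, pw, false));
        }
    }
}
```

The strict column shows the same existence-based check with empty passwords refused, which is the safer default when passwordless accounts are not intended.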