Posted to dev@directory.apache.org by "Jonah Beckford (JIRA)" <ji...@apache.org> on 2007/07/24 20:35:31 UTC
[jira] Created: (DIRSERVER-1007) SimpleAuthenticator rejects cached one-way encrypted passwords
SimpleAuthenticator rejects cached one-way encrypted passwords
--------------------------------------------------------------
Key: DIRSERVER-1007
URL: https://issues.apache.org/jira/browse/DIRSERVER-1007
Project: Directory ApacheDS
Issue Type: Bug
Affects Versions: 1.5.0
Reporter: Jonah Beckford
Priority: Minor
Conditions
- userPassword is stored as {SHA} (or some other one-way encryption) in the DIT
- authentication request has password credentials sent in plain text
Behavior
- The first authentication request is successful.
- All subsequent requests fail
Cause
- The one-way encrypted password is stored in the credentialCache after the first request, and subsequent (plain text) requests don't match what is stored in the credentialCache
Fix
- Do the same match checking on each request, regardless whether in cache or not in cache
- Change SimpleAuthenticator::authenticate from:
    if ( principal != null )
    {
        // Found ! Are the password equals ?
        credentialsMatch = Arrays.equals( credentials, principal.getUserPassword() );
    }
    else
    {
        // Not found :(...
        // Get the user password from the backend
        byte[] userPassword = lookupUserPassword( principalDn );
        ... BLOCK # 1 ...
    }
to:
    // Get the user password (from the backend if not in the cache)
    byte[] userPassword = null;
    if ( principal == null )
    {
        userPassword = lookupUserPassword( principalDn );
    }
    else
    {
        userPassword = principal.getUserPassword();
    }
    ... BLOCK # 1 ...
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
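The cache/verify interaction the report describes, as an added stand-alone Java example. This is not ApacheDS code: the `dit` map, the `credentialCache` map, the `{SHA}`/`{SSHA}` encoders, `credentialsMatch` and the two `authenticate*` variants are simplified stand-ins, and "BLOCK # 1" is assumed to be a scheme-aware comparison of the kind `credentialsMatch` performs. It goes slightly beyond the report by also handling the salted `{SSHA}` scheme, to show that the fix holds for any one-way scheme, not only `{SHA}`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Model of the bind path from DIRSERVER-1007. Example code, not ApacheDS source:
// the DIT, the credential cache and both authenticate variants are stand-ins.
public class CachedHashBindDemo {

    // Constructed stand-in for the DIT: dn -> stored userPassword value.
    static final Map<String, byte[]> dit = new HashMap<>();
    // Stand-in for SimpleAuthenticator's credentialCache: dn -> stored userPassword value.
    static final Map<String, byte[]> credentialCache = new HashMap<>();

    static byte[] lookupUserPassword(String dn) {
        return dit.get(dn);
    }

    static byte[] sha1(byte[]... parts) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            for (byte[] p : parts) md.update(p);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // "{SHA}" + base64(sha1(password)), the RFC 2307 style userPassword scheme.
    static byte[] encodeSha(byte[] password) {
        return ("{SHA}" + Base64.getEncoder().encodeToString(sha1(password)))
                .getBytes(StandardCharsets.UTF_8);
    }

    // "{SSHA}" + base64(sha1(password || salt) || salt).
    static byte[] encodeSsha(byte[] password, byte[] salt) {
        byte[] digest = sha1(password, salt);
        byte[] blob = Arrays.copyOf(digest, digest.length + salt.length);
        System.arraycopy(salt, 0, blob, digest.length, salt.length);
        return ("{SSHA}" + Base64.getEncoder().encodeToString(blob))
                .getBytes(StandardCharsets.UTF_8);
    }

    // Scheme-aware check of clear-text bind credentials against the stored value
    // (what "BLOCK # 1" in the report is assumed to do). Constant-time compare.
    static boolean credentialsMatch(byte[] credentials, byte[] userPassword) {
        String stored = new String(userPassword, StandardCharsets.UTF_8);
        if (stored.startsWith("{SHA}")) {
            byte[] expected = Base64.getDecoder().decode(stored.substring(5));
            return MessageDigest.isEqual(sha1(credentials), expected);
        }
        if (stored.startsWith("{SSHA}")) {
            byte[] blob = Base64.getDecoder().decode(stored.substring(6));
            byte[] expected = Arrays.copyOfRange(blob, 0, 20);     // SHA-1 digest is 20 bytes
            byte[] salt = Arrays.copyOfRange(blob, 20, blob.length);
            return MessageDigest.isEqual(sha1(credentials, salt), expected);
        }
        // No scheme prefix: the attribute holds the clear-text password.
        return MessageDigest.isEqual(credentials, userPassword);
    }

    // Flow as reported for 1.5.0: a cache hit compares the clear-text bind
    // password to the cached (hashed) value, so only the first bind succeeds.
    static boolean authenticateBuggy(String dn, byte[] credentials) {
        byte[] cached = credentialCache.get(dn);
        if (cached != null) {
            return Arrays.equals(credentials, cached);
        }
        byte[] userPassword = lookupUserPassword(dn);
        boolean ok = userPassword != null && credentialsMatch(credentials, userPassword);
        if (ok) credentialCache.put(dn, userPassword);
        return ok;
    }

    // Flow proposed in the report: the same scheme-aware comparison runs
    // whether the stored value came from the cache or from the backend.
    static boolean authenticateFixed(String dn, byte[] credentials) {
        byte[] cached = credentialCache.get(dn);
        byte[] userPassword = (cached != null) ? cached : lookupUserPassword(dn);
        boolean ok = userPassword != null && credentialsMatch(credentials, userPassword);
        if (ok && cached == null) credentialCache.put(dn, userPassword);
        return ok;
    }

    public static void main(String[] args) {
        byte[] pw = "s3cret".getBytes(StandardCharsets.UTF_8);
        String alice = "uid=alice,ou=users,o=example";   // constructed DNs
        String bob = "uid=bob,ou=users,o=example";
        dit.put(alice, encodeSha(pw));
        dit.put(bob, encodeSsha(pw, new byte[] {1, 2, 3, 4}));

        System.out.println("buggy, 1st bind: " + authenticateBuggy(alice, pw));   // true
        System.out.println("buggy, 2nd bind: " + authenticateBuggy(alice, pw));   // false
        credentialCache.clear();
        System.out.println("fixed, 1st bind: " + authenticateFixed(alice, pw));   // true
        System.out.println("fixed, 2nd bind: " + authenticateFixed(alice, pw));   // true
        System.out.println("fixed, {SSHA}:   " + authenticateFixed(bob, pw));     // true
        System.out.println("fixed, wrong pw: " + authenticateFixed(bob,
                "wrong".getBytes(StandardCharsets.UTF_8)));                       // false
    }
}
```

Two points worth keeping in mind when reading the fix. The cache holds the stored attribute value, never the clear-text bind password, which is the right thing to cache; the report's change is only that the comparison must stay scheme-aware on a cache hit. And because the cached value is a copy of userPassword, an implementation that caches it this way has to evict the entry when that attribute is modified, or a changed password is not honoured until the entry expires. `Arrays.equals`, used in the 1.5.0 code, is also not a constant-time comparison; `MessageDigest.isEqual` is the usual JDK choice for comparing credential material.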
[jira] Closed: (DIRSERVER-1007) SimpleAuthenticator rejects cached one-way encrypted passwords
Posted by "Chris Custine (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1007?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chris Custine closed DIRSERVER-1007.
------------------------------------
Resolution: Duplicate
Fix Version/s: 1.5.1
This duplicates DIRSERVER-901 and has been fixed for 1.5.1.