Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/07/11 04:03:08 UTC

DO NOT REPLY [Bug 10623] - JDBCRealm lacks one DB commit, preventing successful authentication under certain circumstances

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10623

JDBCRealm lacks one DB commit, preventing successful authentication under certain circumstances

ricardo@agrafo.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|Major                       |Normal
         OS/Version|Linux                       |All
           Priority|Other                       |Medium
            Summary|JDBCRealm with Digest stops |JDBCRealm lacks one DB
                   |working after a while       |commit, preventing
                   |                            |successful authentication
                   |                            |under certain circumstances



------- Additional Comments From ricardo@agrafo.com  2002-07-11 02:03 -------
I've finally sorted it out. I couldn't reproduce the problem, so it was very
difficult to figure it out. It affects JDBCRealm regardless of using a digest or not.

The problem is in org.apache.catalina.realm.JDBCRealm about line 402 in method
"authenticate".

The transaction is only committed if the credentials are validated, otherwise the
method returns without committing the database transactions and thus will be
unaware of changes made to the database.

If a user forgets his password and a new one is inserted into the database, he
will never be able to log in, unless someone else logs in, thus committing the
transaction and making the changes visible to JDBCRealm.

Apparently Tomcat uses two instances of JDBCRealm, so one has to insert a wrong
password twice, and then update the password in the database, in order to
reproduce the problem.

This seems very easy to solve. Hope it can be fixed for the next Tomcat release.
Thanks. Keep up the excellent work.

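The stale-read behaviour described in this report, modelled as an added example (not Tomcat's JDBCRealm code and not part of the original message). It assumes a database whose open transaction keeps reading from a snapshot, with SQLite in WAL mode standing in for the realm's database; `ToyRealm`, `commit_on_failure` and the `users` table are hypothetical.

```python
import os
import sqlite3
import tempfile


def open_db(path):
    # isolation_level=None: no implicit transactions, BEGIN/COMMIT are issued explicitly.
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute("PRAGMA journal_mode=WAL")  # a reader keeps its snapshot while a writer commits
    return conn


class ToyRealm:
    """Hypothetical stand-in for a realm that holds one long-lived connection."""

    def __init__(self, path, commit_on_failure):
        self.conn = open_db(path)
        self.commit_on_failure = commit_on_failure
        self.in_tx = False

    def authenticate(self, user, password):
        if not self.in_tx:
            self.conn.execute("BEGIN")
            self.in_tx = True
        row = self.conn.execute(
            "SELECT password FROM users WHERE name = ?", (user,)).fetchone()
        ok = row is not None and row[0] == password
        # The reported behaviour corresponds to commit_on_failure=False:
        # a failed check returns with the read transaction still open.
        if ok or self.commit_on_failure:
            self.conn.execute("COMMIT")  # ends the snapshot on this connection
            self.in_tx = False
        return ok


def run_scenario(commit_on_failure):
    path = os.path.join(tempfile.mkdtemp(), "realm.db")
    admin = open_db(path)  # separate connection used to reset the password
    admin.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    admin.execute("INSERT INTO users VALUES ('alice', 'old-secret')")  # constructed data
    realm = ToyRealm(path, commit_on_failure)
    first = realm.authenticate("alice", "forgotten")   # wrong password
    admin.execute("UPDATE users SET password = 'new-secret' WHERE name = 'alice'")
    second = realm.authenticate("alice", "new-secret")  # login after the reset
    return first, second


if __name__ == "__main__":
    print("commit only on success:", run_scenario(False))
    print("commit on every path:  ", run_scenario(True))
```

With the commit skipped on failure, the second login is checked against the snapshot taken before the password reset and is rejected; ending the transaction on every return path makes the reset visible.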