Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/08/17 11:52:44 UTC
[tomcat] branch 10.0.x updated: Bugfix for 65479 -
PasswordValidationCallback does not return validation result in getResult
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.0.x by this push:
new 2609815 Bugfix for 65479 - PasswordValidationCallback does not return validation result in getResult
2609815 is described below
commit 26098150aa6c7562f9bff65effc27959aaef3648
Author: Robert Rodewald <r....@airitsystems.de>
AuthorDate: Mon Aug 2 11:27:08 2021 +0200
Bugfix for 65479 - PasswordValidationCallback does not return validation
result in getResult
---
.../apache/catalina/authenticator/jaspic/CallbackHandlerImpl.java | 1 +
.../authenticator/TestJaspicCallbackHandlerInAuthenticator.java | 2 ++
webapps/docs/changelog.xml | 7 +++++++
3 files changed, 10 insertions(+)
diff --git a/java/org/apache/catalina/authenticator/jaspic/CallbackHandlerImpl.java b/java/org/apache/catalina/authenticator/jaspic/CallbackHandlerImpl.java
index 59381a6..75d230f 100644
--- a/java/org/apache/catalina/authenticator/jaspic/CallbackHandlerImpl.java
+++ b/java/org/apache/catalina/authenticator/jaspic/CallbackHandlerImpl.java
@@ -80,6 +80,7 @@ public class CallbackHandlerImpl implements CallbackHandler, Contained {
PasswordValidationCallback pvc = (PasswordValidationCallback) callback;
principal = container.getRealm().authenticate(pvc.getUsername(),
String.valueOf(pvc.getPassword()));
+ pvc.setResult(principal != null);
subject = pvc.getSubject();
}
} else {
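Review bot: A null password would make `String.valueOf(pvc.getPassword())` throw a NullPointerException before the added `pvc.setResult(principal != null);` line is reached, so the caller would get a runtime exception instead of a failed validation; this assumes the callback can be constructed with a null password, which the hunk does not show. Reading the array first, `char[] pw = pvc.getPassword();`, and then `principal = (pw == null) ? null : container.getRealm().authenticate(pvc.getUsername(), String.valueOf(pw));` would keep that case on the `setResult(false)` path. The conversion also creates an immutable String copy of the password that clearing the callback's char array cannot wipe; the visible call passes a String to the realm, so a short comment noting that trade-off would help the next reader. The enclosing handle method starts and ends outside the hunk, so an earlier null check may already exist.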
diff --git a/test/org/apache/catalina/authenticator/TestJaspicCallbackHandlerInAuthenticator.java b/test/org/apache/catalina/authenticator/TestJaspicCallbackHandlerInAuthenticator.java
index 807c49b..32d1475 100644
--- a/test/org/apache/catalina/authenticator/TestJaspicCallbackHandlerInAuthenticator.java
+++ b/test/org/apache/catalina/authenticator/TestJaspicCallbackHandlerInAuthenticator.java
@@ -116,9 +116,11 @@ public class TestJaspicCallbackHandlerInAuthenticator {
PasswordValidationCallback pvc1 = new PasswordValidationCallback(clientSubject, "name1",
"password".toCharArray());
callbackHandler.handle(new Callback[] { pvc1 });
+ Assert.assertTrue(pvc1.getResult());
PasswordValidationCallback pvc2 = new PasswordValidationCallback(clientSubject, "name2",
"invalid".toCharArray());
callbackHandler.handle(new Callback[] { pvc2 });
+ Assert.assertFalse(pvc2.getResult());
Set<Object> credentials = clientSubject.getPrivateCredentials();
Assert.assertTrue(credentials.size() == 1);
GenericPrincipal gp = (GenericPrincipal) credentials.iterator().next();
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e7e1369..9162ebb 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -120,6 +120,13 @@
body is no longer sent. This acts as an additional signal to the client
that the request experienced an error. (markt)
</fix>
+ <fix>
+ <bug>65479</bug>: When handling requests using JASPIC authentication,
+ ensure that <code>PasswordValidationCallback.getResult()</code> returns
+ the result of the password validation rather than always returning
+ <code>false</code>. Fixed via pull request <pr>438</pr> provided by
+ Robert Rodewald. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">