Posted to scm@geronimo.apache.org by dw...@apache.org on 2010/02/08 16:21:45 UTC

svn commit: r907687 - /geronimo/server/branches/2.2/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java

Author: dwoods
Date: Mon Feb  8 15:21:45 2010
New Revision: 907687

URL: http://svn.apache.org/viewvc?rev=907687&view=rev
Log:
GERONIMO-5132  In debug mode Properties file login module returns loginsucceeded as true for non-existent users and null password.  Patch contributed by Ashish Jain.

Modified:
    geronimo/server/branches/2.2/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java

Modified: geronimo/server/branches/2.2/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.2/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java?rev=907687&r1=907686&r2=907687&view=diff
==============================================================================
--- geronimo/server/branches/2.2/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java (original)
+++ geronimo/server/branches/2.2/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java Mon Feb  8 15:21:45 2010
@@ -193,8 +193,13 @@
             throw new FailedLoginException();
         }
         String realPassword = users.getProperty(username);
-        // Decrypt the password if needed, so we can compare it with the supplied one
-        if (realPassword != null) {
+        if (realPassword == null || realPassword.equals("")) {
+            // Clear out the private state
+            username = null;
+            password = null;
+            throw new FailedLoginException();
+        } else {
+            // Decrypt the password if needed, so we can compare it with the supplied one
             realPassword = (String) EncryptionManager.decrypt(realPassword);
         }
         char[] entered = ((PasswordCallback) callbacks[1]).getPassword();
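Review bot: The new `realPassword == null || realPassword.equals("")` branch clears `username` and `password` but never sets the login-succeeded flag named in the log message to false before `throw new FailedLoginException();`. If that flag is not reset at the top of the login method, a reused module instance could still report a stale value, so either set it to false explicitly in this branch or confirm the reset happens earlier. Throwing the same message-less `FailedLoginException` for an unknown user as the existing throw above is the right call, since it avoids telling the caller which usernames exist. Note that the rejection now happens before the entered password is read and compared, so unknown users fail on a shorter code path than wrong passwords; if timing-based user enumeration matters for this realm, consider doing the comparison against a dummy value before throwing. The commit modifies only this file, so a regression test covering a non-existent user and an empty stored password entry would be worth adding.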