Posted to scm@geronimo.apache.org by dw...@apache.org on 2010/02/08 16:21:45 UTC
svn commit: r907687 -
/geronimo/server/branches/2.2/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
Author: dwoods
Date: Mon Feb 8 15:21:45 2010
New Revision: 907687
URL: http://svn.apache.org/viewvc?rev=907687&view=rev
Log:
GERONIMO-5132 In debug mode, the Properties file login module returns loginsucceeded as true for non-existent users and null passwords. Patch contributed by Ashish Jain.
Modified:
geronimo/server/branches/2.2/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
Modified: geronimo/server/branches/2.2/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.2/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java?rev=907687&r1=907686&r2=907687&view=diff
==============================================================================
--- geronimo/server/branches/2.2/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java (original)
+++ geronimo/server/branches/2.2/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java Mon Feb 8 15:21:45 2010
@@ -193,8 +193,13 @@
throw new FailedLoginException();
}
String realPassword = users.getProperty(username);
- // Decrypt the password if needed, so we can compare it with the supplied one
- if (realPassword != null) {
+ if (realPassword == null || realPassword.equals("")) {
+ // Clear out the private state
+ username = null;
+ password = null;
+ throw new FailedLoginException();
+ } else {
+ // Decrypt the password if needed, so we can compare it with the supplied one
realPassword = (String) EncryptionManager.decrypt(realPassword);
}
char[] entered = ((PasswordCallback) callbacks[1]).getPassword();
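Review bot: The new null/empty guard runs on the stored value before `EncryptionManager.decrypt(realPassword)`, so a stored entry that decrypts to an empty string (or to null, if decrypt can return that; its behaviour is not visible here) would still reach the comparison further down with an empty expected password. Consider decrypting first and applying the same fail-closed check to the result, e.g. `if (realPassword == null || realPassword.length() == 0) { username = null; password = null; throw new FailedLoginException(); }` placed after the decrypt call. A short comment on the guard such as `// Fail closed: unknown user or empty stored password must never authenticate` would also record why the empty case is rejected. The enclosing method begins and ends outside this hunk, so the comparison itself and the type of the `password` field could not be checked.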