[
https://issues.apache.org/jira/browse/DIRSERVER-868?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Emmanuel Lecharny closed DIRSERVER-868.
---------------------------------------
Fixed
> SimpleAuthenticator contains many potential pbs
> -----------------------------------------------
>
> Key: DIRSERVER-868
> URL: https://issues.apache.org/jira/browse/DIRSERVER-868
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 1.0.1, 1.5.0
> Reporter: Emmanuel Lecharny
> Assigned To: Emmanuel Lecharny
> Fix For: 1.5.0
>
>
> While analysing the Authenticator classes, I found that the
> SimpleAuthenticator won't deal correctly with many potential cases:
> - The credentials stored in the java.naming.security.credentials may be a
> byte array, so transforming it to a String may simply fail
> - as we use a WeakHashMap to store some cached passwords, it would be good to
> check that the password has correctly been got from the cache, not that the
> password exists in the cache then try to get it. We may have a null password
> in this case.
> - it may be possible that the user hasn't created a password. In this case,
> we will get an Authentication error because the password won't be found on
> the server, and the code is expecting to get something.
> - if the password is encrypted, it must be stored as a base 64 encoded String
> into the server, prefixed with the encryption mechanism. This is OK, but then
> we can compare passwords using a String comparison, not an Arrays.equals() on
> byte arrays, as both elements are Strings.
> I might have missed some steps, or be wrong, so consider this JIRA as a
> reminder for the real issues.
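The first three points of the report above, as an added Java sketch that is not ApacheDS code: credentials that arrive as either a String or a byte array, a single cache lookup with a null check, and an entry with no stored password. The class name, method names and the in-memory `backend` map are assumptions made for this example, and only plain-text passwords are handled.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.WeakHashMap;

// Added illustration; all names are hypothetical, not the ApacheDS classes.
public class SimpleBindSketch {
    private final Map<String, byte[]> cache = new WeakHashMap<>();

    // java.naming.security.credentials may hold a String or a byte[].
    static byte[] toBytes(Object credentials) {
        if (credentials instanceof byte[]) {
            return (byte[]) credentials;
        }
        if (credentials instanceof String) {
            return ((String) credentials).getBytes(StandardCharsets.UTF_8);
        }
        return null; // absent or unsupported type: the caller rejects the bind
    }

    // One get() and a null check. containsKey() followed by get() can still
    // yield null when the weak entry is collected between the two calls.
    byte[] lookup(String dn, Map<String, byte[]> backend) {
        byte[] stored = cache.get(dn);
        if (stored == null) {
            stored = backend.get(dn); // null when the entry has no password
            if (stored != null) {
                cache.put(dn, stored);
            }
        }
        return stored;
    }

    boolean authenticate(String dn, Object credentials, Map<String, byte[]> backend) {
        byte[] presented = toBytes(credentials);
        byte[] stored = lookup(dn, backend);
        if (presented == null || stored == null) {
            return false; // fail closed instead of throwing on a missing value
        }
        return MessageDigest.isEqual(stored, presented); // plain-text case only
    }

    public static void main(String[] args) {
        SimpleBindSketch s = new SimpleBindSketch();
        // Constructed sample data standing in for the directory backend.
        Map<String, byte[]> backend = Map.of("uid=admin,ou=system", "secret".getBytes(StandardCharsets.UTF_8));
        System.out.println(s.authenticate("uid=admin,ou=system", "secret", backend));
        System.out.println(s.authenticate("uid=admin,ou=system", "secret".getBytes(StandardCharsets.UTF_8), backend));
        System.out.println(s.authenticate("uid=nopass,ou=users", "secret", backend));
    }
}
```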