[ https://issues.apache.org/jira/browse/GERONIMO-3404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vamsavardhana Reddy updated GERONIMO-3404: ------------------------------------------ Attachment: GERONIMO-3404.patch The problem is due to login() method in LoginModule implementations returning false incase of a failed login whereas it should actually be throwing a LoginException. GERONIMO-3404.patch: Changes the "return false" to "throw FailedLoginException()" incase of login failures. This problem should have been fixed as part of GERONIMO-1201. Now that this problem had surfaced, I would suggest that we review/revise this patch and other LoginModule implementors in the code to closely follow the JAAS Documentation http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASLMDevGuide.html#login > Using a Null Username allows access to a running 2.0 server > ----------------------------------------------------------- > > Key: GERONIMO-3404 > URL: https://issues.apache.org/jira/browse/GERONIMO-3404 > Project: Geronimo > Issue Type: Bug > Security Level: public(Regular issues) > Components: security > Affects Versions: 2.0 > Environment: Released geronimo-tomcat6-jee5-2.0-bin.zip on WinXP and > on Linux > Reporter: Donald Woods > Priority: Critical > Fix For: 2.0.x, 2.1 > > Attachments: GERONIMO-3404.patch > > > I was just testing the geronimo-tomcat6-jee5-2.0-bin.zip on a new WinXP > machine and discovered that anyone can administer a Geronimo server (local or > remotely) if they enter a null Username when prompted by the deploy or > geronimo scripts. I verified that the <user_home>\.geronimo-deployer file > did not exist on the WinXP machine and on a Linux box I used to verify the > remote scenario.... -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.