In debug mode Properties file login module returns loginsucceeded as true for
non-existent users and null password
-----------------------------------------------------------------------------------------------------------------
Key: GERONIMO-4983
URL: https://issues.apache.org/jira/browse/GERONIMO-4983
Project: Geronimo
Issue Type: Bug
Security Level: public (Regular issues)
Affects Versions: 2.1.4, 2.2
Environment: Windows XP, Eclipse
Reporter: Ashish Jain
Fix For: 2.2.1

While debugging some of the login fallback code I see that
PropertiesFileLoginModule.java returns loginsucceeded as true for a
non-existent user and null password.

This happens under the following use case.
In the BasicAuthenticator code I have the following:

    String username = header.substring(10);
    String password = null;
    principal = context.getRealm().authenticate(username, password);

In the login method of PropertiesFileLoginModule, as per the above use case, we
will have realPassword as null and password as null. As a result,
"if (!checkPassword(realPassword, password))" will be skipped, resulting in
loginSucceeded=true.
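
A simplified model of the failure described in this report, set beside a fail-closed version. This is an added example, not Geronimo's source or the reporter's code. The guard shape in `loginFlawed`, the class name and the sample user `alice` are assumptions; the report only states that the `checkPassword` call is skipped when both values are null.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Properties;
import javax.security.auth.login.FailedLoginException;

// Simplified model for illustration, not Geronimo's PropertiesFileLoginModule.
public class NullPasswordLoginDemo {
    // Constructed sample data standing in for the users properties file.
    static final Properties USERS = new Properties();
    static { USERS.setProperty("alice", "s3cret"); }

    // Assumed shape of the flaw: the comparison runs only when a value is present,
    // so an unknown user (realPassword == null) with a null password falls through.
    static boolean loginFlawed(String username, String password) throws FailedLoginException {
        String realPassword = USERS.getProperty(username);
        if (realPassword != null || password != null) {
            if (!checkPassword(realPassword, password)) {
                throw new FailedLoginException("Password does not match");
            }
        }
        return true; // corresponds to loginSucceeded = true
    }

    // Fail closed: unknown user, missing stored password or missing supplied
    // password are all authentication failures, decided before any comparison.
    static boolean loginHardened(String username, String password) throws FailedLoginException {
        String realPassword = (username == null) ? null : USERS.getProperty(username);
        if (realPassword == null || password == null || !checkPassword(realPassword, password)) {
            throw new FailedLoginException("Authentication failed");
        }
        return true;
    }

    // Null-safe comparison; MessageDigest.isEqual avoids an early-exit byte compare.
    static boolean checkPassword(String real, String provided) {
        if (real == null || provided == null) return false;
        return MessageDigest.isEqual(real.getBytes(StandardCharsets.UTF_8), provided.getBytes(StandardCharsets.UTF_8));
    }

    static boolean accepts(boolean hardened, String user, String pass) {
        try { return hardened ? loginHardened(user, pass) : loginFlawed(user, pass); }
        catch (FailedLoginException e) { return false; }
    }

    public static void main(String[] args) {
        System.out.println("flawed   ghost/null   accepted=" + accepts(false, "ghost", null));
        System.out.println("hardened ghost/null   accepted=" + accepts(true, "ghost", null));
        System.out.println("hardened alice/s3cret accepted=" + accepts(true, "alice", "s3cret"));
    }
}
```

A regression test for the fix should cover the unknown-user and null-password combination explicitly, since ordinary wrong-password tests do not reach this path.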