[ https://issues.apache.org/jira/browse/QPID-1536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Gemmell updated QPID-1536:
---------------------------------

    Attachment: QPID-1536_22feb2009.patch

I attach QPID-1536_22feb2009.patch to resolve this. It should be applied after 
QPID-1537.

The patch converts the B64MD5 PD to accept plain text input on all methods 
requiring the password, and obviously retains the MD5-hashed output as 
previously existed since the plain version is generally unknown.

The initial changes to the DB are similar to the changes committed previously 
for this JIRA in December, but when examining those changes I noticed an issue 
with the previous implementation that I have made further additions to correct. 
I made additions to the B64MD5 PD Test while validating the problem and testing 
the solution. The patch also modifies the JMX RMI authentication mechanism to 
make use of the verifyPassword() method of the PD's instead of performing its 
own local hashing. Finally, the management console is updated accordingly, to 
send plain text for version2 user management mbeans, and hashed passwords for 
version1 mbeans (which works because the PlainPD paired with beans of that 
version cannot be updated).

The issue I found was that whilst the saved file correctly reflected the MD5 
hashed Base64 encoded password, for any account created using the 
UserManagement area of the management console the broker would hold the plain 
text password in memory and return that as the password when requested, until 
the broker was restarted or the user data was reloaded, at which point the MD5 
encoded version would be read in from file and used. Additionally this was a 
problem when updating passwords in the PD, as it retains the old password 
during the process and in the event of an issue with saving the new password file 
puts the old password back in memory, which was a problem because it would be 
taking an MD5 hashed output and giving it back to a method expecting plain 
text. I addressed this by adding a boolean to the setPassword method in the 
HashedUser class to indicate whether the input being provided was already 
hashed or not.

> Convert Base64MD5PFPD to expect plain text passwords.
> -----------------------------------------------------
>
>                 Key: QPID-1536
>                 URL: https://issues.apache.org/jira/browse/QPID-1536
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>    Affects Versions: M3
>            Reporter: Martin Ritchie
>            Priority: Minor
>         Attachments: QPID-1536_22feb2009.patch
>
>
> Summary:
> If we are to have any hope of a consistent interface for User Management we 
> need all the back end databases to take the same input. Currently the 
> Base64MD5 version expects to receive the password already hashed. This is not 
> sensible and it should do the hashing itself.
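An added illustration of the behaviour the comment describes (example code, not Qpid's own; the class and method names `HashedUser`, `setPassword(String, boolean)`, `verifyPassword` and `updatePassword` are assumed): the user record only ever holds the Base64-encoded MD5 form in memory, the boolean tells `setPassword` whether its input is already hashed, and the rollback path passes the saved old value back as hashed rather than as plain text.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class HashedUserExample {

    /** Holds Base64(MD5(password)) in memory, never the plain text (assumed shape, not Qpid's class). */
    static final class HashedUser {
        private byte[] encodedHash;

        HashedUser(String password, boolean alreadyHashed) { setPassword(password, alreadyHashed); }

        /** alreadyHashed=true: input is the Base64/MD5 string read from file or a previously saved value. */
        void setPassword(String password, boolean alreadyHashed) {
            encodedHash = alreadyHashed ? password.getBytes(StandardCharsets.US_ASCII) : encode(password);
        }

        /** Hash the supplied plain text and compare in constant time with the stored form. */
        boolean verifyPassword(String plainText) {
            return MessageDigest.isEqual(encodedHash, encode(plainText));
        }

        String getEncodedPassword() { return new String(encodedHash, StandardCharsets.US_ASCII); }

        // Unsalted MD5 is what this password database format uses; it is not a modern password hash.
        static byte[] encode(String plainText) {
            try {
                byte[] digest = MessageDigest.getInstance("MD5").digest(plainText.getBytes(StandardCharsets.UTF_8));
                return Base64.getEncoder().encode(digest);
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException(e);
            }
        }
    }

    /** Update flow: remember the old encoded value, try to save, restore it as *hashed* if saving fails. */
    static boolean updatePassword(HashedUser user, String newPlain, boolean saveSucceeds) {
        String oldEncoded = user.getEncodedPassword();
        user.setPassword(newPlain, false);          // console sends plain text
        if (!saveSucceeds) {
            user.setPassword(oldEncoded, true);     // old value is already hashed, so say so
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        HashedUser live = new HashedUser("s3cret", false);                        // created via console
        HashedUser reloaded = new HashedUser(live.getEncodedPassword(), true);    // read back from file
        System.out.println(live.verifyPassword("s3cret") && reloaded.verifyPassword("s3cret")); // true
        updatePassword(live, "newpass", false);                                   // save fails, roll back
        System.out.println(live.verifyPassword("s3cret") && !live.verifyPassword("newpass"));   // true
    }
}
```

Without the boolean, the rollback would re-hash the already-hashed old value and the user could no longer authenticate with either password.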

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:[email protected]
