Author: schultz
Date: Mon Oct  5 04:15:24 2015
New Revision: 1706745

URL: http://svn.apache.org/viewvc?rev=1706745&view=rev
Log:
Perform null-checking on input and stored credentials before passing them off 
to CredentialHandlers for matching.

Modified:
    tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java
    tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java
    tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java

Modified: tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1706745&r1=1706744&r2=1706745&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java Mon Oct  5 
04:15:24 2015
@@ -386,6 +386,13 @@ public class JDBCRealm
         // Look up the user's credentials
         String dbCredentials = getPassword(username);
 
+        if (credentials == null || dbCredentials == null) {
+            if (containerLog.isTraceEnabled())
+                
containerLog.trace(sm.getString("jdbcRealm.authenticateFailure",
+                                                username));
+            return null;
+        }
+
         // Validate the user's credentials
         boolean validated = getCredentialHandler().matches(credentials, 
dbCredentials);
 
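Review bot: Returning as soon as `dbCredentials == null` means a login for a name with no stored credentials never reaches `getCredentialHandler().matches(...)`, so it can finish faster than a wrong-password attempt against a real account. With an iterated or salted handler that gap may be measurable, and it lets a client tell valid usernames from invalid ones. Consider spending comparable work on the failure path before `return null;`, for example `if (credentials != null) getCredentialHandler().mutate(credentials);`, and confirm the cost matches for the configured handler. The same early return is added in the MemoryRealm and RealmBase hunks. Whether the gap already existed depends on how each handler treated a null stored value, and the method bodies extend outside the hunks, so neither can be judged from here.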

Modified: tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java?rev=1706745&r1=1706744&r2=1706745&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/MemoryRealm.java Mon Oct  5 
04:15:24 2015
@@ -119,6 +119,11 @@ public class MemoryRealm  extends RealmB
         if (principal == null) {
             validated = false;
         } else {
+            if (credentials == null || principal.getPassword() == null) {
+                if (log.isDebugEnabled())
+                    log.debug(sm.getString("memoryRealm.authenticateFailure", 
username));
+                return (null);
+            }
             validated = getCredentialHandler().matches(credentials, 
principal.getPassword());
         }
 
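Review bot: The new branch exits with `return (null);`, while the sibling `principal == null` branch just above records the failure as `validated = false` and falls through, so the two rejection cases now take different paths. Writing `validated = false;` in the new branch, with the `matches(...)` call moved into an `else`, would keep a single failure exit. The code after the hunk is not visible, so confirm that it logs and returns null when `validated` is false. If the early return stays, write it as `return null;` and put braces around the body of `if (log.isDebugEnabled())`, matching the RealmBase hunk. This branch also logs at debug while the other two realms log at trace.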

Modified: tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java?rev=1706745&r1=1706744&r2=1706745&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java Mon Oct  5 
04:15:24 2015
@@ -305,6 +305,14 @@ public abstract class RealmBase extends
 
         String serverCredentials = getPassword(username);
 
+        if (credentials == null || serverCredentials == null) {
+            if (containerLog.isTraceEnabled()) {
+                
containerLog.trace(sm.getString("realmBase.authenticateFailure",
+                                                username));
+            }
+            return null;
+        }
+
         boolean validated = getCredentialHandler().matches(credentials, 
serverCredentials);
         if (!validated) {
             if (containerLog.isTraceEnabled()) {
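Review bot: The added guard has no comment saying why a null on either side is treated as a failed login instead of being handed to the handler. A line above the `if`, such as `// CredentialHandler.matches() may not tolerate null; a missing supplied or stored credential is an authentication failure`, would record the intent stated in the commit log. It would also help to note that a null `serverCredentials` presumably means `getPassword(username)` found no entry, since the single trace message does not distinguish that from a null supplied credential. The method continues past the end of the hunk.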


