[ http://jira.codehaus.org/browse/XFIRE-1034?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_99281 ]

Mike Wiesner commented on XFIRE-1034:
-------------------------------------

JIRA breaks the code formatting, so here is the code again:

Actual code:

    if (username != null)
    {
        client.getParams().setAuthenticationPreemptive(true);
        String password = (String) context.getContextualProperty(Channel.PASSWORD);
        state.setCredentials(AuthScope.ANY, getCredentials(username, password));
    }

This should be appended:

    else
    {
        client.getParams().setAuthenticationPreemptive(false);
        state.setCredentials(AuthScope.ANY, null);
    }


> CommonsHttpMessageSender doesn't reset AuthenticationPreemptive
> ---------------------------------------------------------------
>
>                 Key: XFIRE-1034
>                 URL: http://jira.codehaus.org/browse/XFIRE-1034
>             Project: XFire
>          Issue Type: Bug
>          Components: Core
>            Reporter: Mike Wiesner
>            Assignee: Dan Diephouse
>
> In the open method of CommonsHttpMessageSender the private method
> getCredentials is called if the property Channel.USERNAME is set. In this
> method setAuthenticationPreemptive of the underlying Commons HttpClient
> is set, and it also returns the Credentials for Commons HttpClient.
> If for some reason, maybe because the user logged out, the username isn't set any more,
> setAuthenticationPreemptive and the credentials in the Commons HttpClient
> aren't reset, and therefore it still performs Basic Authentication,
> which is a serious security bug.
> Here is the actual code:
>
>     if (username != null)
>     {
>         client.getParams().setAuthenticationPreemptive(true);
>         String password = (String) context.getContextualProperty(Channel.PASSWORD);
>         state.setCredentials(AuthScope.ANY, getCredentials(username, password));
>     }
>
> To enforce the reset there should also be an else condition like that:
>
>     else
>     {
>         client.getParams().setAuthenticationPreemptive(false);
>         state.setCredentials(AuthScope.ANY, null);
>     }
> By the way, the method getCredentials shouldn't be private, so that you can
> subclass it and set your own Credentials instance rather than only setting
> username and password as Strings.
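A stand-alone regression check for the reset described in the issue, added here as an example and not part of XFire's CommonsHttpMessageSender: it assumes only Commons HttpClient 3.x on the classpath, and the method name configureAuth, the helper isAuthCleared and the sample username/password are constructed for the example.

```java
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpState;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;

public class AuthResetCheck {

    // Mirrors the fixed logic from the issue: credentials and preemptive auth
    // are set when a username is present and explicitly cleared when it is not.
    // (Added example; the real sender reads username/password from its context.)
    static void configureAuth(HttpClient client, String username, String password) {
        HttpState state = client.getState();
        if (username != null) {
            client.getParams().setAuthenticationPreemptive(true);
            state.setCredentials(AuthScope.ANY,
                    new UsernamePasswordCredentials(username, password));
        } else {
            // Without this branch a reused client keeps sending Basic auth
            // for the previous user on every later request.
            client.getParams().setAuthenticationPreemptive(false);
            state.setCredentials(AuthScope.ANY, null);
        }
    }

    // True only if the client holds no credentials and will not add an
    // Authorization header before being challenged.
    static boolean isAuthCleared(HttpClient client) {
        return !client.getParams().isAuthenticationPreemptive()
                && client.getState().getCredentials(AuthScope.ANY) == null;
    }

    public static void main(String[] args) {
        HttpClient client = new HttpClient(); // one client reused across sends, as the sender does

        configureAuth(client, "alice", "secret"); // constructed sample credentials
        if (isAuthCleared(client)) {
            throw new AssertionError("credentials should be set while a username is present");
        }

        configureAuth(client, null, null); // user logged out: Channel.USERNAME no longer set
        if (!isAuthCleared(client)) {
            throw new AssertionError("stale Basic credentials survived the logout");
        }

        System.out.println("credentials and preemptive auth reset correctly");
    }
}
```

Dropping the else branch from configureAuth makes the second check fail, which is the behaviour the issue reports.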

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
