PlainSaslServer doesn't check passwords
---------------------------------------
Key: QPID-474
URL: https://issues.apache.org/jira/browse/QPID-474
Project: Qpid
Issue Type: Bug
Affects Versions: M1, M2
Reporter: Martin Ritchie
This is a snippet from the evaluateResponse method:
    String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8");
    // BUG: the client-supplied password is written INTO the callback instead of
    // being compared against the stored one later.
    passwordCb.setPassword(pwd.toCharArray());
    AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid);
    Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
    _cbh.handle(callbacks);
    _complete = true;
    // the authzCb is always set to true!!! see UsernamePasswordInitialiser
    //   else if (callback instanceof AuthorizeCallback) {
    //       ((AuthorizeCallback) callback).setAuthorized(true);
    // so this will always allow access.
    if (authzCb.isAuthorized())
    {
        _authorizationId = authzCb.getAuthenticationID();
        return null;
    }
    else
    {
        throw new SaslException("Authentication failed");
    }
What needs to be done:

This line is wrong:

    passwordCb.setPassword(pwd.toCharArray());

This is done in the PrincipalDatabases. So after the handle call,
passwordCb.getPassword() should be compared to pwd, verifying the password is
correct.
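The corrected flow described above, as an added illustration that is not Qpid's own code: a hypothetical callback handler stands in for the PrincipalDatabase (it fills in the stored password and, like UsernamePasswordInitialiser, always authorizes), and evaluate() parses the PLAIN response, lets the handler supply the stored password, and only then compares it with what the client sent. The user name and password are constructed sample values.

```java
import javax.security.auth.callback.*;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.SaslException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical handler modelled on the report: supplies the stored password
// and marks every AuthorizeCallback authorized, so it proves nothing on its own.
class StoredPasswordHandler implements CallbackHandler {
    private final String stored; // constructed sample credential
    StoredPasswordHandler(String stored) { this.stored = stored; }
    public void handle(Callback[] callbacks) {
        for (Callback cb : callbacks) {
            if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(stored.toCharArray());
            } else if (cb instanceof AuthorizeCallback) {
                ((AuthorizeCallback) cb).setAuthorized(true);
            }
        }
    }
}

public class PlainCheckDemo {
    // Corrected flow: parse "authzid\0authcid\0passwd", let the handler fill in
    // the stored password, then compare it with the client-supplied one.
    static String evaluate(byte[] response, CallbackHandler cbh) throws Exception {
        String[] parts = new String(response, StandardCharsets.UTF_8).split("\0", -1);
        if (parts.length != 3) throw new SaslException("Invalid PLAIN response");
        String authzid = parts[0], authcid = parts[1], pwd = parts[2];
        NameCallback nameCb = new NameCallback("username", authcid);
        PasswordCallback passwordCb = new PasswordCallback("password", false);
        AuthorizeCallback authzCb =
            new AuthorizeCallback(authcid, authzid.isEmpty() ? authcid : authzid);
        cbh.handle(new Callback[]{nameCb, passwordCb, authzCb});
        char[] stored = passwordCb.getPassword();
        passwordCb.clearPassword();
        // The password check the original code lacked; MessageDigest.isEqual
        // avoids an early-exit comparison.
        boolean match = stored != null && MessageDigest.isEqual(
            String.valueOf(stored).getBytes(StandardCharsets.UTF_8),
            pwd.getBytes(StandardCharsets.UTF_8));
        if (!match || !authzCb.isAuthorized()) throw new SaslException("Authentication failed");
        return authzCb.getAuthorizedID();
    }
    public static void main(String[] args) throws Exception {
        CallbackHandler h = new StoredPasswordHandler("correct-horse");
        System.out.println(evaluate("\0guest\0correct-horse".getBytes(StandardCharsets.UTF_8), h));
        try { evaluate("\0guest\0wrong".getBytes(StandardCharsets.UTF_8), h); }
        catch (SaslException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```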