[ https://issues.apache.org/jira/browse/QPID-474?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Ritchie updated QPID-474:
--------------------------------
Summary: AmqPlain & Plain SaslServer don't check passwords (was: PlainSaslServer doesn't check passwords)
> AmqPlain & Plain SaslServer don't check passwords
> -------------------------------------------------
>
> Key: QPID-474
> URL: https://issues.apache.org/jira/browse/QPID-474
> Project: Qpid
> Issue Type: Bug
> Affects Versions: M1, M2
> Reporter: Martin Ritchie
>
> This is a snippet from the evaluateResponse method:
> String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8");
> passwordCb.setPassword(pwd.toCharArray());
> AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid);
> Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
> _cbh.handle(callbacks);
> _complete = true;
> // the authzCb is always set to true!!! see UsernamePasswordInitialiser
> //     else if (callback instanceof AuthorizeCallback) {
> //         ((AuthorizeCallback) callback).setAuthorized(true);
> // so this will always allow access.
> if (authzCb.isAuthorized())
> {
>     _authorizationId = authzCb.getAuthenticationID();
>     return null;
> }
> else
> {
>     throw new SaslException("Authentication failed");
> }
> What needs to be done:
> This line is wrong:
> passwordCb.setPassword(pwd.toCharArray());
> This is done in the PrincipalDatabases.
> So after the handle call, passwordCb.getPassword() should be compared to pwd, verifying the password is correct.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
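For contrast with the snippet above, here is what the comparison the reporter asks for looks like in a minimal PLAIN evaluateResponse. This is an added example, not Qpid's code: the map-backed callback handler and the helper names are assumptions standing in for the PrincipalDatabase, and the AuthorizeCallback step (authzid versus authcid) is left out to keep the focus on the password check.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.sasl.SaslException;

public class PlainPasswordCheck {
    // Hypothetical stand-in for the PrincipalDatabase: it fills the PasswordCallback
    // with the password *stored* for the named user (null if the user is unknown).
    static CallbackHandler databaseHandler(Map<String, char[]> db) {
        return callbacks -> {
            String user = null;
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) user = ((NameCallback) cb).getDefaultName();
            }
            for (Callback cb : callbacks) {
                if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(db.get(user));
            }
        };
    }
    // Parses a SASL PLAIN response (authzid NUL authcid NUL passwd, RFC 4616), asks the
    // database for the stored password and compares it with the one the client sent.
    static String evaluateResponse(byte[] response, CallbackHandler cbh) throws SaslException {
        int nul1 = indexOf(response, 0), nul2 = nul1 < 0 ? -1 : indexOf(response, nul1 + 1);
        if (nul1 < 0 || nul2 <= nul1 + 1) throw new SaslException("Malformed PLAIN response");
        String authzid = new String(response, 0, nul1, StandardCharsets.UTF_8);
        String authcid = new String(response, nul1 + 1, nul2 - nul1 - 1, StandardCharsets.UTF_8);
        char[] supplied = new String(response, nul2 + 1, response.length - nul2 - 1,
                StandardCharsets.UTF_8).toCharArray();
        PasswordCallback passwordCb = new PasswordCallback("Password", false);
        try {   // the password callback is deliberately NOT pre-filled with the client's value
            cbh.handle(new Callback[]{new NameCallback("Username", authcid), passwordCb});
        } catch (Exception e) {
            throw new SaslException("Callback handler failed", e);
        }
        char[] stored = passwordCb.getPassword();
        // The fix: compare what the database holds with what the client sent (constant time).
        boolean ok = stored != null && MessageDigest.isEqual(utf8(stored), utf8(supplied));
        passwordCb.clearPassword();
        Arrays.fill(supplied, '\0');
        if (!ok) throw new SaslException("Authentication failed");
        return authzid.isEmpty() ? authcid : authzid;   // identity to authorize as
    }
    private static byte[] utf8(char[] c) { return new String(c).getBytes(StandardCharsets.UTF_8); }
    private static int indexOf(byte[] a, int from) {
        for (int i = from; i < a.length; i++) if (a[i] == 0) return i;
        return -1;
    }
}
```

With a HashMap holding one user and the handler from databaseHandler, a response carrying the wrong password throws "Authentication failed" where the original snippet would have returned success.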