cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java

2001-09-07 Thread ccain

ccain   01/09/07 11:51:36

  Modified:catalina/src/share/org/apache/catalina/realm JDBCRealm.java
JNDIRealm.java MemoryRealm.java
  Log:
  Change comparison of hex digests (in authentication) to be
  case-insensitive, as base16 values themselves are case-insensitive.
  
  Revision  ChangesPath
  1.18  +2 -2  
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
  
  Index: JDBCRealm.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- JDBCRealm.java2001/09/06 03:43:11 1.17
  +++ JDBCRealm.java2001/09/07 18:51:36 1.18
  @@ -95,7 +95,7 @@
   * @author Craig R. McClanahan
   * @author Carson McDonald
   * @author Ignacio Ortega
  -* @version $Revision: 1.17 $ $Date: 2001/09/06 03:43:11 $
  +* @version $Revision: 1.18 $ $Date: 2001/09/07 18:51:36 $
   */
   
   public class JDBCRealm
  @@ -384,7 +384,7 @@
   }
   
   // Validate the user's credentials
  -if (digest(credentials).equals(dbCredentials)) {
  +if (digest(credentials).equalsIgnoreCase(dbCredentials)) {
   if (debug = 2)
   log(sm.getString(jdbcRealm.authenticateSuccess,
username));
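
Review bot: at the credential check, `equalsIgnoreCase` is applied to whatever `digest(credentials)` returns, and nothing in this hunk establishes that the value is a hex digest. As the reply on this thread points out, when the realm stores plain passwords this makes them match in any letter case. Keep `equals` for that case and use `equalsIgnoreCase(dbCredentials)` only when a message digest is actually in use.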
  
  
  
  1.4   +2 -2  
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java
  
  Index: JNDIRealm.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- JNDIRealm.java2001/09/06 03:43:11 1.3
  +++ JNDIRealm.java2001/09/07 18:51:36 1.4
  @@ -144,7 +144,7 @@
*
* @author John Holman
* @author Craig R. McClanahan
  - * @version $Revision: 1.3 $ $Date: 2001/09/06 03:43:11 $
  + * @version $Revision: 1.4 $ $Date: 2001/09/07 18:51:36 $
*/
   
   public class JNDIRealm extends RealmBase {
  @@ -750,7 +750,7 @@
   // Validate the credentials specified by the user
   if (debug = 3)
   log(  validating credentials);
  -if (digest(credentials).equals(valueString)) {
  +if (digest(credentials).equalsIgnoreCase(valueString)) {
   if (debug = 2)
   log(sm.getString(jndiRealm.authenticateSuccess,
username));
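
Review bot: this is the same one-line edit as in JDBCRealm.java, and MemoryRealm.java gets it a third time, so the rule for comparing presented and stored credentials now lives in three places. JNDIRealm already extends RealmBase (context line above); consider a single comparison helper there and call it here in place of `digest(credentials).equalsIgnoreCase(valueString)`, so that a later correction to the rule is made once.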
  
  
  
  1.8   +5 -5  
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
  
  Index: MemoryRealm.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- MemoryRealm.java  2001/08/27 19:10:25 1.7
  +++ MemoryRealm.java  2001/09/07 18:51:36 1.8
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v
 1.7 2001/08/27 19:10:25 craigmcc Exp $
  - * $Revision: 1.7 $
  - * $Date: 2001/08/27 19:10:25 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v
 1.8 2001/09/07 18:51:36 ccain Exp $
  + * $Revision: 1.8 $
  + * $Date: 2001/09/07 18:51:36 $
*
* 
*
  @@ -95,7 +95,7 @@
* synchronization is performed around accesses to the principals collection.
*
* @author Craig R. McClanahan
  - * @version $Revision: 1.7 $ $Date: 2001/08/27 19:10:25 $
  + * @version $Revision: 1.8 $ $Date: 2001/09/07 18:51:36 $
*/
   
   public final class MemoryRealm
  @@ -205,7 +205,7 @@
   GenericPrincipal principal =
   (GenericPrincipal) principals.get(username);
   if ((principal != null) 
  -(digest(credentials).equals(principal.getPassword( {
  +(digest(credentials).equalsIgnoreCase(principal.getPassword( {
   if (debug = 2)
   log(sm.getString(memoryRealm.authenticateSuccess, username));
   return (principal);
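
Review bot: the reason for ignoring case is recorded only in the commit log; the changed line `digest(credentials).equalsIgnoreCase(principal.getPassword(` carries no comment. Add a comment at the comparison stating that it is meant for base16 digests, so the precondition on the stored value is visible to whoever next touches this check.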
  
  
  



RE: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java

2001-09-07 Thread Ignacio J. Ortega

Hello Christopher:

I think this change is not good, as it makes *all* passwords case
insensitive, regardless of the use of digest or not. I think plain
passwords need to be case sensitive.


Regards,
Ignacio J. Ortega



Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/ catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java

2001-09-07 Thread Christopher Cain

You're right ... d'oh! I assumed that a method called digest returned 
a digest. I guess I should not assume so often =)

My bad ... but in some slight manner of defense, that method call is 
poorly named :)

I'll repair this immediately.

- Christopher

Ignacio J. Ortega wrote:
 Hello Christopher:
 
 I think this change is not good, as it makes *all* passwords case
 insensitive, regardless of the use of digest or not. I think plain
 passwords need to be case sensitive.
 
 
 Regards,
 Ignacio J. Ortega
 
 
 

Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java

2001-09-07 Thread Pier Fumagalli

Ignacio J. Ortega [EMAIL PROTECTED] wrote:

 Hello Christopher:
 
 I think this change is not good, as it makes *all* passwords case
 insensitive, regardless of the use of digest or not. I think plain
 passwords need to be case sensitive.

Good catch :)

Pier




RE: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/ catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java

2001-09-07 Thread Ignacio J. Ortega

 
 You're right ... d'oh! I assumed that a method called digest returned
 a digest. I guess I should not assume so often =)
 
 My bad ... but in some slight manner of defense, that method call is
 poorly named :)
 

We can change it to a more appropriate digestedOrNot

:

Regards,
Ignacio J. Ortega



cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java RealmBase.java

2001-09-07 Thread ccain

ccain   01/09/07 13:45:13

  Modified:catalina/src/share/org/apache/catalina/realm JDBCRealm.java
JNDIRealm.java MemoryRealm.java RealmBase.java
  Log:
  Backs out the previous case-insensitive mod, which would have checked
  non-hashed realm passwords case-insensitive as well. This correctly
  returns non-hashed realm passwords to case-sensitive comparison, while
  leaving hex comparisons insensitive.
  
  Now I'm going to go write 'I will always follow code paths through to
  their conclusion before committing' 100 times on the blackboard, then
  it's straight to bed with no dessert. =)
  
  Revision  ChangesPath
  1.19  +9 -2  
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
  
  Index: JDBCRealm.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -r1.18 -r1.19
  --- JDBCRealm.java2001/09/07 18:51:36 1.18
  +++ JDBCRealm.java2001/09/07 20:45:12 1.19
  @@ -95,7 +95,7 @@
   * @author Craig R. McClanahan
   * @author Carson McDonald
   * @author Ignacio Ortega
  -* @version $Revision: 1.18 $ $Date: 2001/09/07 18:51:36 $
  +* @version $Revision: 1.19 $ $Date: 2001/09/07 20:45:12 $
   */
   
   public class JDBCRealm
  @@ -384,7 +384,14 @@
   }
   
   // Validate the user's credentials
  -if (digest(credentials).equalsIgnoreCase(dbCredentials)) {
  +boolean validated = false;
  +if (hasMessageDigest()) {
  +// Hex hashes should be compared case-insensitive
  +validated = (digest(credentials).equalsIgnoreCase(dbCredentials));
  +} else
  +validated = (digest(credentials).equals(dbCredentials));
  +
  +if (validated) {
   if (debug = 2)
   log(sm.getString(jdbcRealm.authenticateSuccess,
username));
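
Review bot: in the new block, `digest(credentials)` is evaluated separately in each branch, and the `else` is left unbraced while the `if` is braced. Compute the digest once into a local before the `if (hasMessageDigest())` test and brace both branches; the initial `validated = false` is then redundant because every path assigns it.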
  
  
  
  1.5   +10 -2 
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java
  
  Index: JNDIRealm.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- JNDIRealm.java2001/09/07 18:51:36 1.4
  +++ JNDIRealm.java2001/09/07 20:45:12 1.5
  @@ -144,7 +144,7 @@
*
* @author John Holman
* @author Craig R. McClanahan
  - * @version $Revision: 1.4 $ $Date: 2001/09/07 18:51:36 $
  + * @version $Revision: 1.5 $ $Date: 2001/09/07 20:45:12 $
*/
   
   public class JNDIRealm extends RealmBase {
  @@ -750,7 +750,15 @@
   // Validate the credentials specified by the user
   if (debug = 3)
   log(  validating credentials);
  -if (digest(credentials).equalsIgnoreCase(valueString)) {
  +
  +boolean validated = false;
  +if (hasMessageDigest()) {
  +// Hex hashes should be compared case-insensitive
  +validated = (digest(credentials).equalsIgnoreCase(valueString));
  +} else
  +validated = (digest(credentials).equals(valueString));
  +
  +if (validated) {
   if (debug = 2)
   log(sm.getString(jndiRealm.authenticateSuccess,
username));
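
Review bot: `hasMessageDigest()` is not shown in this mail, so the hunk does not say whether it guarantees that `valueString` is a hex string or only that a digest is configured for the realm. If it is the latter, state that assumption in the comment next to `// Hex hashes should be compared case-insensitive`, or check that the stored value is hex before ignoring case.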
  
  
  
  1.9   +13 -6 
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
  
  Index: MemoryRealm.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -r1.8 -r1.9
  --- MemoryRealm.java  2001/09/07 18:51:36 1.8
  +++ MemoryRealm.java  2001/09/07 20:45:12 1.9
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v
 1.8 2001/09/07 18:51:36 ccain Exp $
  - * $Revision: 1.8 $
  - * $Date: 2001/09/07 18:51:36 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v
 1.9 2001/09/07 20:45:12 ccain Exp $
  + * $Revision: 1.9 $
  + * $Date: 2001/09/07 20:45:12 $
*
* 
*
  @@ -95,7 +95,7 @@
* synchronization is performed around accesses to the principals collection.
*
* @author Craig R. McClanahan
  - * @version $Revision: 1.8 $ $Date: 2001/09/07 18:51:36 $
  + * @version $Revision: 1.9 $ $Date: 2001/09/07 20:45:12 $
*/
   
   public final class MemoryRealm
  @@ -204,8 +204,15 @@
   
   GenericPrincipal principal =
   (GenericPrincipal) principals.get(username);
  -if 

Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/ catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java

2001-09-07 Thread Christopher Cain

Close ... I added a hasMessageDigest() method =)

Also, I just realized that I was in such a hurry to get fixed code back 
into the tree, I forgot to give you credit on the commit log. As Pier 
said, that was an excellent catch ... you pulled my kahones out of the 
fire on that one :)

I promise not to choke like that again for at least another ... oh ... 
week or so ;-)

- Christopher

/**
  * Weep, weep, my eyes, and dissolve into water!
  * One half of my life has laid the other in the tomb.
  *---Corneille
  */

Ignacio J. Ortega wrote:
You're right ... d'oh! I assumed that a method called digest returned
a digest. I guess I should not assume so often =)

My bad ... but in some slight manner of defense, that method call is
poorly named :)


 
 We can change it to a more appropriate digestedOrNot
 
 :
 
 Regards,
 Ignacio J. Ortega
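
The difference between the two commits in this thread, as an added example that is not Tomcat's code and not part of any message above. Only the names `digest()` and `hasMessageDigest()` and the `equals`/`equalsIgnoreCase` branch come from the diffs; the class, the SHA-256 choice and the sample password are assumptions, and `digest()` here returns its input unchanged when no algorithm is set, which is the behaviour the replies describe.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;

/** Added illustration; not Tomcat source. Class and sample values are hypothetical. */
public class CredentialMatchDemo {

    // Digest algorithm configured for the realm; null means passwords are stored in the clear.
    private final String algorithm;

    CredentialMatchDemo(String algorithm) { this.algorithm = algorithm; }

    boolean hasMessageDigest() { return algorithm != null; }

    // Lower-case hex digest when an algorithm is set; otherwise the input unchanged,
    // which is why the method name alone does not tell you a digest comes back.
    String digest(String credentials) throws Exception {
        if (!hasMessageDigest()) return credentials;
        byte[] hash = MessageDigest.getInstance(algorithm)
                .digest(credentials.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : hash) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // First commit: case is ignored whatever digest() returned.
    boolean matchIgnoringCase(String supplied, String stored) throws Exception {
        return digest(supplied).equalsIgnoreCase(stored);
    }

    // Follow-up commit: case is ignored only when a digest is in use.
    boolean matchDigestAware(String supplied, String stored) throws Exception {
        String computed = digest(supplied);
        return hasMessageDigest() ? computed.equalsIgnoreCase(stored)
                                  : computed.equals(stored);
    }

    // Fails loudly if a case does not behave as labelled, then reports the outcome.
    static void expect(boolean wanted, boolean got, String what) {
        if (wanted != got) throw new AssertionError(what);
        System.out.println((got ? "accepted: " : "rejected: ") + what);
    }

    public static void main(String[] args) throws Exception {
        CredentialMatchDemo plain = new CredentialMatchDemo(null);
        CredentialMatchDemo hashed = new CredentialMatchDemo("SHA-256");
        String password = "Tomcat4Ever";                        // constructed sample
        String storedHex = hashed.digest(password).toUpperCase(Locale.ROOT);

        expect(true,  plain.matchIgnoringCase("tomcat4ever", password), "cleartext store, wrong case, first commit");
        expect(false, plain.matchDigestAware("tomcat4ever", password),  "cleartext store, wrong case, follow-up");
        expect(true,  plain.matchDigestAware(password, password),       "cleartext store, exact password");
        expect(true,  hashed.matchDigestAware(password, storedHex),     "digest store, upper-case hex on file");
        expect(false, hashed.matchDigestAware("tomcat4ever", storedHex), "digest store, wrong-case password");
    }
}
```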