ccain       01/09/07 13:45:13

  Modified:    catalina/src/share/org/apache/catalina/realm JDBCRealm.java
                        JNDIRealm.java MemoryRealm.java RealmBase.java
  Log:
  Backs out the previous case-insensitive mod, which would have checked
  non-hashed realm passwords case-insensitive as well. This correctly
  returns non-hashed realm passwords to case-sensitive comparison, while
  leaving hex comparisons insensitive.
  
  Now I'm going to go write 'I will always follow code paths through to
  their conclusion before committing' 100 times on the blackboard, then
  it's straight to bed with no dessert. =)
  
  Revision  Changes    Path
  1.19      +9 -2      
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
  
  Index: JDBCRealm.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -r1.18 -r1.19
  --- JDBCRealm.java    2001/09/07 18:51:36     1.18
  +++ JDBCRealm.java    2001/09/07 20:45:12     1.19
  @@ -95,7 +95,7 @@
   * @author Craig R. McClanahan
   * @author Carson McDonald
   * @author Ignacio Ortega
  -* @version $Revision: 1.18 $ $Date: 2001/09/07 18:51:36 $
  +* @version $Revision: 1.19 $ $Date: 2001/09/07 20:45:12 $
   */
   
   public class JDBCRealm
  @@ -384,7 +384,14 @@
           }
   
           // Validate the user's credentials
  -        if (digest(credentials).equalsIgnoreCase(dbCredentials)) {
  +        boolean validated = false;
  +        if (hasMessageDigest()) {
  +            // Hex hashes should be compared case-insensitive
  +            validated = (digest(credentials).equalsIgnoreCase(dbCredentials));
  +        } else
  +            validated = (digest(credentials).equals(dbCredentials));
  +
  +        if (validated) {
               if (debug >= 2)
                   log(sm.getString("jdbcRealm.authenticateSuccess",
                                    username));
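Review bot: The new validation block at the `boolean validated = false;` line is copied almost verbatim into JNDIRealm.authenticate and MemoryRealm.authenticate in this same commit, so the hashed-versus-plain decision now lives in three places and any later correction has to be made three times; since RealmBase already gains `hasMessageDigest()` here, a single `protected boolean compareCredentials(String credentials, String stored)` on RealmBase holding the `if (hasMessageDigest()) ... equalsIgnoreCase ... else ... equals` choice would let each realm reduce to `if (compareCredentials(credentials, dbCredentials)) {`. As written the `if` branch is braced but the `} else` branch is not, which is easy to misread when a second statement is later added to the else. Both branches also compare the stored secret with `String.equals`/`equalsIgnoreCase`, which return at the first differing character; if comparison timing matters for this realm, that is another reason to keep the comparison in one shared helper where it can be hardened once. The enclosing authenticate method starts and ends outside the hunk.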
  
  
  
  1.5       +10 -2     
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java
  
  Index: JNDIRealm.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- JNDIRealm.java    2001/09/07 18:51:36     1.4
  +++ JNDIRealm.java    2001/09/07 20:45:12     1.5
  @@ -144,7 +144,7 @@
    *
    * @author John Holman
    * @author Craig R. McClanahan
  - * @version $Revision: 1.4 $ $Date: 2001/09/07 18:51:36 $
  + * @version $Revision: 1.5 $ $Date: 2001/09/07 20:45:12 $
    */
   
   public class JNDIRealm extends RealmBase {
  @@ -750,7 +750,15 @@
           // Validate the credentials specified by the user
           if (debug >= 3)
               log("  validating credentials");
  -        if (digest(credentials).equalsIgnoreCase(valueString)) {
  +
  +        boolean validated = false;
  +        if (hasMessageDigest()) {
  +            // Hex hashes should be compared case-insensitive
  +            validated = (digest(credentials).equalsIgnoreCase(valueString));
  +        } else
  +            validated = (digest(credentials).equals(valueString));
  +
  +        if (validated) {
               if (debug >= 2)
                   log(sm.getString("jndiRealm.authenticateSuccess",
                                    username));
  
  
  
  1.9       +13 -6     
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
  
  Index: MemoryRealm.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -r1.8 -r1.9
  --- MemoryRealm.java  2001/09/07 18:51:36     1.8
  +++ MemoryRealm.java  2001/09/07 20:45:12     1.9
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v
 1.8 2001/09/07 18:51:36 ccain Exp $
  - * $Revision: 1.8 $
  - * $Date: 2001/09/07 18:51:36 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v
 1.9 2001/09/07 20:45:12 ccain Exp $
  + * $Revision: 1.9 $
  + * $Date: 2001/09/07 20:45:12 $
    *
    * ====================================================================
    *
  @@ -95,7 +95,7 @@
    * synchronization is performed around accesses to the principals collection.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.8 $ $Date: 2001/09/07 18:51:36 $
  + * @version $Revision: 1.9 $ $Date: 2001/09/07 20:45:12 $
    */
   
   public final class MemoryRealm
  @@ -204,8 +204,15 @@
   
           GenericPrincipal principal =
               (GenericPrincipal) principals.get(username);
  -        if ((principal != null) &&
  -            (digest(credentials).equalsIgnoreCase(principal.getPassword()))) {
  +
  +        boolean validated = false;
  +        if (hasMessageDigest()) {
  +            // Hex hashes should be compared care-insensitive
  +            validated = 
(digest(credentials).equalsIgnoreCase(principal.getPassword()));
  +        } else
  +            validated = (digest(credentials).equals(principal.getPassword()));
  +
  +        if ((principal != null) && validated) {
               if (debug >= 2)
                   log(sm.getString("memoryRealm.authenticateSuccess", username));
               return (principal);
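Review bot: The lines `validated = (digest(credentials).equalsIgnoreCase(principal.getPassword()));` and `validated = (digest(credentials).equals(principal.getPassword()));` dereference `principal` before the `(principal != null) && validated` check that follows, so a lookup for an unknown username now throws a NullPointerException out of authenticate instead of returning null as the previous short-circuit `(principal != null) &&` did. The null check has to guard the comparison, not just the result; the comment on the hashed branch also reads `care-insensitive` where `case-insensitive` is meant. The enclosing authenticate method starts and ends outside the hunk.
```java
        GenericPrincipal principal =
            (GenericPrincipal) principals.get(username);

        boolean validated = false;
        if (principal != null) {
            if (hasMessageDigest()) {
                // Hex hashes should be compared case-insensitive
                validated = digest(credentials).equalsIgnoreCase(principal.getPassword());
            } else {
                validated = digest(credentials).equals(principal.getPassword());
            }
        }

        if (validated) {
            // … unchanged: debug log and return (principal) …
```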
  
  
  
  1.7       +8 -5      
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- RealmBase.java    2001/09/06 03:43:11     1.6
  +++ RealmBase.java    2001/09/07 20:45:12     1.7
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
 1.6 2001/09/06 03:43:11 craigmcc Exp $
  - * $Revision: 1.6 $
  - * $Date: 2001/09/06 03:43:11 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
 1.7 2001/09/07 20:45:12 ccain Exp $
  + * $Revision: 1.7 $
  + * $Date: 2001/09/07 20:45:12 $
    *
    * ====================================================================
    *
  @@ -95,7 +95,7 @@
    * location) are identical to those currently supported by Tomcat 3.X.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.6 $ $Date: 2001/09/06 03:43:11 $
  + * @version $Revision: 1.7 $ $Date: 2001/09/07 20:45:12 $
    */
   
   public abstract class RealmBase
  @@ -571,7 +571,7 @@
       protected String digest(String credentials)  {
   
           // If no MessageDigest instance is specified, return unchanged
  -        if (md == null)
  +        if (hasMessageDigest() == false)
               return (credentials);
   
           // Digest the user credentials and return as hexadecimal
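Review bot: The added guard `if (hasMessageDigest() == false)` spells a boolean negation as a comparison against a literal; `if (!hasMessageDigest())` says the same thing in the form the rest of the code base uses, and it keeps the comment above it ("If no MessageDigest instance is specified") readable at a glance. The digest method continues outside the hunk.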
  @@ -588,6 +588,9 @@
   
       }
   
  +    protected boolean hasMessageDigest() {
  +        return !(md == null);
  +    }
   
       /**
        * Return the digest associated with given principal's user name.
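Review bot: The new `hasMessageDigest()` is the only protected method in this stretch of RealmBase without a Javadoc comment, and subclasses in this commit (JDBCRealm, JNDIRealm, MemoryRealm) now branch on it to decide whether a stored credential is a hex digest or plaintext, so its contract deserves stating: `/** Return {@code true} if a MessageDigest has been configured, i.e. stored credentials are hex digests; {@code false} if they are compared as plain text. */`. The body `return !(md == null);` would also read more directly as `return (md != null);`.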
  
  
  
