ccain 01/09/07 13:45:13 Modified: catalina/src/share/org/apache/catalina/realm JDBCRealm.java JNDIRealm.java MemoryRealm.java RealmBase.java Log: Backs out the previous case-insensitive mod, which would have checked non-hashed realm passwords case-insensitive as well. This correctly returns non-hashed realm passwords to case-sensitive comparison, while leaving hex comparisons insensitive. Now I'm going to go write 'I will always follow code paths through to their conclusion before committing' 100 times on the blackboard, then it's straight to bed with no desert. =) Revision Changes Path 1.19 +9 -2 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java Index: JDBCRealm.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java,v retrieving revision 1.18 retrieving revision 1.19 diff -u -r1.18 -r1.19 --- JDBCRealm.java 2001/09/07 18:51:36 1.18 +++ JDBCRealm.java 2001/09/07 20:45:12 1.19 @@ -95,7 +95,7 @@ * @author Craig R. McClanahan * @author Carson McDonald * @author Ignacio Ortega -* @version $Revision: 1.18 $ $Date: 2001/09/07 18:51:36 $ +* @version $Revision: 1.19 $ $Date: 2001/09/07 20:45:12 $ */ public class JDBCRealm @@ -384,7 +384,14 @@ } // Validate the user's credentials - if (digest(credentials).equalsIgnoreCase(dbCredentials)) { + boolean validated = false; + if (hasMessageDigest()) { + // Hex hashes should be compared case-insensitive + validated = (digest(credentials).equalsIgnoreCase(dbCredentials)); + } else + validated = (digest(credentials).equals(dbCredentials)); + + if (validated) { if (debug >= 2) log(sm.getString("jdbcRealm.authenticateSuccess", username)); 1.5 +10 -2 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java Index: JNDIRealm.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- JNDIRealm.java 2001/09/07 18:51:36 1.4 +++ JNDIRealm.java 2001/09/07 20:45:12 1.5 @@ -144,7 +144,7 @@ * * @author John Holman * @author Craig R. McClanahan - * @version $Revision: 1.4 $ $Date: 2001/09/07 18:51:36 $ + * @version $Revision: 1.5 $ $Date: 2001/09/07 20:45:12 $ */ public class JNDIRealm extends RealmBase { @@ -750,7 +750,15 @@ // Validate the credentials specified by the user if (debug >= 3) log(" validating credentials"); - if (digest(credentials).equalsIgnoreCase(valueString)) { + + boolean validated = false; + if (hasMessageDigest()) { + // Hex hashes should be compared case-insensitive + validated = (digest(credentials).equalsIgnoreCase(valueString)); + } else + validated = (digest(credentials).equals(valueString)); + + if (validated) { if (debug >= 2) log(sm.getString("jndiRealm.authenticateSuccess", username)); 1.9 +13 -6 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java Index: MemoryRealm.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- MemoryRealm.java 2001/09/07 18:51:36 1.8 +++ MemoryRealm.java 2001/09/07 20:45:12 1.9 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v 1.8 2001/09/07 18:51:36 ccain Exp $ - * $Revision: 1.8 $ - * $Date: 2001/09/07 18:51:36 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v 1.9 2001/09/07 20:45:12 ccain Exp $ + * $Revision: 1.9 $ + * $Date: 2001/09/07 20:45:12 $ * * ==================================================================== * @@ -95,7 +95,7 @@ * synchronization is performed around accesses to the principals collection. * * @author Craig R. McClanahan - * @version $Revision: 1.8 $ $Date: 2001/09/07 18:51:36 $ + * @version $Revision: 1.9 $ $Date: 2001/09/07 20:45:12 $ */ public final class MemoryRealm @@ -204,8 +204,15 @@ GenericPrincipal principal = (GenericPrincipal) principals.get(username); - if ((principal != null) && - (digest(credentials).equalsIgnoreCase(principal.getPassword()))) { + + boolean validated = false; + if (hasMessageDigest()) { + // Hex hashes should be compared care-insensitive + validated = (digest(credentials).equalsIgnoreCase(principal.getPassword())); + } else + validated = (digest(credentials).equals(principal.getPassword())); + + if ((principal != null) && validated) { if (debug >= 2) log(sm.getString("memoryRealm.authenticateSuccess", username)); return (principal); 1.7 +8 -5 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/RealmBase.java Index: RealmBase.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- RealmBase.java 2001/09/06 03:43:11 1.6 +++ RealmBase.java 2001/09/07 20:45:12 1.7 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v 1.6 2001/09/06 03:43:11 craigmcc Exp $ - * $Revision: 1.6 $ - * $Date: 2001/09/06 03:43:11 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v 1.7 2001/09/07 20:45:12 ccain Exp $ + * $Revision: 1.7 $ + * $Date: 2001/09/07 20:45:12 $ * * ==================================================================== * @@ -95,7 +95,7 @@ * location) are identical to those currently supported by Tomcat 3.X. * * @author Craig R. McClanahan - * @version $Revision: 1.6 $ $Date: 2001/09/06 03:43:11 $ + * @version $Revision: 1.7 $ $Date: 2001/09/07 20:45:12 $ */ public abstract class RealmBase @@ -571,7 +571,7 @@ protected String digest(String credentials) { // If no MessageDigest instance is specified, return unchanged - if (md == null) + if (hasMessageDigest() == false) return (credentials); // Digest the user credentials and return as hexadecimal @@ -588,6 +588,9 @@ } + protected boolean hasMessageDigest() { + return !(md == null); + } /** * Return the digest associated with given principal's user name.