DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6402>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6402

JNDIRealm, LDAP and SHA passwords vs {SHA}Base64Coded= passwords

           Summary: JNDIRealm, LDAP and SHA passwords vs {SHA}Base64Coded=
                    passwords
           Product: Tomcat 4
           Version: 4.0.2 Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]
                CC: [EMAIL PROTECTED]


This concerns the case of digest="SHA" being set in the JNDIRealm configuration for 
connections to a Netscape LDAP Directory that stores passwords in encrypted 
form.

Problem:
Tomcat (JNDIRealm.java) uses the following code to check the password retrieved 
from the LDAP server:
validated = (digest(credentials).equalsIgnoreCase(valueString));

The Netscape LDAP server stores passwords and returns them to Tomcat in the 
{SHA}Base64Encoded= form; see 
http://developer.netscape.com/tech/overview/index.html?content=/docs/technote/ldap/pass_sha.html

Solution:
I propose modifying the JNDIRealm code so that it uses something like this:

        boolean validated = false;
        if (hasMessageDigest()) {
            if (valueString.startsWith("{SHA}")
                    && Base64.isBase64(valueString.substring(5))) {
                // Netscape form: strip the "{SHA}" prefix, base64-decode the
                // raw digest bytes and re-encode them as hex so they can be
                // compared with the hex string digest() produces.
                String testValue =
                    HexUtils.convert(
                        Base64.decode(valueString.substring(5).getBytes())
                    );
                validated = (digest(credentials).equalsIgnoreCase(testValue));
            } else {
                // Plain hex digest: compare case-insensitively as before.
                validated = (digest(credentials).equalsIgnoreCase(valueString));
            }
        } else {
            validated = (digest(credentials).equals(valueString));
        }

instead of the old code (JNDIRealm.java version 1.5, starting from line 754):

        boolean validated = false;
        if (hasMessageDigest()) {
            // Hex hashes should be compared case-insensitive
            validated = (digest(credentials).equalsIgnoreCase(valueString));
        } else
            validated = (digest(credentials).equals(valueString));

wbr, iit.
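As an added example (not the reporter's patch and not Tomcat code), the same check in Python: the stored value is decoded to raw digest bytes whether it arrives as a hex string or in Netscape's {SHA}base64 form, then compared in constant time. It goes one step beyond the report by also accepting the salted {SSHA} scheme, where the salt is appended to the digest before base64 encoding; the sample passwords and salt are constructed here.

```python
import base64
import binascii
import hashlib
import hmac

SHA1_LEN = 20  # a SHA-1 digest is 20 bytes

def digest_hex(credentials: str) -> str:
    # Hex SHA-1, the form JNDIRealm's digest() produces for digest="SHA".
    return hashlib.sha1(credentials.encode("utf-8")).hexdigest()

def encode_ssha(credentials: str, salt: bytes) -> str:
    # Salted variant ({SSHA}): base64(sha1(password + salt) + salt).
    raw = hashlib.sha1(credentials.encode("utf-8") + salt).digest() + salt
    return "{SSHA}" + base64.b64encode(raw).decode("ascii")

def _b64(value: str):
    # Strict base64 decode; None instead of an exception on malformed input.
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def parse_stored(value: str):
    # Return (digest, salt) for hex (any case), "{SHA}base64" or "{SSHA}base64"; None if unrecognised.
    if value.startswith("{SHA}"):
        raw = _b64(value[5:])
        return (raw, b"") if raw is not None and len(raw) == SHA1_LEN else None
    if value.startswith("{SSHA}"):
        raw = _b64(value[6:])
        if raw is None or len(raw) <= SHA1_LEN:
            return None
        return raw[:SHA1_LEN], raw[SHA1_LEN:]
    try:
        raw = bytes.fromhex(value)  # accepts upper- and lower-case hex
    except ValueError:
        return None
    return (raw, b"") if len(raw) == SHA1_LEN else None

def validate(credentials: str, stored: str) -> bool:
    # Compare raw digest bytes, so hex case and base64 framing no longer matter.
    parsed = parse_stored(stored)
    if parsed is None:
        return False
    expected, salt = parsed
    actual = hashlib.sha1(credentials.encode("utf-8") + salt).digest()
    return hmac.compare_digest(actual, expected)
```

A value the directory returns in any other scheme is rejected rather than compared as if it were hex.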
