I don't know anything about this fix, but shouldn't you include a trim() before checking for a blank username/credential also?
Regards. ----- Original Message ----- From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, June 11, 2002 4:32 PM Subject: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm JNDIRealm.java > remm 2002/06/11 08:32:28 > > Modified: catalina/src/share/org/apache/catalina/realm JNDIRealm.java > Log: > - Fix a security problem with the JNDI realm, where blank passwords could be > used to authenticate. > - As a result, blank passwords are not allowed with the JNDI realm anymore. > - Bugzilla 9700. > - The fix will be in 4.1.5. > - Patch submitted by <jemiller at uchicago.edu> > and John Holman <mailto:j.g.holman at qmul.ac.uk> > > Revision Changes Path > 1.8 +6 -5 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.ja va > > Index: JNDIRealm.java > =================================================================== > RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JN DIRealm.java,v > retrieving revision 1.7 > retrieving revision 1.8 > diff -u -r1.7 -r1.8 > --- JNDIRealm.java 9 Jun 2002 02:19:43 -0000 1.7 > +++ JNDIRealm.java 11 Jun 2002 15:32:28 -0000 1.8 > @@ -716,7 +716,8 @@ > String credentials) > throws NamingException { > > - if (username == null || credentials == null) > + if (username == null || username.equals("") > + || credentials == null || credentials.equals("")) > return (null); > > // Retrieve user information > > > > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
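Review bot: the new test at the top of this method (`username.equals("")`, `credentials.equals("")`) matches only the zero-length string, so a username or credential made up solely of whitespace is not treated as blank and still reaches the user lookup. Say in a comment whether that is intended, and if it is not, compare the trimmed values instead. The check also has no comment explaining why blank credentials are rejected; a one-line note referring to Bugzilla 9700 would keep a later cleanup from removing it.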