Okay can you please guide me on how to log the bug. That would be great. If
possible you could do it yourself also.

And as far as opinions go, I really don't know. The whole process of Realms
seems confusing to me and it's overly complicated.

Thanks for testing out the issue.

On Wed, Sep 9, 2015 at 7:25 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Sreyan,
>
> On 9/9/15 9:45 AM, Christopher Schultz wrote:
> > On 9/7/15 2:17 PM, Sreyan Chakravarty wrote:
> >> I have found the cause of the problem. It seems that there is no
> >> null checking in the DataSourceRealm in Tomcat. What I mean is
> >> that if a particular user does not exist in the database and its
> >> credentials are returned as a null string then no null checking
> >> is specified.
> >
> >> I would like to open this as a bug.
> >
> > https://bz.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%208
> >
> > Before you file a bug:
> >
> > 1. Make sure you test on Tomcat 8.0.26
> > 2. Make sure you post a stack trace from the NPE
> > 3. If you can provide a simple test-case, it would be helpful
> >
> >> The easiest solution is to write a custom Realm that provides
> >> the null checking. The only problem is that now why am I not
> >> being redirected to the error page if I provide a valid user with
> >> a wrong password.
> >
> > If the authenticate() method returns false, then Tomcat should
> > send the user to the form-error-page. It may not issue a redirect,
> > but instead perform a forward. Is that a problem?
> >
> >> Please if anyone can tell me how to write a custom Realm then it
> >> would be really appreciated.
> >
> > If this really is a bug, it should be fixed. I'm skeptical at this
> > point, since nobody has reported this yet. It would be a fairly big
> > bug.
>
> Confirmed by code inspection that Tomcat does not check the return
> value from DataSourceRealm.getPassword. Exactly where the bug lies is
> a matter of opinion:
>
> 1. DataSourceRealm blindly passes the stored credential to the
> CredentialHandler
> 2. MessageDigestCredentialHandler.matches() performs null-checking of
> its arguments
> 3. SecretKeyCredentialHandler.matches() does not perform such
> null-checking
>
> I think it's appropriate for the entire system to waste a little time
> performing the credential-checking algorithm when the username is
> invalid because it mitigates timing-analysis used to perform user
> enumeration. That could be done in each of the individual
> CredentialHandler classes, or it could be done in the Realm itself. I
> would argue it makes sense to do in the Realm, but the handler itself
> could implement such a mechanism, too.
>
> Opinions are welcome.
>
> Please log the bug.
>
> -chris
>

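As an added illustration of the approach Chris describes above (null-check the stored credential in the Realm, and still do the full hashing work for an unknown user so response time does not distinguish it from a bad password), here is example code that is not Tomcat's DataSourceRealm or CredentialHandler; the class, its "salt$base64digest" storage format and the iteration count are assumptions:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Hypothetical, self-contained stand-in for a Realm plus its CredentialHandler.
public class NullSafeRealm {
    private static final int ITERATIONS = 10_000;
    private final Map<String, String> store = new HashMap<>();
    private final String dummyCredential; // hashed once, used for unknown users

    public NullSafeRealm() throws NoSuchAlgorithmException {
        dummyCredential = mutate("dummy-password-never-accepted", "00000000");
    }

    public void addUser(String user, String password, String salt) throws NoSuchAlgorithmException {
        store.put(user, mutate(password, salt));
    }

    // Unknown user: the stored credential is null. Instead of handing null to the
    // handler (the NPE discussed in the thread), run the same hashing work against
    // a dummy credential so timing does not reveal whether the user exists.
    public boolean authenticate(String user, String password) throws NoSuchAlgorithmException {
        String stored = store.get(user);
        if (stored == null) {
            matches(password, dummyCredential);
            return false;
        }
        return matches(password, stored);
    }

    // Assumed credential format: salt + "$" + base64(iterated SHA-256(salt + password)).
    static String mutate(String password, String salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = (salt + password).getBytes(StandardCharsets.UTF_8);
        for (int i = 0; i < ITERATIONS; i++) {
            md.reset();
            digest = md.digest(digest);
        }
        return salt + "$" + Base64.getEncoder().encodeToString(digest);
    }

    // Null-safe: a null on either side is a failed match, not an exception.
    static boolean matches(String input, String stored) throws NoSuchAlgorithmException {
        if (input == null || stored == null || stored.indexOf('$') < 0) return false;
        String recomputed = mutate(input, stored.substring(0, stored.indexOf('$')));
        return MessageDigest.isEqual(recomputed.getBytes(StandardCharsets.UTF_8),
                                     stored.getBytes(StandardCharsets.UTF_8));
    }
}
```

With this shape, a wrong password for an existing user and any password for a missing user both return false after roughly the same amount of work, and the comparison of the recomputed credential uses MessageDigest.isEqual rather than String.equals.
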