Author: markt
Date: Thu Sep 25 19:33:07 2014
New Revision: 1627607
URL: http://svn.apache.org/r1627607
Log:
Review comment 5 from schultz
Validate stored credential
Modified:
tomcat/trunk/java/org/apache/catalina/realm/CredentialHandlerBase.java
tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties
tomcat/trunk/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
tomcat/trunk/java/org/apache/catalina/realm/PBECredentialHandler.java
Modified: tomcat/trunk/java/org/apache/catalina/realm/CredentialHandlerBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/CredentialHandlerBase.java?rev=1627607&r1=1627606&r2=1627607&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/CredentialHandlerBase.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/realm/CredentialHandlerBase.java Thu
Sep 25 19:33:07 2014
@@ -21,6 +21,7 @@ import java.security.SecureRandom;
import java.util.Random;
import org.apache.catalina.CredentialHandler;
+import org.apache.juli.logging.Log;
import org.apache.tomcat.util.buf.HexUtils;
import org.apache.tomcat.util.res.StringManager;
@@ -96,6 +97,15 @@ public abstract class CredentialHandlerB
int sep1 = storedCredentials.indexOf('$');
int sep2 = storedCredentials.indexOf('$', sep1 + 1);
+ if (sep1 < 0 || sep2 < 0) {
+ // Stored credentials are invalid
+ // Logging credentials could be a security concern but they are
+ // invalid and that is a bigger problem
+
getLog().warn(sm.getString("credentialHandler.invalidStoredCredential",
+ storedCredentials));
+ return false;
+ }
+
String hexSalt = storedCredentials.substring(0, sep1);
int iterations = Integer.parseInt(storedCredentials.substring(sep1 +
1, sep2));
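Review bot: The new guard only covers missing `$` separators; the `Integer.parseInt` on the lines that follow still throws `NumberFormatException` when the iteration segment of a stored credential is not a decimal number (a constructed example: `salt$abc$hash`), so a malformed credential escapes as an unchecked exception rather than the `false` the new branch returns. Catching it and warning with the same `credentialHandler.invalidStoredCredential` key keeps the two malformed cases consistent; the hex salt decode that presumably follows further down would merit the same treatment. Note also that `sep1 == 0` (empty salt) passes the check; whether that is acceptable depends on the callers, which are not in the hunk. The enclosing method starts before and ends after this hunk.
```java
int sep1 = storedCredentials.indexOf('$');
int sep2 = storedCredentials.indexOf('$', sep1 + 1);
if (sep1 < 0 || sep2 < 0) {
    // … unchanged: warn with credentialHandler.invalidStoredCredential and return false …
}

String hexSalt = storedCredentials.substring(0, sep1);
int iterations;
try {
    iterations = Integer.parseInt(storedCredentials.substring(sep1 + 1, sep2));
} catch (NumberFormatException e) {
    // Iteration count is not numeric: same handling as a missing separator
    getLog().warn(sm.getString("credentialHandler.invalidStoredCredential",
            storedCredentials));
    return false;
}
```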
@@ -128,4 +138,10 @@ public abstract class CredentialHandlerB
* {@link CredentialHandler}.
*/
protected abstract int getDefaultIterations();
+
+
+ /**
+ * Obtain the logger for the CredentialHandler instance.
+ */
+ protected abstract Log getLog();
}
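Review bot: The Javadoc on the new abstract `getLog()` does not state its nullability, yet the base class now calls it unconditionally in the invalid-credential branch earlier in this file, so a subclass returning null would turn a malformed stored credential into a `NullPointerException` instead of a warning and `false`. Add `@return the logger used by this handler; must not be {@code null}` to the Javadoc so implementors see the contract.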
Modified: tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties?rev=1627607&r1=1627606&r2=1627607&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties Thu Sep
25 19:33:07 2014
@@ -83,5 +83,6 @@ combinedRealm.addRealm=Add "{0}" realm,
combinedRealm.realmStartFail=Failed to start "{0}" realm
lockOutRealm.authLockedUser=An attempt was made to authenticate the locked
user "{0}"
lockOutRealm.removeWarning=User "{0}" was removed from the failed users cache
after {1} seconds to keep the cache size within the limit set
+credentialHandler.invalidStoredCredential=The invalid stored credential string
[{0}] was provided by the Realm to match with the user provided credentials
mdCredentialHandler.unknownEncoding=The encoding [{0}] is not supported so the
current setting of [{1}] will still be used
pbeCredentialHandler.invalidKeySpec=Unable to generate a password based key
\ No newline at end of file
Modified:
tomcat/trunk/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java?rev=1627607&r1=1627606&r2=1627607&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
(original)
+++
tomcat/trunk/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
Thu Sep 25 19:33:07 2014
@@ -178,4 +178,10 @@ public class MessageDigestCredentialHand
protected int getDefaultIterations() {
return DEFAULT_ITERATIONS;
}
+
+
+ @Override
+ protected Log getLog() {
+ return log;
+ }
}
Modified: tomcat/trunk/java/org/apache/catalina/realm/PBECredentialHandler.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/PBECredentialHandler.java?rev=1627607&r1=1627606&r2=1627607&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/PBECredentialHandler.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/realm/PBECredentialHandler.java Thu
Sep 25 19:33:07 2014
@@ -90,4 +90,10 @@ public class PBECredentialHandler extend
protected int getDefaultIterations() {
return DEFAULT_ITERATIONS;
}
+
+
+ @Override
+ protected Log getLog() {
+ return log;
+ }
}