Author: jfrederic.clere(a)jboss.com
Date: 2011-11-24 05:40:48 -0500 (Thu, 24 Nov 2011)
New Revision: 1875
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/users/MemoryUser.java
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/users/MemoryUserDatabase.java
Log:
Fix CVE-2011-2204.
Prevent user passwords from appearing in log files if a runtime exception (e.g. OOME) occurs
while creating a new user for a MemoryUserDatabase via JMX.
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java 2011-11-24
10:25:05 UTC (rev 1874)
+++
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java 2011-11-24
10:40:48 UTC (rev 1875)
@@ -180,7 +180,7 @@
MBeanUtils.createMBean(group);
} catch (Exception e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Exception creating group " + group + " MBean");
+ ("Exception creating group [" + groupname + "]
MBean");
iae.initCause(e);
throw iae;
}
@@ -203,7 +203,7 @@
MBeanUtils.createMBean(role);
} catch (Exception e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Exception creating role " + role + " MBean");
+ ("Exception creating role [" + rolename + "]
MBean");
iae.initCause(e);
throw iae;
}
@@ -228,7 +228,7 @@
MBeanUtils.createMBean(user);
} catch (Exception e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Exception creating user " + user + " MBean");
+ ("Exception creating user [" + username + "]
MBean");
iae.initCause(e);
throw iae;
}
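Review bot: The message change alone does not keep the password out of the log, because `iae.initCause(e)` on the following line preserves the original exception, and whatever its own message contains is outside this hunk's control; it is the MemoryUser.toString() rewrite elsewhere in this commit that closes that path, per the commit log. A comment on the catch block would stop a later edit from concatenating the object again: `// Do not put the User object in the message: its XML form (toXml()) carries the password (CVE-2011-2204).` The same applies to the destroyUser hunk at -385; the group and role hunks apply the same bracketed-name pattern for consistency and carry no credential. createUser's body begins before the hunk.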
@@ -256,7 +256,7 @@
return (oname.toString());
} catch (MalformedObjectNameException e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Cannot create object name for group " + group);
+ ("Cannot create object name for group [" + groupname +
"]");
iae.initCause(e);
throw iae;
}
@@ -283,7 +283,7 @@
return (oname.toString());
} catch (MalformedObjectNameException e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Cannot create object name for role " + role);
+ ("Cannot create object name for role [" + rolename +
"]");
iae.initCause(e);
throw iae;
}
@@ -310,7 +310,7 @@
return (oname.toString());
} catch (MalformedObjectNameException e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Cannot create object name for user " + user);
+ ("Cannot create object name for user [" + username +
"]");
iae.initCause(e);
throw iae;
}
@@ -335,7 +335,7 @@
database.removeGroup(group);
} catch (Exception e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Exception destroying group " + group + " MBean");
+ ("Exception destroying group [" + groupname + "]
MBean");
iae.initCause(e);
throw iae;
}
@@ -360,7 +360,7 @@
database.removeRole(role);
} catch (Exception e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Exception destroying role " + role + " MBean");
+ ("Exception destroying role [" + rolename + "]
MBean");
iae.initCause(e);
throw iae;
}
@@ -385,7 +385,7 @@
database.removeUser(user);
} catch (Exception e) {
IllegalArgumentException iae = new IllegalArgumentException
- ("Exception destroying user " + user + " MBean");
+ ("Exception destroying user [" + username + "]
MBean");
iae.initCause(e);
throw iae;
}
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/users/MemoryUser.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/users/MemoryUser.java 2011-11-24
10:25:05 UTC (rev 1874)
+++
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/users/MemoryUser.java 2011-11-24
10:40:48 UTC (rev 1875)
@@ -246,7 +246,7 @@
* <code>username</code> or </code>name</code> for the
username
* property.</p>
*/
- public String toString() {
+ public String toXml() {
StringBuffer sb = new StringBuffer("<user username=\"");
sb.append(RequestUtil.filter(username));
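Review bot: The Javadoc above the renamed method (its opening is outside the hunk) was not updated, so nothing tells a reader that toXml() is the representation that must not be logged; only the name changed and the commit log identifies this output as the one that exposed passwords, so it still includes the password. A summary along the lines of `* <p>Return the XML element for this user as written by MemoryUserDatabase.save(). Unlike toString() this includes the password, so never use it in exception messages or log output.</p>` would make the split between the two methods explicit. The `</code>name</code>` in the context line above is a mis-nested tag that could be fixed in the same edit. The method body continues past the hunk.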
@@ -293,5 +293,52 @@
}
+ /**
+ * <p>Return a String representation of this user.</p>
+ */
+ @Override
+ public String toString() {
+ StringBuilder sb = new StringBuilder("User username=\"");
+ sb.append(RequestUtil.filter(username));
+ sb.append("\"");
+ if (fullName != null) {
+ sb.append(", fullName=\"");
+ sb.append(RequestUtil.filter(fullName));
+ sb.append("\"");
+ }
+ synchronized (groups) {
+ if (groups.size() > 0) {
+ sb.append(", groups=\"");
+ int n = 0;
+ Iterator<Group> values = groups.iterator();
+ while (values.hasNext()) {
+ if (n > 0) {
+ sb.append(',');
+ }
+ n++;
+ sb.append(RequestUtil.filter(values.next().getGroupname()));
+ }
+ sb.append("\"");
+ }
+ }
+ synchronized (roles) {
+ if (roles.size() > 0) {
+ sb.append(", roles=\"");
+ int n = 0;
+ Iterator<Role> values = roles.iterator();
+ while (values.hasNext()) {
+ if (n > 0) {
+ sb.append(',');
+ }
+ n++;
+ sb.append(RequestUtil.filter(values.next().getRolename()));
+ }
+ sb.append("\"");
+ }
+ }
+ return (sb.toString());
+ }
+
+
}
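Review bot: The new toString() Javadoc should state that the password is deliberately omitted, since that omission is the reason the method exists and nothing in the code marks it; e.g. `* <p>Return a String representation of this user. The password is intentionally not included so that this value is safe to use in exception messages and log output.</p>` As a point of style, `if (groups.size() > 0)` and `if (roles.size() > 0)` read better as `if (!groups.isEmpty())` and `if (!roles.isEmpty())`, and the two loops differ only in the accessor called. The `synchronized (groups)` and `synchronized (roles)` blocks follow the pattern of the surrounding class as far as the hunk shows and are fine as written.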
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/users/MemoryUserDatabase.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/users/MemoryUserDatabase.java 2011-11-24
10:25:05 UTC (rev 1874)
+++
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/users/MemoryUserDatabase.java 2011-11-24
10:40:48 UTC (rev 1875)
@@ -541,7 +541,7 @@
values = getUsers();
while (values.hasNext()) {
writer.print(" ");
- writer.println(values.next());
+ writer.println(((MemoryUser) values.next()).toXml());
}
// Print the file epilog
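Review bot: The added cast `(MemoryUser) values.next()` assumes every entry returned by getUsers() is a MemoryUser; that holds if createUser is the only way entries reach this database, but the hunk does not show it, and a foreign User implementation would now fail save() with a ClassCastException partway through writing the file. The cast is apparently needed because toXml() is not on the User interface, so a one-line comment documenting the invariant helps the next reader: `// Entries are always MemoryUser (see createUser), which is what provides toXml().` If the backing map is typed, iterating its values as MemoryUser would remove the cast entirely. save()'s body starts and ends outside the hunk.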