[jboss-cvs] JBossAS SVN: r114516 - in projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss: security and 1 other directory.

jboss-cvs-commits at lists.jboss.org
Mon Sep 30 16:58:47 EDT 2013


Author: jiwils
Date: 2013-09-30 16:58:47 -0400 (Mon, 30 Sep 2013)
New Revision: 114516

Modified:
   projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss/resource/security/CallerIdentityLoginModule.java
   projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss/security/SecurityAssociation.java
Log:
Fix for CVE-2012-3370; JBPAPP-10871 has a backport of JBPAPP-9388 as well as JBPAPP-5081.

Modified: projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss/resource/security/CallerIdentityLoginModule.java
===================================================================
--- projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss/resource/security/CallerIdentityLoginModule.java	2013-09-27 21:03:45 UTC (rev 114515)
+++ projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss/resource/security/CallerIdentityLoginModule.java	2013-09-30 20:58:47 UTC (rev 114516)
@@ -108,6 +108,7 @@
       if (pass == null)
       {
          log.debug("No default password supplied.");
+         password = null;
       }
       else
       {

Modified: projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss/security/SecurityAssociation.java
===================================================================
--- projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss/security/SecurityAssociation.java	2013-09-27 21:03:45 UTC (rev 114515)
+++ projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss/security/SecurityAssociation.java	2013-09-30 20:58:47 UTC (rev 114516)
@@ -267,9 +267,12 @@
       {
          if(trace)
             log.warn("You are using deprecated api to getCredential. Use security context based approach");
-         credential = sc.getUtil().getCredential();
+         return sc.getUtil().getCredential();
       }
-      return credential;
+      else
+      {
+         return null;
+      }
    }
 
    /**
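Review bot: the `else { return null; }` following an unconditional `return` in the `if` branch is dead structure; a plain `return null;` after the block is cleaner. More important, with the assignment `credential = sc.getUtil().getCredential();` gone, confirm that `credential` is still read or written anywhere else: it was what this method returned on the no-security-context path, and if it is now only written and never read it should be removed rather than left holding a value the method no longer returns. The behaviour change (null instead of the previously stored value when no security context is set) also belongs in the method's Javadoc next to the deprecation note, since callers of the deprecated API will see a different result.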
