[jboss-cvs] JBossAS SVN: r114516 - in projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss: security and 1 other directory.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Mon Sep 30 16:58:47 EDT 2013
Author: jiwils
Date: 2013-09-30 16:58:47 -0400 (Mon, 30 Sep 2013)
New Revision: 114516
Modified:
projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss/resource/security/CallerIdentityLoginModule.java
projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss/security/SecurityAssociation.java
Log:
Fix for CVE-2012-3370; JBPAPP-10871 has a backport of JBPAPP-9388 as well as JBPAPP-5081.
Modified: projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss/resource/security/CallerIdentityLoginModule.java
===================================================================
--- projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss/resource/security/CallerIdentityLoginModule.java 2013-09-27 21:03:45 UTC (rev 114515)
+++ projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss/resource/security/CallerIdentityLoginModule.java 2013-09-30 20:58:47 UTC (rev 114516)
@@ -108,6 +108,7 @@
if (pass == null)
{
log.debug("No default password supplied.");
+ password = null;
}
else
{
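Review bot: The added `password = null;` in the `pass == null` branch carries no comment, so it reads like a redundant assignment that a later cleanup could drop. Going by the commit log, it is there for CVE-2012-3370, presumably so that a login with no default password cannot inherit a value left by an earlier one. A line such as `// CVE-2012-3370: discard any password kept from a previous login` would record that. If `password` is a `char[]` (its declaration is outside the hunk) and the array is not shared with another holder, `if (password != null) Arrays.fill(password, '\0');` before the reset would also stop the old secret lingering on the heap. The enclosing method starts and ends outside the hunk.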
Modified: projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss/security/SecurityAssociation.java
===================================================================
--- projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss/security/SecurityAssociation.java 2013-09-27 21:03:45 UTC (rev 114515)
+++ projects/security/security-jboss-sx/branches/2.0.4.SP3_JBPAPP-10871/jbosssx/src/main/java/org/jboss/security/SecurityAssociation.java 2013-09-30 20:58:47 UTC (rev 114516)
@@ -267,9 +267,12 @@
{
if(trace)
log.warn("You are using deprecated api to getCredential. Use security context based approach");
- credential = sc.getUtil().getCredential();
+ return sc.getUtil().getCredential();
}
- return credential;
+ else
+ {
+ return null;
+ }
}
/**
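Review bot: The new `else { return null; }` branch returns null silently in what is presumably the no-security-context case (the `if` condition is outside the hunk), where the old code fell back to the `credential` variable. Callers that relied on that fallback now receive null, so the method's Javadoc should state it, e.g. `@return the credential from the current security context, or null if none is established`. The `else` after a `return` is also redundant; a bare `return null;` after the block is simpler. Whether `credential` is still written elsewhere in the class is not visible here; if it is, it now holds a secret that this method never reads and is worth removing.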