[jboss-jira] [JBoss JIRA] Closed: (SECURITY-242) Review SECURITY-158 changes
Anil Saldhana (JIRA)
jira-events at lists.jboss.org
Tue Jun 17 14:56:11 EDT 2008
[ http://jira.jboss.com/jira/browse/SECURITY-242?page=all ]
Anil Saldhana closed SECURITY-242.
----------------------------------
Resolution: Done
(01:16:24 PM) marcus: anil: SECURITY-158
(01:16:30 PM) anil: marcus: ?
(01:16:34 PM) marcus: anil: credential is not null
(01:16:52 PM) marcus: anil: it gets populated in the getUsernameAndPassword method
(01:17:39 PM) anil: the question is whether it gets added to the shared map
(01:18:28 PM) anil: the thing is the password that was passed via the callback handler needs to be placed in shared map
(01:21:02 PM) marcus: it gets added. if PasswordCallback returns anything, the credential is set, so is the password returned from getUsernameAndPassword
(01:21:24 PM) marcus: anil: if you add the password to the shared map, you could be adding it hashed
(01:21:42 PM) marcus: anil: which i don't think should be the case
(01:30:25 PM) anil: marcus: I think the user is correct
(01:30:35 PM) anil: see credential is the one that already existed in shared state
(01:30:49 PM) anil: so it either exists (if I am 2nd module) or is null
(01:31:11 PM) anil: password is what is returned by the handler and the JAAS contract says that that should be the pass that exists in the shared map
(01:31:15 PM) anil: can u validate this?
(01:41:37 PM) marcus: it is not null because in the getUsernameAndPassword method (called in login()) it is set to the value of the password callback
(01:44:13 PM) marcus: the only way the credential is null is if PasswordCallback.getPassword() is null
(01:44:31 PM) marcus: anil: i think the user is mistaken
(01:44:34 PM) anil: this is why global variables are dangerous
(01:45:40 PM) anil: marcus: I think in the end password and credential will contain the same information
(01:45:46 PM) anil: right?
(01:46:00 PM) anil: because of String pass = info[1]
(01:46:01 PM) marcus: no... the password can be hashed if the options are included
(01:46:21 PM) marcus: then it would store the hashed version of the password
(01:46:43 PM) marcus: and not the plain text, or char[]
(01:46:52 PM) marcus: which is the credential
(01:48:00 PM) anil: marcus: I think u r correct
(01:48:06 PM) anil: marcus: credential is the right password
(01:48:11 PM) anil: marcus: that is unchanged
(01:48:21 PM) marcus: anil: yes. i believe so
(01:49:08 PM) anil: marcus: thanks for the second look. I suspected something fishy here
> Review SECURITY-158 changes
> ---------------------------
>
> Key: SECURITY-242
> URL: http://jira.jboss.com/jira/browse/SECURITY-242
> Project: JBoss Security and Identity Management
> Issue Type: Sub-task
> Security Level: Public(Everyone can see)
> Components: JBossSX
> Reporter: Anil Saldhana
> Assigned To: Marcus Moyses
> Fix For: 2.0.2.CR4
>
>
> Can you please give a second look at this issue that I am fixing for CR4?
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
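The chat above turns on one distinction: the `credential` is exactly what the `PasswordCallback` returned, while `password` may be the hashed form when the module's `hashAlgorithm` option is set, and only the unhashed value belongs in the JAAS shared map. The login module below is an added illustration written for this note, not JBossSX code or the SECURITY-158 change itself. It assumes the standard JAAS shared-state keys (`javax.security.auth.login.name` / `javax.security.auth.login.password`), an option named `hashAlgorithm` as the chat describes, and a constructed in-memory user store; the class name and the stored user are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical module written for this note; it is not JBossSX code. */
public class SharedStateDemoLoginModule implements LoginModule {

    /** Keys the standard JAAS modules read when stacking on a previous module's login. */
    static final String NAME_KEY = "javax.security.auth.login.name";
    static final String PASSWORD_KEY = "javax.security.auth.login.password";

    /** Constructed user store: the stored digest is derived from a known plaintext at class load. */
    private static final Map<String, String> USER_STORE = new HashMap<>();
    static { USER_STORE.put("alice", hash("SHA-256", "correct horse".toCharArray())); }

    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private Map<String, ?> options;

    private String username;
    private char[] credential;  // exactly what the PasswordCallback returned, never hashed
    private String password;    // hashed form when the hashAlgorithm option is set

    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
        this.options = options;
    }

    @Override
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("No CallbackHandler available");
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("Callback handling failed: " + e.getMessage());
        }
        username = nc.getName();
        char[] fromCallback = pc.getPassword();
        if (username == null || fromCallback == null) {
            throw new LoginException("Name or password not supplied");
        }
        credential = fromCallback.clone();
        pc.clearPassword();

        // "password" is the form compared against the store; it is a digest when hashing is configured.
        String algorithm = (String) options.get("hashAlgorithm");
        password = (algorithm == null) ? new String(credential) : hash(algorithm, credential);

        String stored = USER_STORE.get(username);
        if (stored == null || !MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                                     password.getBytes(StandardCharsets.UTF_8))) {
            throw new LoginException("Invalid user or password");
        }

        // The shared map carries the callback value, not the digest; a stacked module that
        // reuses the first login would otherwise hash an already-hashed string.
        sharedState.put(NAME_KEY, username);
        sharedState.put(PASSWORD_KEY, credential);
        return true;
    }

    @Override public boolean commit() { return true; }
    @Override public boolean abort() { if (credential != null) Arrays.fill(credential, '\0'); return true; }
    @Override public boolean logout() { if (credential != null) Arrays.fill(credential, '\0'); return true; }

    /** Base64(digest(input)) with the named JCA algorithm. */
    static String hash(String algorithm, char[] input) {
        try {
            byte[] digest = MessageDigest.getInstance(algorithm)
                    .digest(new String(input).getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("Unknown hash algorithm: " + algorithm, e);
        }
    }

    public static void main(String[] args) throws LoginException {
        // Fixed handler standing in for an interactive one; values are constructed.
        CallbackHandler fixed = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else if (cb instanceof PasswordCallback)
                    ((PasswordCallback) cb).setPassword("correct horse".toCharArray());
            }
        };
        Map<String, Object> shared = new HashMap<>();
        Map<String, Object> opts = new HashMap<>();
        opts.put("hashAlgorithm", "SHA-256");
        LoginModule lm = new SharedStateDemoLoginModule();
        lm.initialize(new Subject(), fixed, shared, opts);
        lm.login();
        // Shows the typed password, not the SHA-256 digest that was compared against the store
        System.out.println(new String((char[]) shared.get(PASSWORD_KEY)));
    }
}
```

Running `main` shows the shared map holding the plaintext `char[]` even though the module validated a SHA-256 digest, which is the behaviour the chat settles on: the credential is unchanged, and the hashed `password` stays local to the module that computed it.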