[jboss-jira] [JBoss JIRA] Updated: (SECURITY-513) LdapExtLoginModule breaks if bindCredential is missing
Marcus Moyses (JIRA)
jira-events at lists.jboss.org
Tue Jul 6 14:32:47 EDT 2010
[ https://jira.jboss.org/browse/SECURITY-513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marcus Moyses updated SECURITY-513:
-----------------------------------
Fix Version/s: JBossSecurity_2.0.4.SP4
PicketBox_v3_0_beta6
> LdapExtLoginModule breaks if bindCredential is missing
> ------------------------------------------------------
>
> Key: SECURITY-513
> URL: https://jira.jboss.org/browse/SECURITY-513
> Project: PicketBox (JBoss Security and Identity Management)
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: JBossSecurity_2.0.4.SP1, PicketBox_v3_0_beta5
> Reporter: James Livingston
> Assignee: Marcus Moyses
> Fix For: JBossSecurity_2.0.4.SP4, PicketBox_v3_0_beta6
>
> Attachments: SECURITY-513.patch
>
>
> LdapExtLoginModule got changed for SECURITY-422 to allow external commands to be run by prefixing the credential with {EXT}. It doesn't check for null first which breaks support for anonymous login added in JBAS-3555.
> The trivial fix is to change the following line in LdapExtLoginModule.createLdapInitContext()
> if (this.bindCredential.startsWith("{EXT}"))
> to
> if (this.bindCredential != null && this.bindCredential.startsWith("{EXT}"))
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list