[jboss-jira] [JBoss JIRA] (AS7-5275) Vault shared key is displaying the byte[] address

Jeff Mesnil (JIRA) jira-events at lists.jboss.org
Wed Aug 1 03:03:07 EDT 2012


    [ https://issues.jboss.org/browse/AS7-5275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12709069#comment-12709069 ] 

Jeff Mesnil commented on AS7-5275:
----------------------------------

Stefan, I wrote a patch to fix this issue[1] but it makes the test suite fail in LdapExtLoginModuleTestCase test cases[2] (I'm not an LDAP expert...)

[1] https://github.com/jbossas/jboss-as/pull/2770
[2] http://lightning.mw.lab.eng.bos.redhat.com/jenkins/job/as7-param-pull/3333/

                
> Vault shared key is displaying the byte[] address
> -------------------------------------------------
>
>                 Key: AS7-5275
>                 URL: https://issues.jboss.org/browse/AS7-5275
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Security
>         Environment: AS7 trunk branch
>            Reporter: Jeff Mesnil
>            Assignee: Stefan Guilhen
>            Priority: Critical
>
> I added a secured attribute with vault.sh but the shared key looked suspicious:
> {noformat}
> ********************************************
> Vault Block:HQ
> Attribute Name:thePass
> Shared Key:[B@52621f0c
> Configuration should be done as follows:
> VAULT::HQ::thePass::[B@52621f0c
> ********************************************
> {noformat}
> Looking at VaultSession#attributeCreatedDisplay(), the byte[] handshakeKey is displayed by calling toString() => this displays its address, not a textual representation of the bytes.
> When the shared key is read in RuntimeVaultReader, we call String.getBytes() to get back the byte[].
> A simple fix is to display the handshakeKey with new String(handshakeKey).
> However this will work only if the default charset is the same on machines that store the secured attribute and read from it.
> It'd be safe to use always the same Charset (e.g. US-ASCII or UTF-8).
> I've raised the priority to critical since it is not possible to use any secured attribute if the handshake is not properly displayed.

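The display bug and the charset concern described in the issue, shown as an added Java example (not code from the pull request or from the JBoss AS code base). The class and method names are hypothetical, the sample key is constructed, and the key is assumed to be textual.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical stand-alone class; names are illustrative, not the project's.
public class SharedKeyDisplay {
    // One fixed charset for both the side that displays the key and the side that reads it.
    static final Charset KEY_CHARSET = StandardCharsets.UTF_8;

    // The reported behaviour: byte[] does not override toString(), so the
    // result is "[B@<identity hash>" and carries none of the key material.
    static String displayBroken(byte[] key) {
        return key.toString();
    }

    // Display with an explicit charset, refusing a key that would not
    // survive the String round trip (for example invalid UTF-8 sequences).
    static String display(byte[] key) {
        String text = new String(key, KEY_CHARSET);
        if (!Arrays.equals(text.getBytes(KEY_CHARSET), key)) {
            throw new IllegalArgumentException("key is not valid " + KEY_CHARSET + " text");
        }
        return text;
    }

    // Reading side: the same explicit charset instead of a bare String.getBytes().
    static byte[] read(String displayed) {
        return displayed.getBytes(KEY_CHARSET);
    }

    public static void main(String[] args) {
        // Constructed sample key containing one non-ASCII character.
        byte[] key = "s3cr\u00e9t-handshake".getBytes(StandardCharsets.UTF_8);

        String broken = displayBroken(key);
        System.out.println("toString():        " + broken);
        System.out.println("  round trip ok:   " + Arrays.equals(read(broken), key));

        String shown = display(key);
        System.out.println("fixed charset:     " + shown);
        System.out.println("  round trip ok:   " + Arrays.equals(read(shown), key));

        // Writer and reader disagreeing on the charset, as can happen when
        // each machine relies on its own platform default.
        String mismatched = new String(key, StandardCharsets.ISO_8859_1);
        System.out.println("mismatch trip ok:  "
                + Arrays.equals(mismatched.getBytes(StandardCharsets.UTF_8), key));
    }
}
```

Only the fixed-charset path reproduces the original bytes; the `toString()` value and the mismatched-charset value both yield a different byte[] on the reading side.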