authorAidan Skinner <aidan@apache.org>2008-07-07 14:44:54 +0000
committerAidan Skinner <aidan@apache.org>2008-07-07 14:44:54 +0000
commit1d3fdff5bd662c118ce4fd95fd12a1d41c25f494 (patch)
tree6fd904d3644b8bc5159dfa5bc3f989c41c205bd3 /qpid/java/broker/src/main
parent8966ecc7ea1d661db0beb269e21b73a955fd9673 (diff)
QPID-474 Make sure that our SASL servers actually, y'know, validate the password
AmqPlainSaslServer.java: Actually check password PlainSaslServer.java: Actually check password SaslServerTestCase.java: base test case for testing our SASL impls AMQPlainSaslServerTest.java: test the AMQPlainSaslServer dealie PlainSaslServerTest.java: test the PlainSaslServer TestPrincipalDatabase.java: Mockish TestPrincipalDatabase git-svn-id: https://svn.apache.org/repos/asf/incubator/qpid/trunk@674510 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/broker/src/main')
-rw-r--r--qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainSaslServer.java9
-rw-r--r--qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java10
2 files changed, 12 insertions, 7 deletions
diff --git a/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainSaslServer.java b/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainSaslServer.java
index 7842f376fb..9f56b8521a 100644
--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainSaslServer.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainSaslServer.java
@@ -68,12 +68,15 @@ public class AmqPlainSaslServer implements SaslServer
PasswordCallback passwordCb = new PasswordCallback("prompt", false);
// TODO: should not get pwd as a String but as a char array...
String pwd = (String) ft.getString("PASSWORD");
- passwordCb.setPassword(pwd.toCharArray());
AuthorizeCallback authzCb = new AuthorizeCallback(username, username);
Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
_cbh.handle(callbacks);
- _complete = true;
- if (authzCb.isAuthorized())
+ String storedPwd = new String(passwordCb.getPassword());
+ if (storedPwd.equals(pwd))
+ {
+ _complete = true;
+ }
+ if (authzCb.isAuthorized() && _complete)
{
_authorizationId = authzCb.getAuthenticationID();
return null;
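Review bot: `String storedPwd = new String(passwordCb.getPassword());` on the added line throws NullPointerException if the callback handler leaves the password unset, which appears to be what happens when the username is unknown, so an unknown user would surface as an NPE out of the SASL exchange instead of an ordinary authentication failure; the PlainSaslServer hunk has the same lines. `storedPwd.equals(pwd)` also returns at the first differing character, which makes the comparison time depend on how much of the password prefix is correct, and copying the stored credential into a String leaves an immutable copy on the heap that `passwordCb.clearPassword()` cannot wipe. I would guard the null case, compare the char arrays with a loop that always runs to the end (length still differs observably, which is acceptable here), set `_complete` only on a match, and clear the callback afterwards. The enclosing method continues outside the hunk, so the fallthrough for `_complete == false` is not visible here.
```java
_cbh.handle(callbacks);
char[] stored = passwordCb.getPassword();
char[] supplied = pwd == null ? null : pwd.toCharArray();
// Unknown user or unset password never matches; compare every char so timing does not leak the prefix.
boolean match = stored != null && supplied != null && stored.length == supplied.length;
if (match)
{
    int diff = 0;
    for (int i = 0; i < stored.length; i++)
    {
        diff |= stored[i] ^ supplied[i];
    }
    match = diff == 0;
}
if (match)
{
    _complete = true;
}
passwordCb.clearPassword();
// … unchanged: authorization check and return …
```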
diff --git a/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java b/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java
index 36aeb77fe1..45fb9a4e42 100644
--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java
@@ -72,17 +72,19 @@ public class PlainSaslServer implements SaslServer
// we do not care about the prompt but it throws if null
NameCallback nameCb = new NameCallback("prompt", authzid);
- // we do not care about the prompt but it throws if null
PasswordCallback passwordCb = new PasswordCallback("prompt", false);
// TODO: should not get pwd as a String but as a char array...
int passwordLen = response.length - authcidNullPosition - 1;
String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8");
- passwordCb.setPassword(pwd.toCharArray());
AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid);
Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
_cbh.handle(callbacks);
- _complete = true;
- if (authzCb.isAuthorized())
+ String storedPwd = new String(passwordCb.getPassword());
+ if (storedPwd.equals(pwd))
+ {
+ _complete = true;
+ }
+ if (authzCb.isAuthorized() && _complete)
{
_authorizationId = authzCb.getAuthenticationID();
return null;