From 7edd2d41a3b067752532be6a2a8a6b6ce2851786 Mon Sep 17 00:00:00 2001 From: Aidan Skinner Date: Mon, 7 Jul 2008 14:44:54 +0000 Subject: QPID-474 Make sure that our SASL servers actually, y'know, validate the password AmqPlainSaslServer.java: Actually check password PlainSaslServer.java: Actually check password SaslServerTestCase.java: base test case for testing our SASL impls AMQPlainSaslServerTest.java: test the AMQPlainSaslServer dealie PlainSaslServerTest.java: test the PlainSaslServer TestPrincipalDatabase.java: Mockish TestPrincipalDatabase git-svn-id: https://svn.apache.org/repos/asf/incubator/qpid/trunk/qpid@674510 13f79535-47bb-0310-9956-ffa450edef68 --- .../server/security/auth/sasl/amqplain/AmqPlainSaslServer.java | 9 ++++++--- .../qpid/server/security/auth/sasl/plain/PlainSaslServer.java | 10 ++++++---- 2 files changed, 12 insertions(+), 7 deletions(-) (limited to 'java/broker/src/main') diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainSaslServer.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainSaslServer.java index 7842f376fb..9f56b8521a 100644 --- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainSaslServer.java +++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainSaslServer.java @@ -68,12 +68,15 @@ public class AmqPlainSaslServer implements SaslServer PasswordCallback passwordCb = new PasswordCallback("prompt", false); // TODO: should not get pwd as a String but as a char array... String pwd = (String) ft.getString("PASSWORD"); - passwordCb.setPassword(pwd.toCharArray()); AuthorizeCallback authzCb = new AuthorizeCallback(username, username); Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb}; _cbh.handle(callbacks); - _complete = true; - if (authzCb.isAuthorized()) + String storedPwd = new String(passwordCb.getPassword()); + if (storedPwd.equals(pwd)) + { + _complete = true; + } + if (authzCb.isAuthorized() && _complete) { _authorizationId = authzCb.getAuthenticationID(); return null; diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java index 36aeb77fe1..45fb9a4e42 100644 --- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java +++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java @@ -72,17 +72,19 @@ public class PlainSaslServer implements SaslServer // we do not care about the prompt but it throws if null NameCallback nameCb = new NameCallback("prompt", authzid); - // we do not care about the prompt but it throws if null PasswordCallback passwordCb = new PasswordCallback("prompt", false); // TODO: should not get pwd as a String but as a char array... int passwordLen = response.length - authcidNullPosition - 1; String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8"); - passwordCb.setPassword(pwd.toCharArray()); AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid); Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb}; _cbh.handle(callbacks); - _complete = true; - if (authzCb.isAuthorized()) + String storedPwd = new String(passwordCb.getPassword()); + if (storedPwd.equals(pwd)) + { + _complete = true; + } + if (authzCb.isAuthorized() && _complete) { _authorizationId = authzCb.getAuthenticationID(); return null; -- cgit v1.2.1