[jira] Resolved: (DIRSERVER-868) SimpleAuthenticator contains many
Emmanuel Lecharny (JIRA)


03-11-07 12:11 PM


[ https://issues.apache.org/jira/brow...ls:all-tabpanel ]

Emmanuel Lecharny resolved DIRSERVER-868.
-----------------------------------------

Resolution: Fixed

All the issues are now fixed.

> SimpleAuthenticator contains many potential pbs
> -----------------------------------------------
>
>                 Key: DIRSERVER-868
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-868
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 1.0.1, 1.5.0
>            Reporter: Emmanuel Lecharny
>         Assigned To: Emmanuel Lecharny
>             Fix For: 1.5.0
>
>
> While analysing the Authenticator classes, I found that the SimpleAuthenticator won't deal correctly with many potential cases:
> - The credentials stored in the java.naming.security.credentials may be a byte array, so transforming it to a String may simply fail
> - as we use a WeakHashMap to store some cached passwords, it would be good to check that the password has correctly been got from the cache, not that the password exists in the cache then try to get it. We may have a null password in this case.
> - it may be possible that the user hasn't created a password. In this case, we will get an Authentication error because the password won't be found on the server, and the code is expecting to get something.
> - if the password is encrypted, it must be stored as a base 64 encoded String into the server, prefixed with the encryption mechanism. This is OK, but then we can compare passwords using a String comparison, not an Arrays.equals() on byte arrays, as both elements are Strings.
> I might have missed some steps, or be wrong, so consider this JIRA as a reminder for the real issues.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
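
The four cases listed in the report above (credentials arriving as a byte array, a cache lookup that can return null, an entry with no password, and comparison against a scheme-prefixed base64 value), shown as an added Java example that is not ApacheDS code. The class, the two maps and the sample entries are hypothetical, only the `{SHA}` scheme is handled, and `MessageDigest.isEqual` is this example's choice for the final comparison.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class SimpleBindCheck {
    // Hypothetical stand-in for the authenticator's password cache: DN -> stored password value.
    private final Map<String, byte[]> cache = new WeakHashMap<>();
    // Hypothetical stand-in for the directory backend.
    private final Map<String, byte[]> store;
    SimpleBindCheck(Map<String, byte[]> store) { this.store = store; }

    // java.naming.security.credentials may hold a String or a byte[]; accept both.
    static byte[] toBytes(Object creds) {
        if (creds instanceof byte[]) return (byte[]) creds;
        if (creds instanceof String) return ((String) creds).getBytes(StandardCharsets.UTF_8);
        return null; // absent or unsupported type: the caller treats this as a failed bind
    }

    boolean authenticate(String dn, Object creds) throws Exception {
        byte[] supplied = toBytes(creds);
        // One get() plus a null check: a WeakHashMap entry can vanish between containsKey() and get().
        byte[] stored = cache.get(dn);
        if (stored == null) {
            stored = store.get(dn);
            if (stored != null) cache.put(dn, stored);
        }
        // A user with no stored password is a clean authentication failure, not an exception.
        if (supplied == null || stored == null) return false;
        String s = new String(stored, StandardCharsets.UTF_8);
        if (s.startsWith("{SHA}")) {
            // Stored form is "{SHA}" + base64(digest): put the supplied value into the same form.
            byte[] digest = MessageDigest.getInstance("SHA-1").digest(supplied);
            String encoded = "{SHA}" + Base64.getEncoder().encodeToString(digest);
            supplied = encoded.getBytes(StandardCharsets.UTF_8);
        }
        return MessageDigest.isEqual(supplied, stored); // time-constant comparison of both forms
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample entries: one hashed password, one plain, and no entry for carol.
        byte[] sha = MessageDigest.getInstance("SHA-1").digest("secret".getBytes(StandardCharsets.UTF_8));
        Map<String, byte[]> store = new HashMap<>();
        store.put("uid=alice", ("{SHA}" + Base64.getEncoder().encodeToString(sha)).getBytes(StandardCharsets.UTF_8));
        store.put("uid=bob", "plain".getBytes(StandardCharsets.UTF_8));
        SimpleBindCheck auth = new SimpleBindCheck(store);
        System.out.println(auth.authenticate("uid=alice", "secret".getBytes(StandardCharsets.UTF_8)));
        System.out.println(auth.authenticate("uid=bob", "plain"));
        System.out.println(auth.authenticate("uid=carol", "anything"));
    }
}
```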






