SimpleAuthenticator rejects cached one-way encrypted passwords
--------------------------------------------------------------

Key: DIRSERVER-1007
URL: https://issues.apache.org/jira/browse/DIRSERVER-1007
Project: Directory ApacheDS
Issue Type: Bug
Affects Versions: 1.5.0
Reporter: Jonah Beckford
Priority: Minor


Conditions

- userPassword is stored as {SHA} (or some other one-way encryption) in
 the DIT
- authentication request has password credentials sent in plain text

Behavior

- The first authentication request is successful.
- All subsequent requests fail

Cause

- The one-way encrypted password is stored in the credentialCache after the 
first request, and subsequent (plain text) requests don't match what is stor
ed in the credentialCache

Fix

- Do the same match checking on each request, regardless whether in cache or
 not in cache
- Change SimpleAuthenticator::authenticate from:

if ( principal != null )
{
// Found ! Are the password equals ?
credentialsMatch = Arrays.equals( credentials, principal.getUserPassword() )
;
}
else
{
// Not found ...
// Get the user password from the backend
byte[] userPassword = lookupUserPassword( principalDn );

.. BLOCK # 1 ...
}

to:
// Get the user password (from the backend if not in the cache)
byte[] userPassword = null;
if (principal == null)
userPassword = lookupUserPassword(principalDn);
else
userPassword = principal.getUserPassword();

.. BLOCK # 1 ...



--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[ Post a follow-up to this message ]