Critical Description
This is a snippet from the evaluateResponse method in AmqPlainSaslServer:
String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8");
passwordCb.setPassword(pwd.toCharArray());
AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid);
Callback[] callbacks = new Callback[]
;
_cbh.handle(callbacks);
_complete = true;
The authzCb is always set to true!!
See the handler UsernamePasswordInitialiser
else if (callback instanceof AuthorizeCallback) {
((AuthorizeCallback) callback).setAuthorized(true);
As a result this will always allow access.
(from AmqPlainSaslServer.evaluteResponse() .. follows on from above snippet)
if (authzCb.isAuthorized())
{ _authorizationId = authzCb.getAuthenticationID(); return null; }else
{ throw new SaslException("Authentication failed"); }What needs to be done:
This line is wrong: (from AmqPlainSaslServer)
passwordCb.setPassword(pwd.toCharArray());
This is done in the PrincipalDatabases
So after the handle call
passwordCb.getPassword() should be compared to pwd verifying the password is correct.
Attachments
Issue Links
- blocks
-
QPID-292 Authentication failures are not properly handled
-
- Closed
-