| Summary: | [GSS] (6.3.0) remote ejb client code converts '$$' to '$' in passwords | | |
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Derek Horton <dehort> |
| Component: | EJB | Assignee: | David M. Lloyd <david.lloyd> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Jan Martiska <jmartisk> |
| Severity: | unspecified | Docs Contact: | Nidhi <nsriniva> |
| Priority: | unspecified | | |
| Version: | 6.1.1 | CC: | cdewolf, nsriniva, smumford |
| Target Milestone: | --- | | |
| Target Release: | EAP 6.3.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Previous versions of JBoss EAP 6 carried a bug that caused `PropertiesBasedEJBClientConfiguration` to attempt to expand passwords containing a double dollar sign ($$) as if it were an expression. This could have caused incorrect passwords to be passed between the server and client. The `PropertiesValueResolver` has been modified in this release so that it does not expand passwords by default. This resolves the issue. If expansion is required, it can be enabled by setting `jboss-ejb-client.expandPasswords` to `true`. | | |
| Story Points: | --- | | |
| Clone Of: | | | |
| : | 1065519 | Environment: | |
| Last Closed: | 2014-06-28 15:31:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 1065519, 1065525 | | |
Potential patch:
From 6b6d8b8879bdb718290e9ef7e19ebed5c9e94d05 Mon Sep 17 00:00:00 2001
From: Derek Horton <dehort>
Date: Fri, 20 Dec 2013 14:55:09 -0600
Subject: [PATCH] Disable password expansion by default [bz-1045105]
---
.../jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java b/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java
index b838165..46086d3 100644
--- a/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java
+++ b/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java
@@ -101,13 +101,21 @@ public class PropertiesBasedEJBClientConfiguration implements EJBClientConfigura
private long reconnectTasksTimeout = 0;
private DeploymentNodeSelector deploymentNodeSelector = new RandomDeploymentNodeSelector();
+ private static final boolean expandPasswords = Boolean.valueOf(
+ System.getProperty("jboss-ejb-client.expandPasswords", "false")).booleanValue();
+
public PropertiesBasedEJBClientConfiguration(final Properties properties) {
final Properties resolvedProperties = new Properties();
if (properties != null) {
for (Map.Entry<Object, Object> entry : properties.entrySet()) {
Object value = entry.getValue();
if (value instanceof String) {
+ boolean propertyIsAPassword = ((String)entry.getKey()).indexOf(PROPERTY_KEY_PASSWORD) >= 0 ? true : false;
+ // if its not a password...expand it
+ // if it is a password and we're supposed to expand it...then do so
+ if( !propertyIsAPassword || ( propertyIsAPassword && expandPasswords ) ) {
value = PropertiesValueResolver.replaceProperties((String) value);
+ }
}
resolvedProperties.put(entry.getKey(), value);
}
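Review bot: the password test in this hunk is more convoluted than it needs to be, and the new switch is undocumented. `indexOf(PROPERTY_KEY_PASSWORD) >= 0 ? true : false` is just `indexOf(PROPERTY_KEY_PASSWORD) >= 0`, and because the `||` already covers `!propertyIsAPassword`, the right-hand `propertyIsAPassword && expandPasswords` reduces to `expandPasswords`, so the whole condition can read `if (!propertyIsAPassword || expandPasswords)`. Two behavioural points worth a comment or Javadoc on the field: `expandPasswords` is a `static final` read once from `System.getProperty("jboss-ejb-client.expandPasswords", "false")` when the class loads, so it cannot differ between configurations in the same JVM and must be set before the class is first touched; and the detection is a substring match on the key, so every key containing `PROPERTY_KEY_PASSWORD` is exempted from expansion, not only an exact `password` key. The new system property should also be added to the client documentation, and "if its" in the comment should be "if it's".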
--
1.8.3.1
Pull requests: master: https://github.com/jbossas/jboss-ejb-client/pull/60, 1.0: https://github.com/jbossas/jboss-ejb-client/pull/59

Documenting as a Known Issue, as the bug was still in NEW state at the time of writing the release note text. The following can be used as a release note for a release when this issue is resolved:

Previous versions of JBoss EAP 6 carried a bug that caused `PropertiesBasedEJBClientConfiguration` to attempt to expand passwords containing a double dollar sign ($$) as if it were an expression. This could have caused incorrect passwords to be passed between the server and client. The `PropertiesValueResolver` has been modified in this release so that it does not expand passwords by default. This resolves the issue. If expansion is required, it can be enabled by setting `jboss-ejb-client.expandPasswords` to `true`.

Looks like we lost track of this one - it is already fixed in EAP 6.3.0.ER3 through an upgrade to JBoss EJB Client 1.0.25.Final. Therefore the release note should also be changed accordingly.
Description of problem:

When using the PropertiesBasedEJBClientConfiguration on a remote standalone ejb client, passwords that contain '$$' get converted to '$'. This causes the password validation to fail on the server side. For example, if the password is 'bar$$' on the client, it shows up on the server side as 'bar$'.

I have tracked the issue down to the PropertiesValueResolver [1] object. Should the code be modified to disable password expansion by default? Perhaps password expansion (${IMA_PASSWORD_SYS_PROP} => 'imapassword') should be enabled using a system property.

[1] https://github.com/jbossas/jboss-ejb-client/blob/1.0.23.Final/src/main/java/org/jboss/ejb/client/PropertiesValueResolver.java
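The mechanism behind this report, as an added worked example (this is not code from the jboss-ejb-client project): a deliberately small stand-in for `PropertiesValueResolver` that implements only the two behaviours relevant here, `${name}` expansion from system properties and the `$$` escape that collapses to a single `$`, together with a resolution loop modelled on the patched constructor's `expandPasswords` gate. The value of `PROPERTY_KEY_PASSWORD`, the `remote.connection.default.*` key names and every sample value are assumptions made for the demo; the real resolver accepts more syntax than this.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

/**
 * Added illustration of the '$$' -> '$' password defect and the expandPasswords fix.
 * NOT the JBoss PropertiesValueResolver: a simplified stand-in (assumption) that
 * only handles "${name}" expansion and the "$$" escape.
 */
public class PasswordExpansionDemo {

    /** Assumed value of the PROPERTY_KEY_PASSWORD constant referenced in the patch. */
    static final String PROPERTY_KEY_PASSWORD = "password";

    /** Simplified resolver: replaces ${name} with System.getProperty(name), collapses $$ to $. */
    static String replaceProperties(String value) {
        StringBuilder out = new StringBuilder();
        int i = 0;
        while (i < value.length()) {
            char ch = value.charAt(i);
            if (ch == '$' && i + 1 < value.length()) {
                char next = value.charAt(i + 1);
                if (next == '$') {                      // "$$" escape -> literal "$"
                    out.append('$');
                    i += 2;
                    continue;
                }
                if (next == '{') {                      // "${name}" -> system property, or left as-is
                    int close = value.indexOf('}', i + 2);
                    if (close > 0) {
                        String name = value.substring(i + 2, close);
                        String sys = System.getProperty(name);
                        out.append(sys != null ? sys : value.substring(i, close + 1));
                        i = close + 1;
                        continue;
                    }
                }
            }
            out.append(ch);
            i++;
        }
        return out.toString();
    }

    /**
     * Resolution loop modelled on the patched constructor: every String value is
     * expanded unless its key contains PROPERTY_KEY_PASSWORD and expandPasswords is false.
     */
    static Map<String, String> resolve(Properties props, boolean expandPasswords) {
        Map<String, String> resolved = new LinkedHashMap<>();
        for (String key : props.stringPropertyNames()) {
            String value = props.getProperty(key);
            boolean isPassword = key.indexOf(PROPERTY_KEY_PASSWORD) >= 0;   // substring match, as in the patch
            if (!isPassword || expandPasswords) {
                value = replaceProperties(value);
            }
            resolved.put(key, value);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample configuration. The key names follow the
        // remote.connection.<name>.* scheme of jboss-ejb-client (assumption); values are made up.
        Properties props = new Properties();
        props.setProperty("remote.connection.default.host", "${demo.ejb.host}");
        props.setProperty("remote.connection.default.username", "appuser");
        props.setProperty("remote.connection.default.password", "bar$$");
        System.setProperty("demo.ejb.host", "ejb.example.internal");

        // Pre-fix behaviour: every value, passwords included, goes through the resolver.
        Map<String, String> buggy = resolve(props, true);
        System.out.println("expandPasswords=true  password -> " + buggy.get("remote.connection.default.password"));

        // Patched default: password keys bypass the resolver, other values are still expanded.
        Map<String, String> fixed = resolve(props, false);
        System.out.println("expandPasswords=false password -> " + fixed.get("remote.connection.default.password"));
        System.out.println("expandPasswords=false host     -> " + fixed.get("remote.connection.default.host"));
    }
}
```

Compile and run with `javac PasswordExpansionDemo.java && java PasswordExpansionDemo`. With `expandPasswords` true the constructed password `bar$$` is collapsed to `bar$`, the same mismatch the reporter saw on the server side; with the patched default of false it passes through unchanged while the non-password `host` value is still expanded. Because the gate is a substring test on the key, any property whose key contains `password` is exempted, which is also why a literal `${...}` inside a password no longer expands unless the system property is set.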