Bug 1045105

Summary: [GSS] (6.3.0) remote ejb client code converts '$$' to '$' in passwords
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Derek Horton <dehort>
Component: EJB
Assignee: David M. Lloyd <david.lloyd>
Status: CLOSED CURRENTRELEASE
QA Contact: Jan Martiska <jmartisk>
Severity: unspecified
Docs Contact: Nidhi <nsriniva>
Priority: unspecified
Version: 6.1.1
CC: cdewolf, nsriniva, smumford
Target Release: EAP 6.3.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Previous versions of JBoss EAP 6 carried a bug that caused `PropertiesBasedEJBClientConfiguration` to attempt to expand passwords containing a double dollar sign ($$) as if it was an expression. This could have caused incorrect passwords to be passed between the server and client. The `PropertiesValueResolver` has been modified in this release so that it does not expand passwords by default. This resolves the issue. If expansion is required, it can be enabled by setting `jboss-ejb-client.expandPasswords` to `true`.
Clone Of:
: 1065519
Last Closed: 2014-06-28 15:31:03 UTC
Type: Bug
Bug Blocks: 1065519, 1065525

Description Derek Horton 2013-12-19 15:47:54 UTC
Description of problem:

When using the PropertiesBasedEJBClientConfiguration on a remote standalone ejb client, passwords that contain '$$' get converted to '$'. This causes the password validation to fail on the server side. For example, if the password is 'bar$$' on the client, it shows up on the server side as 'bar$'.

I have tracked the issue down to the PropertiesValueResolver [1] object.

Should the code be modified to disable password expansion by default?  Perhaps password expansion (${IMA_PASSWORD_SYS_PROP} => 'imapassword') should be enabled using a system property.

[1] https://github.com/jbossas/jboss-ejb-client/blob/1.0.23.Final/src/main/java/org/jboss/ejb/client/PropertiesValueResolver.java
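
A self-contained Java sketch, added here and not code from the jboss-ejb-client project, of the behaviour described above: a stand-in resolver expands `${...}` references from system properties and collapses `$$` to `$`, and is run over a constructed client configuration first unconditionally (the reported bug) and then with password keys skipped unless `jboss-ejb-client.expandPasswords` is set. The `replaceProperties` body, the `resolve` helper and the `"password"` key test are assumptions standing in for the real `PropertiesValueResolver` and `PROPERTY_KEY_PASSWORD`.

```java
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Constructed stand-in for the EJB client's resolver (not the real class):
// expands ${name} from system properties and, like the behaviour reported
// in this bug, collapses the "$$" escape to a single "$".
public class PasswordExpansionDemo {
    private static final Pattern REF = Pattern.compile("\\$\\{([^}]+)\\}");

    static String replaceProperties(String value) {
        Matcher m = REF.matcher(value);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            // unresolved references are left as written
            String resolved = System.getProperty(m.group(1), m.group(0));
            m.appendReplacement(sb, Matcher.quoteReplacement(resolved));
        }
        m.appendTail(sb);
        return sb.toString().replace("$$", "$"); // this is what mangles 'bar$$'
    }

    // Hardened resolution in the spirit of the fix: keys that look like
    // passwords (assumed: key contains "password") are passed through verbatim
    // unless jboss-ejb-client.expandPasswords=true is set explicitly.
    static Properties resolve(Properties in) {
        boolean expandPasswords = Boolean.parseBoolean(
            System.getProperty("jboss-ejb-client.expandPasswords", "false"));
        Properties out = new Properties();
        for (String key : in.stringPropertyNames()) {
            String value = in.getProperty(key);
            boolean isPassword = key.contains("password");
            out.setProperty(key, (!isPassword || expandPasswords) ? replaceProperties(value) : value);
        }
        return out;
    }

    public static void main(String[] args) {
        Properties p = new Properties(); // constructed sample client configuration
        p.setProperty("remote.connection.default.host", "${ejb.host}");
        p.setProperty("remote.connection.default.password", "bar$$");
        System.setProperty("ejb.host", "127.0.0.1");

        String pw = p.getProperty("remote.connection.default.password");
        System.out.println("unconditional expansion: " + replaceProperties(pw));
        Properties fixed = resolve(p);
        System.out.println("password left alone    : " + fixed.getProperty("remote.connection.default.password"));
        System.out.println("host still expanded    : " + fixed.getProperty("remote.connection.default.host"));
    }
}
```

Run it once as-is and once with `-Djboss-ejb-client.expandPasswords=true` to see the password key switch between the two behaviours while the host key is resolved either way.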

Comment 1 Derek Horton 2013-12-20 21:06:21 UTC
Potential patch:

From 6b6d8b8879bdb718290e9ef7e19ebed5c9e94d05 Mon Sep 17 00:00:00 2001
From: Derek Horton <dehort@redhat.com>
Date: Fri, 20 Dec 2013 14:55:09 -0600
Subject: [PATCH] Disable password expansion by default [bz-1045105]

---
 .../jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java   | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java b/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java
index b838165..46086d3 100644
--- a/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java
+++ b/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java
@@ -101,13 +101,21 @@ public class PropertiesBasedEJBClientConfiguration implements EJBClientConfigura
     private long reconnectTasksTimeout = 0;
     private DeploymentNodeSelector deploymentNodeSelector = new RandomDeploymentNodeSelector();
 
+    private static final boolean expandPasswords = Boolean.valueOf(
+        System.getProperty("jboss-ejb-client.expandPasswords", "false")).booleanValue();
+
     public PropertiesBasedEJBClientConfiguration(final Properties properties) {
         final Properties resolvedProperties = new Properties();
         if (properties != null) {
             for (Map.Entry<Object, Object> entry : properties.entrySet()) {
                 Object value = entry.getValue();
                 if (value instanceof String) {
+                   boolean propertyIsAPassword = ((String)entry.getKey()).indexOf(PROPERTY_KEY_PASSWORD) >= 0 ? true : false;
+                   // if its not a password...expand it
+                   // if it is a password and we're supposed to expand it...then do so
+                   if( !propertyIsAPassword || ( propertyIsAPassword && expandPasswords ) ) {
                     value = PropertiesValueResolver.replaceProperties((String) value);
+                   }
                 }
                 resolvedProperties.put(entry.getKey(), value);
             }
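Review bot: the cast `((String)entry.getKey())` on the first added line inside the loop is unchecked while the value on the line above is guarded by `instanceof String`; a `Properties` object populated through `put` can hold non-String keys, and the cast would then throw `ClassCastException` for the whole configuration. Guard the key the same way, e.g. `entry.getKey() instanceof String && ((String) entry.getKey()).contains(PROPERTY_KEY_PASSWORD)`, which also removes the redundant `indexOf(...) >= 0 ? true : false`. The condition `!propertyIsAPassword || (propertyIsAPassword && expandPasswords)` simplifies to `!propertyIsAPassword || expandPasswords`. Note also that `expandPasswords` is a `static final` read at class-load time, so `jboss-ejb-client.expandPasswords` only takes effect if it is set before the class is first loaded; that is worth stating in the property's documentation.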
-- 
1.8.3.1

Comment 4 Scott Mumford 2014-05-14 03:31:09 UTC
Documenting as a Known Issue as the bug is still in NEW state at the time of writing the release note text.

The following can be used as a release note for a release when this issue is resolved:

Previous versions of JBoss EAP 6 carried a bug that caused `PropertiesBasedEJBClientConfiguration` to attempt to expand passwords containing a double dollar sign ($$) as if it was an expression. This could have caused incorrect passwords to be passed between the server and client. The `PropertiesValueResolver` has been modified in this release so that it does not expand passwords by default. This resolves the issue.

If expansion is required, it can be enabled by setting `jboss-ejb-client.expandPasswords` to `true`.

Comment 5 Jan Martiska 2014-05-19 08:23:36 UTC
Looks like we lost track of this one - it is already fixed in EAP 6.3.0.ER3 through an upgrade to JBoss EJB Client 1.0.25.Final.

Therefore the release note should also be changed accordingly.