| Summary: | [GSS] (6.3.0) remote ejb client code converts '$$' to '$' in passwords | |||
|---|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Derek Horton <dehort> | |
| Component: | EJB | Assignee: | David M. Lloyd <david.lloyd> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Jan Martiska <jmartisk> | |
| Severity: | unspecified | Docs Contact: | Nidhi <nsriniva> | |
| Priority: | unspecified | |||
| Version: | 6.1.1 | CC: | cdewolf, nsriniva, smumford | |
| Target Milestone: | --- | |||
| Target Release: | EAP 6.3.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: |
Previous versions of JBoss EAP 6 carried a bug that caused `PropertiesBasedEJBClientConfiguration` to attempt to expand passwords containing a double dollar sign ($$) as if it was an expression. This could have caused incorrect passwords to be passed between the server and client.
The `PropertiesValueResolver` has been modified in this release so that it does not expand passwords by default. This resolves the issue.
If expansion is required, it can be enabled by setting`jboss-ejb-client.expandPasswords` to `true`.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1065519 (view as bug list) | Environment: | ||
| Last Closed: | 2014-06-28 15:31:03 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | |||
| Bug Depends On: | ||||
| Bug Blocks: | 1065519, 1065525 | |||
Potential patch: From 6b6d8b8879bdb718290e9ef7e19ebed5c9e94d05 Mon Sep 17 00:00:00 2001 From: Derek Horton <dehort@redhat.com> Date: Fri, 20 Dec 2013 14:55:09 -0600 Subject: [PATCH] Disable password expansion by default [bz-1045105] --- .../jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java b/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java index b838165..46086d3 100644 --- a/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java +++ b/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java @@ -101,13 +101,21 @@ public class PropertiesBasedEJBClientConfiguration implements EJBClientConfigura private long reconnectTasksTimeout = 0; private DeploymentNodeSelector deploymentNodeSelector = new RandomDeploymentNodeSelector(); + private static final boolean expandPasswords = Boolean.valueOf( + System.getProperty("jboss-ejb-client.expandPasswords", "false")).booleanValue(); + public PropertiesBasedEJBClientConfiguration(final Properties properties) { final Properties resolvedProperties = new Properties(); if (properties != null) { for (Map.Entry<Object, Object> entry : properties.entrySet()) { Object value = entry.getValue(); if (value instanceof String) { + boolean propertyIsAPassword = ((String)entry.getKey()).indexOf(PROPERTY_KEY_PASSWORD) >= 0 ? true : false; + // if its not a password...expand it + // if it is a password and we're supposed to expand it...then do so + if( !propertyIsAPassword || ( propertyIsAPassword && expandPasswords ) ) { value = PropertiesValueResolver.replaceProperties((String) value); + } } resolvedProperties.put(entry.getKey(), value); } -- 1.8.3.1 Pull requests master: https://github.com/jbossas/jboss-ejb-client/pull/60 1.0: https://github.com/jbossas/jboss-ejb-client/pull/59 Documenting as a Known Issue as bug still in NEW state at the time of writing the release note text. The following can be used as a release note for a release when this issue is resolved: Previous versions of JBoss EAP 6 carried a bug that caused `PropertiesBasedEJBClientConfiguration` to attempt to expand passwords containing a double dollar sign ($$) as if it was an expression. This could have caused incorrect passwords being passed between the server and client. The `PropertiesValueREsolver has been modified in this release so that it does not expand passwords by default. This resolves the issue. If expansion is require, it can be enabled by setting`jboss-ejb-client.expandPasswords` to `true`. Looks like we lost track of this one - it is already fixed in EAP 6.3.0.ER3 through an upgrade to JBoss EJB Client 1.0.25.Final. Therefore also the release note should be changed accordingly. |
Description of problem: When using the PropertiesBasedEJBClientConfiguration on a remote standalone ejb client, passwords that contain '$$' get converted to '$'. This causes the password validation to fail on the server side. For example, if the password is 'bar$$' on the client, it shows up on the server side as 'bar$'. I have tracked the issue down to the PropertiesValueResolver [1] object. Should the code be modified to disable password expansion by default? Perhaps password expansion (${IMA_PASSWORD_SYS_PROP} => 'imapassword') should be enabled using a system property. [1] https://github.com/jbossas/jboss-ejb-client/blob/1.0.23.Final/src/main/java/org/jboss/ejb/client/PropertiesValueResolver.java