Bug 1045105
Field | Value
---|---
Summary | [GSS] (6.3.0) remote ejb client code converts '$$' to '$' in passwords
Product | [JBoss] JBoss Enterprise Application Platform 6
Component | EJB
Version | 6.1.1
Hardware | Unspecified
OS | Unspecified
Priority | unspecified
Severity | unspecified
Target Milestone | ---
Target Release | EAP 6.3.0
Status | CLOSED CURRENTRELEASE
Last Closed | 2014-06-28 15:31:03 UTC
Type | Bug
Reporter | Derek Horton <dehort>
Assignee | David M. Lloyd <david.lloyd>
QA Contact | Jan Martiska <jmartisk>
Docs Contact | Nidhi <nsriniva>
CC | cdewolf, nsriniva, smumford
Doc Type | Bug Fix
Story Points | ---
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Clone Of |
 | 1065519 (view as bug list)
Bug Blocks | 1065519, 1065525

Doc Text:

Previous versions of JBoss EAP 6 carried a bug that caused `PropertiesBasedEJBClientConfiguration` to attempt to expand passwords containing a double dollar sign ($$) as if it were an expression. This could have caused incorrect passwords to be passed between the server and client.

The `PropertiesValueResolver` has been modified in this release so that it does not expand passwords by default. This resolves the issue.

If expansion is required, it can be enabled by setting `jboss-ejb-client.expandPasswords` to `true`.
Description
Derek Horton
2013-12-19 15:47:54 UTC
Potential patch: From 6b6d8b8879bdb718290e9ef7e19ebed5c9e94d05 Mon Sep 17 00:00:00 2001 From: Derek Horton <dehort> Date: Fri, 20 Dec 2013 14:55:09 -0600 Subject: [PATCH] Disable password expansion by default [bz-1045105] --- .../jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java b/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java index b838165..46086d3 100644 --- a/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java +++ b/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java 
@@ -101,13 +101,21 @@ public class PropertiesBasedEJBClientConfiguration implements EJBClientConfigura private long reconnectTasksTimeout = 0; private DeploymentNodeSelector deploymentNodeSelector = new RandomDeploymentNodeSelector(); + private static final boolean expandPasswords = Boolean.valueOf( + System.getProperty("jboss-ejb-client.expandPasswords", "false")).booleanValue(); + public PropertiesBasedEJBClientConfiguration(final Properties properties) { final Properties resolvedProperties = new Properties(); if (properties != null) { for (Map.Entry<Object, Object> entry : properties.entrySet()) { Object value = entry.getValue(); if (value instanceof String) { + boolean propertyIsAPassword = ((String)entry.getKey()).indexOf(PROPERTY_KEY_PASSWORD) >= 0 ? true : false; + // if its not a password...expand it + // if it is a password and we're supposed to expand it...then do so + if( !propertyIsAPassword || ( propertyIsAPassword && expandPasswords ) ) { value = PropertiesValueResolver.replaceProperties((String) value); + } } resolvedProperties.put(entry.getKey(), value); } -- 1.8.3.1
Pull requests
master: https://github.com/jbossas/jboss-ejb-client/pull/60
1.0: https://github.com/jbossas/jboss-ejb-client/pull/59
Documenting as a Known Issue as the bug is still in NEW state at the time of writing the release note text. The following can be used as a release note for a release when this issue is resolved:
Previous versions of JBoss EAP 6 carried a bug that caused `PropertiesBasedEJBClientConfiguration` to attempt to expand passwords containing a double dollar sign ($$) as if it was an expression. This could have caused incorrect passwords being passed between the server and client. The `PropertiesValueResolver` has been modified in this release so that it does not expand passwords by default. This resolves the issue. If expansion is required, it can be enabled by setting `jboss-ejb-client.expandPasswords` to `true`.
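Review bot: `expandPasswords` is a `static final` initialised from the system property when `PropertiesBasedEJBClientConfiguration` is first loaded, so `jboss-ejb-client.expandPasswords` must already be set (for example as a `-D` JVM property) before that point; setting it later in the same JVM has no effect, and neither the code nor the commit message documents this. The password test is a substring match (`indexOf(PROPERTY_KEY_PASSWORD) >= 0`), so every key containing that token is exempted from expansion, not only the known connection password properties; if that breadth is intended, say so in a comment. Minor style: `... >= 0 ? true : false` is just `contains(PROPERTY_KEY_PASSWORD)`, `!propertyIsAPassword || (propertyIsAPassword && expandPasswords)` simplifies to `!propertyIsAPassword || expandPasswords`, and `Boolean.valueOf(System.getProperty(..., "false")).booleanValue()` is `Boolean.getBoolean("jboss-ejb-client.expandPasswords")`.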
Looks like we lost track of this one - it is already fixed in EAP 6.3.0.ER3 through an upgrade to JBoss EJB Client 1.0.25.Final. Therefore also the release note should be changed accordingly.
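To make the failure described in the Doc Text and the patch above concrete, here is an added Python model (not jboss-ejb-client code) of how an expanding resolver mangles a password containing `$$` and how exempting password keys by default, as the fix does, avoids it. Assumptions: the `${name}` / `${name:default}` expansion and the `$$` collapse are modelled from the bug description, and the property keys, lookup table and password value are constructed samples.

```python
import re

# Constructed model of the client's property expansion (added example, not the
# jboss-ejb-client code). Assumed semantics, taken from the bug report: "${name}"
# and "${name:default}" are expanded from a lookup table, and "$$" collapses to "$".
_EXPR = re.compile(r"\$\$|\$\{([^}:]+)(?::([^}]*))?\}")

# Substring the fix looks for in a property key to decide it holds a password.
PROPERTY_KEY_PASSWORD = "password"


def replace_properties(value, lookup):
    """Pre-fix behaviour: expand every value, including passwords."""
    def sub(m):
        if m.group(0) == "$$":
            return "$"                      # this collapse is what mangled passwords
        name, default = m.group(1), m.group(2)
        if name in lookup:
            return lookup[name]
        if default is not None:
            return default
        return m.group(0)                   # unresolved and no default: leave as written
    return _EXPR.sub(sub, value)


def resolve_client_properties(props, lookup, expand_passwords=False):
    """Mirror of the fix: keys containing the password token are copied verbatim
    unless expand_passwords (jboss-ejb-client.expandPasswords) is true."""
    resolved = {}
    for key, value in props.items():
        if isinstance(value, str):
            is_password = PROPERTY_KEY_PASSWORD in key
            if not is_password or expand_passwords:
                value = replace_properties(value, lookup)
        resolved[key] = value
    return resolved


if __name__ == "__main__":
    # Constructed sample: a host taken from a variable and a password containing "$$".
    props = {
        "remote.connection.default.host": "${ejb.host:localhost}",
        "remote.connection.default.password": "pa$$w0rd$",
    }
    old = resolve_client_properties(props, {}, expand_passwords=True)  # pre-fix behaviour
    new = resolve_client_properties(props, {})                         # fixed default
    print("old:", old["remote.connection.default.password"])  # pa$w0rd$  (mangled)
    print("new:", new["remote.connection.default.password"])  # pa$$w0rd$ (intact)
    print("host:", new["remote.connection.default.host"])     # localhost (still expanded)
```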