Bug 1045105 - [GSS] (6.3.0) remote ejb client code converts '$$' to '$' in passwords
Summary: [GSS] (6.3.0) remote ejb client code converts '$$' to '$' in passwords
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: EJB
Version: 6.1.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: EAP 6.3.0
Assignee: David M. Lloyd
QA Contact: Jan Martiska
Nidhi
URL:
Whiteboard:
Depends On:
Blocks: 1065519 1065525
Reported: 2013-12-19 15:47 UTC by Derek Horton
Modified: 2018-12-04 16:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previous versions of JBoss EAP 6 carried a bug that caused `PropertiesBasedEJBClientConfiguration` to attempt to expand passwords containing a double dollar sign ($$) as if it was an expression. This could have caused incorrect passwords to be passed between the server and client. The `PropertiesValueResolver` has been modified in this release so that it does not expand passwords by default. This resolves the issue. If expansion is required, it can be enabled by setting `jboss-ejb-client.expandPasswords` to `true`.
Clone Of:
: 1065519
Environment:
Last Closed: 2014-06-28 15:31:03 UTC
Type: Bug
Embargoed:




Links
System ID: Red Hat Issue Tracker EJBCLIENT-99
Private: 0
Priority: Major
Status: Resolved
Summary: Disable property expression expansion in property-based configuration password field
Last Updated: 2015-08-03 16:26:56 UTC

Description Derek Horton 2013-12-19 15:47:54 UTC
Description of problem:

When using the PropertiesBasedEJBClientConfiguration on a remote standalone ejb client, passwords that contain '$$' get converted to '$'. This causes the password validation to fail on the server side. For example, if the password is 'bar$$' on the client, it shows up on the server side as 'bar$'.

I have tracked the issue down to the PropertiesValueResolver [1] object.

Should the code be modified to disable password expansion by default?  Perhaps password expansion (${IMA_PASSWORD_SYS_PROP} => 'imapassword') should be enabled using a system property.

[1] https://github.com/jbossas/jboss-ejb-client/blob/1.0.23.Final/src/main/java/org/jboss/ejb/client/PropertiesValueResolver.java
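The mangling described above can be reproduced with a small stand-in for the client's property-resolution step. The following is an added example, not code from jboss-ejb-client or from the reporter: its `replaceProperties` is a toy resolver that expands `${name}` from system properties and treats `$$` as an escaped `$` (the conversion the report observes), and its `resolve` applies the rule proposed in this bug, namely skip expansion for password keys unless the `jboss-ejb-client.expandPasswords` system property is `true`. The value of `PROPERTY_KEY_PASSWORD` is assumed to be `"password"` (the report names the constant but not its value), and the switch is re-read on every call so the demo can toggle it, which differs from a one-time static read.

```java
import java.util.Map;
import java.util.Properties;

/**
 * Added example (not the jboss-ejb-client implementation): shows why
 * expanding a password value loses the "$$" and how a per-key opt-out keeps
 * the password intact.
 */
public final class PasswordExpansionDemo {

    /** Assumption: the constant's real value is not shown in the bug report. */
    static final String PROPERTY_KEY_PASSWORD = "password";

    /** The switch proposed in the bug; default is "do not expand passwords". */
    static boolean expandPasswords() {
        return Boolean.getBoolean("jboss-ejb-client.expandPasswords");
    }

    /** Toy resolver: "${x}" becomes System.getProperty("x"); "$$" becomes "$". */
    static String replaceProperties(String value) {
        StringBuilder out = new StringBuilder(value.length());
        int i = 0;
        while (i < value.length()) {
            char c = value.charAt(i);
            if (c == '$' && i + 1 < value.length()) {
                char next = value.charAt(i + 1);
                if (next == '$') {               // escaped dollar sign
                    out.append('$');
                    i += 2;
                    continue;
                }
                if (next == '{') {               // ${name} expression
                    int close = value.indexOf('}', i + 2);
                    if (close > 0) {
                        String name = value.substring(i + 2, close);
                        String resolved = System.getProperty(name);
                        if (resolved == null) {
                            throw new IllegalStateException("No system property: " + name);
                        }
                        out.append(resolved);
                        i = close + 1;
                        continue;
                    }
                }
            }
            out.append(c);
            i++;
        }
        return out.toString();
    }

    /** Expand every String value except password keys, unless expansion is opted in. */
    static Properties resolve(Properties properties) {
        Properties resolved = new Properties();
        for (Map.Entry<Object, Object> entry : properties.entrySet()) {
            Object key = entry.getKey();
            Object value = entry.getValue();
            // Guard the key cast as well as the value cast: Properties may hold non-String keys.
            if (key instanceof String && value instanceof String) {
                boolean isPassword = ((String) key).contains(PROPERTY_KEY_PASSWORD);
                if (!isPassword || expandPasswords()) {
                    value = replaceProperties((String) value);
                }
            }
            resolved.put(key, value);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample input; the property names mirror the report's example.
        System.setProperty("IMA_PASSWORD_SYS_PROP", "imapassword");
        System.setProperty("ejb.host", "app1.example.test");

        Properties raw = new Properties();
        raw.setProperty("remote.connection.default.host", "${ejb.host}");
        raw.setProperty("remote.connection.default.password", "bar$$");
        raw.setProperty("remote.connection.other.password", "${IMA_PASSWORD_SYS_PROP}");

        // Default: non-password keys are expanded, password values pass through untouched.
        System.clearProperty("jboss-ejb-client.expandPasswords");
        Properties safe = resolve(raw);
        System.out.println("default host      = " + safe.getProperty("remote.connection.default.host"));
        System.out.println("default password  = " + safe.getProperty("remote.connection.default.password"));
        System.out.println("other password    = " + safe.getProperty("remote.connection.other.password"));

        // Opt in: passwords are expanded too, so "$$" collapses to "$" again.
        System.setProperty("jboss-ejb-client.expandPasswords", "true");
        Properties expanded = resolve(raw);
        System.out.println("expanded password = " + expanded.getProperty("remote.connection.default.password"));
        System.out.println("expanded other    = " + expanded.getProperty("remote.connection.other.password"));
    }
}
```

With the switch unset, the first block of output keeps `bar$$` exactly as configured while the host key is still expanded; with `jboss-ejb-client.expandPasswords=true` the password is treated as an expression again, so `bar$$` becomes `bar$` and `${IMA_PASSWORD_SYS_PROP}` becomes `imapassword`. The key check is a substring match, as in the proposed patch, so any key containing the password marker is exempted; a stricter match on the full key suffix would avoid exempting unrelated keys that happen to contain that substring.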

Comment 1 Derek Horton 2013-12-20 21:06:21 UTC
Potential patch:

From 6b6d8b8879bdb718290e9ef7e19ebed5c9e94d05 Mon Sep 17 00:00:00 2001
From: Derek Horton <dehort>
Date: Fri, 20 Dec 2013 14:55:09 -0600
Subject: [PATCH] Disable password expansion by default [bz-1045105]

---
 .../jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java   | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java b/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java
index b838165..46086d3 100644
--- a/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java
+++ b/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java
@@ -101,13 +101,21 @@ public class PropertiesBasedEJBClientConfiguration implements EJBClientConfigura
     private long reconnectTasksTimeout = 0;
     private DeploymentNodeSelector deploymentNodeSelector = new RandomDeploymentNodeSelector();
 
+    private static final boolean expandPasswords = Boolean.valueOf(
+        System.getProperty("jboss-ejb-client.expandPasswords", "false")).booleanValue();
+
     public PropertiesBasedEJBClientConfiguration(final Properties properties) {
         final Properties resolvedProperties = new Properties();
         if (properties != null) {
             for (Map.Entry<Object, Object> entry : properties.entrySet()) {
                 Object value = entry.getValue();
                 if (value instanceof String) {
+                   boolean propertyIsAPassword = ((String)entry.getKey()).indexOf(PROPERTY_KEY_PASSWORD) >= 0 ? true : false;
+                   // if its not a password...expand it
+                   // if it is a password and we're supposed to expand it...then do so
+                   if( !propertyIsAPassword || ( propertyIsAPassword && expandPasswords ) ) {
                     value = PropertiesValueResolver.replaceProperties((String) value);
+                   }
                 }
                 resolvedProperties.put(entry.getKey(), value);
             }
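Review bot: the new `((String)entry.getKey())` cast in the added `propertyIsAPassword` line is unguarded, while the value on the line above it is only touched after an `instanceof String` check; `Properties` extends `Hashtable<Object,Object>`, so a non-String key would now throw `ClassCastException` where the loop previously tolerated it. Add `entry.getKey() instanceof String` to the guard, or skip the password check when the key is not a String. Smaller points in the same hunk: `!propertyIsAPassword || ( propertyIsAPassword && expandPasswords )` is equivalent to `!propertyIsAPassword || expandPasswords`, `indexOf(PROPERTY_KEY_PASSWORD) >= 0 ? true : false` is `contains(PROPERTY_KEY_PASSWORD)`, and `Boolean.valueOf(System.getProperty("jboss-ejb-client.expandPasswords", "false")).booleanValue()` is `Boolean.getBoolean("jboss-ejb-client.expandPasswords")`. Because the field is `static final`, the switch is read once at class load and cannot differ between configurations in the same JVM; that and the new system property name deserve a Javadoc note on the field. The comment "if its not a password" should read "if it's not a password".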
-- 
1.8.3.1

Comment 4 Scott Mumford 2014-05-14 03:31:09 UTC
Documenting as a Known Issue as bug still in NEW state at the time of writing the release note text. 

The following can be used as a release note for a release when this issue is resolved:

Previous versions of JBoss EAP 6 carried a bug that caused `PropertiesBasedEJBClientConfiguration` to attempt to expand passwords containing a double dollar sign ($$) as if it was an expression. This could have caused incorrect passwords to be passed between the server and client. The `PropertiesValueResolver` has been modified in this release so that it does not expand passwords by default. This resolves the issue.

If expansion is required, it can be enabled by setting `jboss-ejb-client.expandPasswords` to `true`.

Comment 5 Jan Martiska 2014-05-19 08:23:36 UTC
Looks like we lost track of this one - it is already fixed in EAP 6.3.0.ER3 through an upgrade to JBoss EJB Client 1.0.25.Final.

Therefore also the release note should be changed accordingly.
