Description of problem:

When using the PropertiesBasedEJBClientConfiguration on a remote standalone ejb client, passwords that contain '$$' get converted to '$'. This causes the password validation to fail on the server side. For example, if the password is 'bar$$' on the client, it shows up on the server side as 'bar$'.

I have tracked the issue down to the PropertiesValueResolver [1] object. Should the code be modified to disable password expansion by default? Perhaps password expansion (${IMA_PASSWORD_SYS_PROP} => 'imapassword') should be enabled using a system property.

[1] https://github.com/jbossas/jboss-ejb-client/blob/1.0.23.Final/src/main/java/org/jboss/ejb/client/PropertiesValueResolver.java
Potential patch: From 6b6d8b8879bdb718290e9ef7e19ebed5c9e94d05 Mon Sep 17 00:00:00 2001 From: Derek Horton <dehort> Date: Fri, 20 Dec 2013 14:55:09 -0600 Subject: [PATCH] Disable password expansion by default [bz-1045105] --- .../jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java b/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java index b838165..46086d3 100644 --- a/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java +++ b/src/main/java/org/jboss/ejb/client/PropertiesBasedEJBClientConfiguration.java @@ -101,13 +101,21 @@ public class PropertiesBasedEJBClientConfiguration implements EJBClientConfigura private long reconnectTasksTimeout = 0; private DeploymentNodeSelector deploymentNodeSelector = new RandomDeploymentNodeSelector(); + private static final boolean expandPasswords = Boolean.valueOf( + System.getProperty("jboss-ejb-client.expandPasswords", "false")).booleanValue(); + public PropertiesBasedEJBClientConfiguration(final Properties properties) { final Properties resolvedProperties = new Properties(); if (properties != null) { for (Map.Entry<Object, Object> entry : properties.entrySet()) { Object value = entry.getValue(); if (value instanceof String) { + boolean propertyIsAPassword = ((String)entry.getKey()).indexOf(PROPERTY_KEY_PASSWORD) >= 0 ? true : false; + // if its not a password...expand it + // if it is a password and we're supposed to expand it...then do so + if( !propertyIsAPassword || ( propertyIsAPassword && expandPasswords ) ) { value = PropertiesValueResolver.replaceProperties((String) value); + } } resolvedProperties.put(entry.getKey(), value); } -- 1.8.3.1
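Review bot: In the added `propertyIsAPassword` line, `(String)entry.getKey()` casts the key without a type check, while the value just above it is guarded with `value instanceof String`. The loop iterates `Map.Entry<Object, Object>`, so a non-String key would now throw a ClassCastException in the constructor, where previously the key was never cast; guard the key with `instanceof String` as well. The match is also a substring test (`indexOf(PROPERTY_KEY_PASSWORD) >= 0`), so every property whose name contains that constant anywhere loses expansion, not only the password entries; if the password keys always end with the constant, `endsWith` would be tighter. Smaller points: `? true : false` is redundant, the condition reduces to `!propertyIsAPassword || expandPasswords`, and `Boolean.getBoolean("jboss-ejb-client.expandPasswords")` does the same as the `Boolean.valueOf(System.getProperty(...)).booleanValue()` chain. Because `expandPasswords` is a static final read once at class load and defaults to false, clients that currently rely on `${...}` in a password property will send the literal text after this change, so the new system property needs a Javadoc or release-note mention and has to be set before the class is loaded.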
Pull requests:
master: https://github.com/jbossas/jboss-ejb-client/pull/60
1.0: https://github.com/jbossas/jboss-ejb-client/pull/59
Documenting as a Known Issue as the bug was still in NEW state at the time of writing the release note text.

The following can be used as a release note for a release when this issue is resolved:

Previous versions of JBoss EAP 6 carried a bug that caused `PropertiesBasedEJBClientConfiguration` to attempt to expand passwords containing a double dollar sign ($$) as if it was an expression. This could have caused incorrect passwords being passed between the server and client. The `PropertiesValueResolver` has been modified in this release so that it does not expand passwords by default. This resolves the issue. If expansion is required, it can be enabled by setting `jboss-ejb-client.expandPasswords` to `true`.
Looks like we lost track of this one - it is already fixed in EAP 6.3.0.ER3 through an upgrade to JBoss EJB Client 1.0.25.Final. Therefore also the release note should be changed accordingly.