modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCLoginModule.java | 7 +++++++ modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCPrincipalCheckLoginModule.java | 3 +++ 2 files changed, 10 insertions(+)
New commits: commit 81d68daebaef5b91130f80ec70f759adcf5b7b6d Author: John Mazzitelli mazz@redhat.com Date: Tue Oct 19 11:25:27 2010 -0400
bz 644344 - if the user is attempting to log in as the user "admin", fail. Without this patch, someone could create a user "admin" in LDAP and get overlord access.
diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCLoginModule.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCLoginModule.java
index a77b183..c9cf6d0 100644
--- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCLoginModule.java
+++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCLoginModule.java
@@ -25,6 +25,7 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.util.Map;
 import java.util.Properties;
+
 import javax.naming.InitialContext;
 import javax.naming.NamingException;
 import javax.security.auth.Subject;
@@ -32,10 +33,13 @@ import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.login.FailedLoginException;
 import javax.security.auth.login.LoginException;
 import javax.sql.DataSource;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+
 import org.jboss.security.SimpleGroup;
 import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
+
 import org.rhq.enterprise.server.RHQConstants;
/**
@@ -94,6 +98,9 @@ public class JDBCLoginModule extends UsernamePasswordLoginModule {
 @Override
 protected String getUsersPassword() throws LoginException {
 String username = getUsername();
+ if ("admin".equals(username)) {
+ throw new FailedLoginException("Cannot log in as overlord");
+ }
 String password = null;
 Connection conn = null;
 PreparedStatement ps = null;
diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCPrincipalCheckLoginModule.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCPrincipalCheckLoginModule.java
index f56747a..e862db9 100644
--- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCPrincipalCheckLoginModule.java
+++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCPrincipalCheckLoginModule.java
@@ -87,6 +87,9 @@ public class JDBCPrincipalCheckLoginModule extends UsernamePasswordLoginModule {
 @Override
 protected String getUsersPassword() throws LoginException {
 String username = getUsername();
+ if ("admin".equals(username)) {
+ throw new FailedLoginException("Cannot log in as overlord");
+ }
 String password = getUsernameAndPassword()[1]; // what did the user enter?
 Connection conn = null;
 PreparedStatement ps = null;
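Review bot: The new guard at the top of getUsersPassword compares the raw username with an exact, case-sensitive `"admin".equals(username)`; if the database or LDAP lookup further down the method matches usernames case-insensitively or after trimming (that query is outside the hunk, so this is unconfirmed), a login as "Admin" or "ADMIN" would pass this check and still resolve to the overlord account. A safer form is `if ("admin".equalsIgnoreCase(username)) {`, applied to the identical guard in the JDBCPrincipalCheckLoginModule hunk as well, with the literal pulled into one shared constant so the two modules cannot drift apart. Since the commit message describes this as an abuse path, a warn-level log of the rejected attempt before the throw would also give operators a detection signal; JDBCLoginModule already imports commons-logging, though its logger field is not visible in the hunk. The body of getUsersPassword continues past the end of the hunk in both files.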