WildFly Elytron ELY-688

Elytron Properties realm parses password with "=" incorrectly


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • Affects Version: 1.1.0.Beta11
    • Component: Realms

      1) prepare properties files

      • add line admin=pass=123 to $SERVER_HOME/standalone/configuration/application-users.properties
      • add line admin=JBossAdmin to $SERVER_HOME/standalone/configuration/application-roles.properties

      2) start server with standalone-elytron.xml and set ApplicationRealm to use plain-text files:

      /subsystem=elytron/properties-realm=ApplicationRealm:write-attribute(name=plain-text,value=true)
      

      3) reload server and deploy secured-app.war (see attachments)

      4) try to login to http://localhost:8080/secured-app/protected/SimpleSecuredServlet

      • use username admin with password pass=123 -> access is incorrectly denied; in correct behavior authentication should succeed
      • use username admin=pass with password 123 -> HTTP code 403 is returned, which means that authentication succeeded but the user has no role assigned. In correct behavior authentication should fail.

      When the Elytron properties-realm uses a plain-text properties file and the password includes an = sign, the username/password pair is parsed incorrectly. When the properties file contains a line such as A=B=C, Elytron parses it as user A=B with password C. The correct behavior is user A with password B=C.
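The parsing difference described above, as an added example that is not Elytron's own code: a minimal plain-text users-file parser written two ways, splitting the line at the first "=" (correct, the key ends at the first separator) and at the last "=" (the behavior reported here), followed by a lookup that shows which username/password combinations each variant accepts. The sample file content is constructed for this example; it assumes only "=" as separator and "#"/"!" comment lines, and does not model hashed entries or other separators the real realm may support.

```python
"""Added example (not WildFly Elytron code): why splitting a properties line
at the last '=' misattributes a password that contains '=' (ELY-688)."""
import hmac
from typing import Dict, List

# Constructed sample of application-users.properties content: the line from the
# report plus an ordinary entry for contrast.
USERS_FILE = """\
# constructed sample, not a real users file
admin=pass=123
alice=secret
"""


def _entries(text: str) -> List[str]:
    """Yield non-empty, non-comment lines with surrounding whitespace removed."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            lines.append(line)
    return lines


def parse_users_first_eq(text: str) -> Dict[str, str]:
    """Correct parsing: the username ends at the FIRST '=', so any further '='
    characters belong to the password ('admin=pass=123' -> admin / pass=123)."""
    users: Dict[str, str] = {}
    for line in _entries(text):
        name, sep, password = line.partition("=")
        if not sep:
            continue  # malformed line without a separator: skip it
        users[name.strip()] = password.strip()
    return users


def parse_users_last_eq(text: str) -> Dict[str, str]:
    """Parsing as reported in ELY-688: splitting at the LAST '=' turns
    'admin=pass=123' into user 'admin=pass' with password '123'."""
    users: Dict[str, str] = {}
    for line in _entries(text):
        name, sep, password = line.rpartition("=")
        if not sep:
            continue
        users[name.strip()] = password.strip()
    return users


def authenticate(users: Dict[str, str], username: str, password: str) -> bool:
    """Plain-text credential check against a parsed users table.
    compare_digest keeps the comparison constant-time; bytes avoid the
    ASCII-only restriction on str arguments."""
    stored = users.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def usernames_containing_eq(users: Dict[str, str]) -> List[str]:
    """Defender's check: usernames that contain '=' are a sign that a password
    was split at the wrong separator (or that the file is malformed)."""
    return sorted(name for name in users if "=" in name)


if __name__ == "__main__":
    correct = parse_users_first_eq(USERS_FILE)
    buggy = parse_users_last_eq(USERS_FILE)
    print("first '=':", correct)   # {'admin': 'pass=123', 'alice': 'secret'}
    print("last  '=':", buggy)     # {'admin=pass': '123', 'alice': 'secret'}
    print("admin/pass=123 accepted by buggy parse:", authenticate(buggy, "admin", "pass=123"))
    print("admin=pass/123 accepted by buggy parse:", authenticate(buggy, "admin=pass", "123"))
    print("suspicious usernames:", usernames_containing_eq(buggy))
```

Running the script reproduces both observations from the steps above: with the last-"=" split, admin / pass=123 is rejected while admin=pass / 123 is accepted, and the suspicious-username check flags the misparsed entry, which is a quick way to audit a users file against an affected realm.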

            Dmitrii Tikhomirov (dtikhomi@redhat.com)
            Ondrej Lukas (olukas, Inactive)
            Votes: 0
            Watchers: 3