glassfish / GLASSFISH-16912

getUsernameAndPassword method in SecurityMechanismSelector contains an unchecked cast to PasswordCredential resulting in ClassCastException for custom LoginModules

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1, 3.1.1, 4.0
    • Fix Version/s: 3.1.2_b07
    • Component/s: security
    • Labels:
      None

      Description

      Line 863 of com.sun.enterprise.iiop.security.SecurityMechanismSelector.java contains an unchecked cast to PasswordCredential for all items saved in the subject's private credentials.
      Since it is allowed to add Objects as private credentials (subject.getPrivateCredentials().add(Object cred)), the cast should be checked.
      This results in a ClassCastException for custom LoginModules which save non-PasswordCredential objects in the private credentials set.

      SecurityMechanismSelector.java
      Set privateCredSet = (Set) AccessController.doPrivileged(new PrivilegedAction() {
          public java.lang.Object run() {
            return sub.getPrivateCredentials();
          }
        });
      .....
      .....
      final Iterator it = privateCredSet.iterator();
      for(;it.hasNext();){
        AccessController.doPrivileged(new PrivilegedAction(){
          public java.lang.Object run(){
            PasswordCredential pc = (PasswordCredential) it.next(); // <--- Cast should be checked
            pc.setRealm(realm_name);
            return null;
          }
        });
      }
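
The checked cast the report asks for, next to the unchecked form, as an added example that is not the GlassFish source or the committed fix. The nested PasswordCredential and TokenCredential classes are hypothetical stand-ins so the file compiles alone, and the doPrivileged wrappers from the original snippet are left out.

```java
import javax.security.auth.Subject;

public class CheckedCredentialCast {
    // Hypothetical stand-in for GlassFish's PasswordCredential so the example compiles alone.
    static final class PasswordCredential {
        private String realm;
        PasswordCredential(String realm) { this.realm = realm; }
        void setRealm(String realm) { this.realm = realm; }
        String getRealm() { return realm; }
    }

    // Hypothetical credential type stored by a custom LoginModule (constructed sample).
    static final class TokenCredential { }

    // Checked variant: only PasswordCredential entries are updated, anything else is skipped.
    static int setRealmChecked(Subject sub, String realmName) {
        int updated = 0;
        for (Object cred : sub.getPrivateCredentials()) {
            if (cred instanceof PasswordCredential) {
                ((PasswordCredential) cred).setRealm(realmName);
                updated++;
            }
        }
        return updated;
    }

    // Unchecked variant, mirroring the cast in the report: throws on a foreign credential.
    static void setRealmUnchecked(Subject sub, String realmName) {
        for (Object cred : sub.getPrivateCredentials()) {
            ((PasswordCredential) cred).setRealm(realmName);
        }
    }

    public static void main(String[] args) {
        Subject sub = new Subject();
        PasswordCredential pc = new PasswordCredential("default");
        sub.getPrivateCredentials().add(new TokenCredential());
        sub.getPrivateCredentials().add(pc);

        System.out.println("updated: " + setRealmChecked(sub, "fileRealm"));
        System.out.println("realm: " + pc.getRealm());
        try {
            setRealmUnchecked(sub, "fileRealm");
        } catch (ClassCastException e) {
            System.out.println("unchecked variant threw ClassCastException");
        }
    }
}
```

Subject.getPrivateCredentials(Class) returns only the credentials of the requested type and is an alternative to the instanceof filter.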
      

        Activity

        kumarjayanti added a comment -

        nithya to fix it in the trunk ASAP

        Nithya Ramakrishnan added a comment -

        Fixed in both the trunk and 3.1.2 branches


          People

          • Assignee:
            Nithya Ramakrishnan
            Reporter:
            snelders
          • Votes:
            0
            Watchers:
            1

            Dates

            • Created:
              Updated:
              Resolved: