roikkuf / gwtsecurity

Automatically exported from code.google.com/p/gwtsecurity

Login fails from LoginBox when password is same as username #1

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Modify the passwords of users admin and staff as follows:
    <user-service>
        <user name="admin" password="admin" authorities="ROLE_ADMIN, ROLE_STAFF"/>
        <user name="staff" password="staff" authorities="ROLE_STAFF"/>
    </user-service>
2. Run gssDemo2
3. Click on the 'Send' button next to 'whisperServer secured method (for ROLE_ADMIN)'
4. Login Box appears.
5. Enter Account=admin and Password=admin and click on the Submit button.
6. Login fails and the 'Error prone:Bad creden...' error is displayed in the login box.

What is the expected output? What do you see instead?
Expected Output: Login should be successful and the Login box should disappear
Observed Output: Login fails and the 'Error prone:Bad creden...' error is displayed in the login box.

What version of the product are you using? On what operating system?
Product Version: built from trunk using maven
Operating System: Ubuntu 10.10
Web Browser: Firefox and Chrome

Please provide any additional information below.
I monitored the requests sent by the browser using Firebug and found that when admin/admin (username/password) is sent from the login box the request's data is:
7|0|6|http://127.0.0.1:8888/demo2/|15EA1962E9203BB676A17298A13ABB0E|com.gwt.ss.client.GwtLogin|j_gwt_security_check|java.lang.String/2004016611|admin|1|2|3|4|2|5|5|6|6|
but when admin/user is sent from the login box the request's data is:
7|0|7|http://127.0.0.1:8888/demo2/|15EA1962E9203BB676A17298A13ABB0E|com.gwt.ss.client.GwtLogin|j_gwt_security_check|java.lang.String/2004016611|admin|user|1|2|3|4|2|5|5|6|7|
It seems like GWT compressed the data and used only one string literal for repeated parameters, with two references to it (see |6|6| at the end of the first request and |6|7| at the end of the other).

Original issue reported on code.google.com by amitkhan...@gmail.com on 18 Mar 2011 at 2:01

GoogleCodeExporter commented 8 years ago
The error happens owing to a payload parsing error
(for payload parsing see
http://www.gdssecurity.com/l/b/2009/10/08/gwt-rpc-in-a-nutshell/).
I'll modify the code in GwtUsernamePasswordAuthority.java,
thank you for your notification.

Original comment by kent.yeh...@gmail.com on 19 Mar 2011 at 1:48
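The two payloads captured in the report and the parsing error Kent points to above come down to one property of the GWT-RPC wire format: every string in the request body is a 1-based index into a de-duplicated string table, so identical parameters (admin/admin) share one table slot and differ from the admin/user case only in the trailing references. The decoder below is an added example, not code from the gwtsecurity project or from the fix discussed in this thread; it follows the format described in the gdssecurity "GWT-RPC in a nutshell" write-up linked above, uses the reporter's two captured payloads as input (rejoined onto one line each), and is restricted to java.lang.String parameters. The naive_last_two_table_entries function is a hypothetical illustration of the kind of shortcut that breaks when values repeat, not the project's original code.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two request payloads captured by the reporter with Firebug (rejoined onto one line).
PAYLOAD_ADMIN_ADMIN = (
    "7|0|6|http://127.0.0.1:8888/demo2/|15EA1962E9203BB676A17298A13ABB0E|"
    "com.gwt.ss.client.GwtLogin|j_gwt_security_check|java.lang.String/2004016611|"
    "admin|1|2|3|4|2|5|5|6|6|"
)
PAYLOAD_ADMIN_USER = (
    "7|0|7|http://127.0.0.1:8888/demo2/|15EA1962E9203BB676A17298A13ABB0E|"
    "com.gwt.ss.client.GwtLogin|j_gwt_security_check|java.lang.String/2004016611|"
    "admin|user|1|2|3|4|2|5|5|6|7|"
)


@dataclass
class GwtRpcRequest:
    version: int
    flags: int
    module_base_url: str
    strong_name: str            # serialization-policy strong name
    service_interface: str
    method_name: str
    param_types: List[str]
    param_values: List[Optional[str]]   # None for a 0 (null) reference


def _split_tokens(payload: str) -> List[str]:
    """Split on '|' separators, keeping a client-escaped '\\!' (a literal pipe) inside its token."""
    if not payload.endswith("|"):
        raise ValueError("GWT-RPC payload must be '|'-terminated")
    tokens: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(payload):
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):   # escape sequence: copy both chars
            cur.append(payload[i:i + 2])
            i += 2
            continue
        if ch == "|":
            tokens.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return tokens


def _unquote(s: str) -> str:
    """Undo the client-side quoting of pipe, NUL and backslash inside a string-table entry."""
    return s.replace("\\!", "|").replace("\\0", "\0").replace("\\\\", "\\")


def decode_gwt_rpc_request(payload: str) -> GwtRpcRequest:
    """Decode header, string table and body; every body token is resolved through the table."""
    tokens = _split_tokens(payload)
    version, flags, nstrings = int(tokens[0]), int(tokens[1]), int(tokens[2])
    table = [_unquote(t) for t in tokens[3:3 + nstrings]]
    if len(table) != nstrings:
        raise ValueError("truncated string table")
    body = tokens[3 + nstrings:]
    pos = 0

    def next_ref() -> Optional[str]:
        nonlocal pos
        n = int(body[pos])
        pos += 1
        if n == 0:                       # 0 is the null reference
            return None
        if not 1 <= n <= nstrings:       # reject out-of-range indices instead of crashing
            raise ValueError(f"string table index {n} out of range 1..{nstrings}")
        return table[n - 1]

    module_base_url = next_ref()
    strong_name = next_ref()
    service_interface = next_ref()
    method_name = next_ref()
    param_count = int(body[pos])
    pos += 1
    param_types = [next_ref() for _ in range(param_count)]
    param_values: List[Optional[str]] = []
    for ptype in param_types:
        if ptype is None or not ptype.startswith("java.lang.String/"):
            raise NotImplementedError(f"only String parameters are decoded here, got {ptype}")
        param_values.append(next_ref())   # a String value is itself a table reference
    return GwtRpcRequest(version, flags, module_base_url, strong_name,
                         service_interface, method_name, param_types, param_values)


def naive_last_two_table_entries(payload: str) -> Tuple[str, str]:
    """Hypothetical broken shortcut: read username/password as the last two table entries."""
    tokens = payload.split("|")
    table = tokens[3:3 + int(tokens[2])]
    return table[-2], table[-1]


if __name__ == "__main__":
    for p in (PAYLOAD_ADMIN_ADMIN, PAYLOAD_ADMIN_USER):
        req = decode_gwt_rpc_request(p)
        print("method:", req.method_name, "params:", req.param_values,
              "| naive shortcut:", naive_last_two_table_entries(p))
```

Running it shows the indexed decoder returning ['admin', 'admin'] and ['admin', 'user'] for the two captures, while the shortcut returns the type-name entry in place of the username whenever the two credentials collapse into one table slot, which is exactly the symptom reported. The same index-resolution step is what RPC.decodeRequest() performs on the server side.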

GoogleCodeExporter commented 8 years ago
Hi

I have a small fix for this issue. I have attached svn diff with this comment. 
I've replaced the code that parses the request payload with the method 
RPC.decodeRequest(). This decodes payload into an RPCRequest, from which we can 
get the parameters.

Regards
Amit Khanna

Original comment by techob...@gmail.com on 19 Mar 2011 at 2:10

GoogleCodeExporter commented 8 years ago
Hi,Amit Khanna
Thanks for your code modification,
I had added to the source code.

Best Regards
Kent Yeh

Original comment by kent.yeh...@gmail.com on 20 Mar 2011 at 3:34

GoogleCodeExporter commented 8 years ago

Original comment by steven.j...@gmail.com on 9 Jun 2011 at 3:48