[FIXED SECURITY-79] Prevent (private security realm) usernames from being guessed.
jglick committed Feb 11, 2014
1 parent a0b0050 commit fbf9673
Showing 1 changed file with 11 additions and 2 deletions.
13 changes: 11 additions & 2 deletions core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
Expand Up @@ -78,6 +78,8 @@
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.MissingResourceException;
import java.util.ResourceBundle;
import java.util.logging.Level;
import java.util.logging.Logger;

Expand Down Expand Up @@ -173,8 +175,15 @@ public Details loadUserByUsername(String username) throws UsernameNotFoundExcept
@Override
protected Details authenticate(String username, String password) throws AuthenticationException {
Details u = loadUserByUsername(username);
if (!u.isPasswordCorrect(password))
throw new BadCredentialsException("Failed to login as "+username);
if (!u.isPasswordCorrect(password)) {
String message;
try {
message = ResourceBundle.getBundle("org.acegisecurity.messages").getString("AbstractUserDetailsAuthenticationProvider.badCredentials");
} catch (MissingResourceException x) {
message = "Bad credentials";
}
throw new BadCredentialsException(message);
}
return u;
}
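Review bot: The wrong-password branch now emits the generic message on purpose, but nothing in the new code records why the username was dropped from it, so a later maintainer could put `username` back into the exception text; a comment above the `if (!u.isPasswordCorrect(password)) {` line should carry the reason, e.g. `// Use the same generic message the Acegi provider returns for unknown users, so the response does not reveal whether the username exists.` The equality with the unknown-user path holds only while the provider keeps reading that same bundle key, and the `"Bad credentials"` fallback is a literal that can drift from the localized text, which the comment should also say. A residual difference is likely timing: an unknown username throws from `loadUserByUsername` before `isPasswordCorrect` runs, so if that check performs a slow hash comparison the two failures take measurably different times — worth a note or a follow-up issue. `ResourceBundle.getBundle(...)` here resolves against the JVM default locale rather than the request locale, so the wording may still differ from what the provider's message source renders for a non-default locale.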

