Check for empty password before calling PlatformUser #78

Merged: 2 commits, Nov 17, 2019

@plavjanik plavjanik commented Nov 17, 2019

Checks for an empty password before calling the `PlatformUser.authenticate()` method from the IBM JDK, which could succeed in this situation. This has been a valid behavior of the underlying BPX4PWD callable service:

> The name of a fullword that contains the length of the Pass parameter. This length must be between 1 and 8 characters for a password or PassTicket or between 9 and 100 characters for a password phrase. A length of zero indicates that the Pass parameter is to be ignored and causes a SURROGAT class check.

So it could succeed with an empty password in cases when the server user ID passed the SURROGAT class check.

Since it is a highly unexpected behavior that is documented three levels below the `org.zowe.commons.zos.security.platform.PlatformUser.authenticate()` documentation, `org.zowe.commons.zos.security.platform.PlatformUser.authenticate()` will fail with errno EINVAL (121). If the SURROGAT class check is needed in the future, a special method will be implemented for it to prevent this confusion.

Resolves #72

Signed-off-by: Petr Plavjanik <plavjanik@gmail.com>
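The guard described in this pull request, as an added example that is not code from the PR or the Zowe project: the `Authenticator` interface, the `Result` record and the simulated backend are hypothetical stand-ins that reproduce only the zero-length behavior quoted above, and the guard also rejects `null`, which goes slightly beyond the empty-password case. It needs Java 16 or later for records.

```java
import java.util.Set;

public class EmptyPasswordGuardDemo {
    static final int EINVAL = 121;     // errno value named in the PR description
    static final int SIM_DENIED = -1;  // constructed placeholder, not a real errno

    /** Hypothetical result type: success flag plus errno (0 on success). */
    record Result(boolean success, int errno) {
        static Result of(boolean ok) { return new Result(ok, ok ? 0 : SIM_DENIED); }
    }

    /** Hypothetical stand-in for an authenticate(userid, password) call. */
    interface Authenticator {
        Result authenticate(String userid, String password);
    }

    /**
     * Simulated backend with the documented zero-length behavior: an empty
     * password is ignored and only a surrogate-style permission is checked.
     */
    static Authenticator simulatedBackend(Set<String> surrogateAllowed, String realPassword) {
        return (userid, password) -> password.isEmpty()
                ? Result.of(surrogateAllowed.contains(userid))   // password never verified
                : Result.of(password.equals(realPassword));
    }

    /** Guard: fail with EINVAL before the backend can see a null or empty password. */
    static Authenticator guarded(Authenticator delegate) {
        return (userid, password) -> {
            if (password == null || password.isEmpty()) {
                return new Result(false, EINVAL);
            }
            return delegate.authenticate(userid, password);
        };
    }

    public static void main(String[] args) {
        // Constructed sample data: USER1 passes the simulated surrogate check.
        Authenticator raw = simulatedBackend(Set.of("USER1"), "s3cret");
        Authenticator safe = guarded(raw);

        System.out.println("raw,  empty password: " + raw.authenticate("USER1", ""));
        System.out.println("safe, empty password: " + safe.authenticate("USER1", ""));
        System.out.println("safe, null password:  " + safe.authenticate("USER1", null));
        System.out.println("safe, wrong password: " + safe.authenticate("USER1", "nope"));
        System.out.println("safe, right password: " + safe.authenticate("USER1", "s3cret"));
    }
}
```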

@dkelosky dkelosky left a comment

Thank you

@plavjanik plavjanik merged commit bd259cf into master Nov 17, 2019
@plavjanik plavjanik deleted the empty-pw branch November 17, 2019 15:17
Successfully merging this pull request may close these issues.

SafPlatformUser - Valid Username Blank Password