[MGNLEE-594] Empty password check no longer works
Created: 10/Jan/20  Updated: 17/Nov/20  Resolved: 17/Nov/20

Status: Closed
Project: Magnolia DX Core
Component/s: None
Affects Version/s: 5.7, 6.1
Fix Version/s: None

Type: Bug
Priority: Neutral
Reporter: Richard Unger
Assignee: Jesus Alonso
Resolution: Cannot Reproduce
Votes: 0
Labels: maintenance, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

LFRZ


Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Sprint: Maintenance 33
Story Points: 1

 Description   

Magnolia JCRAuthenticationModule implements a check for empty passwords, see

https://git.magnolia-cms.com/projects/PLATFORM/repos/main.pub/browse/magnolia-jaas/src/main/java/info/magnolia/jaas/sp/jcr/JCRAuthenticationModule.java#156

This check is no longer working correctly. It checks for empty strings, but since the change to Hashed/BCrypted passwords, an empty password results in a non-empty hash string, and this check does not catch it.

The check needs to be implemented against the decrypted password.
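
The failure mode described above, as an added example that is not Magnolia code and not part of the original report. It assumes a simplified login flow with hypothetical function names, and uses PBKDF2 from the Python standard library as a stand-in for BCrypt. Because a one-way hash cannot be reversed, the working variant applies the empty check to the submitted plaintext before comparing hashes.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept low for the demo; stands in for BCrypt's cost factor


def hash_password(plaintext: str) -> str:
    """Return 'salt_hex$digest_hex' (PBKDF2-HMAC-SHA256, a stand-in for BCrypt)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify(plaintext: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", plaintext.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_checking_stored_value(submitted: str, stored: str) -> bool:
    """Hypothetical model of the reported behaviour: empty check on the stored value."""
    if stored == "":  # never true once the stored value is a salted hash
        return False
    return verify(submitted, stored)


def login_checking_submitted_value(submitted: str, stored: str) -> bool:
    """Empty check on the submitted plaintext, before any hash comparison."""
    if submitted == "" or stored == "":
        return False
    return verify(submitted, stored)


# Constructed sample records: one account with an empty password, one regular.
STORED_EMPTY = hash_password("")
STORED_NORMAL = hash_password("correct horse")

if __name__ == "__main__":
    print("stored value length:", len(STORED_EMPTY))
    print("stored-value check admits empty login:",
          login_checking_stored_value("", STORED_EMPTY))
    print("submitted-value check admits empty login:",
          login_checking_submitted_value("", STORED_EMPTY))
```

Rejecting empty passwords when the password is set, before it is hashed, closes the same gap at the point of storage.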



 Comments   
Comment by Mercedes Iruela [ 15/Nov/20 ]

The issue is no longer reproducible since Magnolia 5.7.6, maybe fixed by MAGNOLIA-7632. (tested in Magnolia enterprise pro and Magnolia community)

Comment by Federico Grilli [ 17/Nov/20 ]

Closing the issue as no longer reproducible.
