提交 fbf96734 编写于 作者: J Jesse Glick

[FIXED SECURITY-79] Prevent (private security realm) usernames from being guessed.

上级 a0b00508
......@@ -78,6 +78,8 @@ import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.MissingResourceException;
import java.util.ResourceBundle;
import java.util.logging.Level;
import java.util.logging.Logger;
......@@ -173,8 +175,15 @@ public class HudsonPrivateSecurityRealm extends AbstractPasswordBasedSecurityRea
@Override
protected Details authenticate(String username, String password) throws AuthenticationException {
Details u = loadUserByUsername(username);
if (!u.isPasswordCorrect(password))
throw new BadCredentialsException("Failed to login as "+username);
if (!u.isPasswordCorrect(password)) {
String message;
try {
message = ResourceBundle.getBundle("org.acegisecurity.messages").getString("AbstractUserDetailsAuthenticationProvider.badCredentials");
} catch (MissingResourceException x) {
message = "Bad credentials";
}
throw new BadCredentialsException(message);
}
return u;
}
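Review bot: The normalized message on the added throw only covers the wrong-password path; `loadUserByUsername(username)` on the line above the check runs first, and if it raises a differently worded exception for an unknown account (a UsernameNotFoundException, say), the username can still be guessed from the response. That method is outside this hunk, so it needs confirming that the unknown-user path ends in the same BadCredentialsException text or that the caller maps it there. An unknown user also skips `isPasswordCorrect`, so the two outcomes remain distinguishable by response time unless the not-found path performs an equivalent dummy hash check. A one-line why-comment above the new block would help the next maintainer keep this invariant: `// Use the same generic message for unknown user and wrong password so usernames cannot be enumerated.`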
......