Hi Dies,
I am looking after the security implementation in GF now. Please
find my comments below...
Dies Koper wrote:
> Hi Ron,
>
> About these issues I mentioned last month, you said the right people
> are looking at them. Could you tell me who you were referring to?
> I have raised two issues in the bug tracker as you suggested but they
> did not get assigned.
>
> https://glassfish.dev.java.net/issues/show_bug.cgi?id=7133
> https://glassfish.dev.java.net/issues/show_bug.cgi?id=7134
>
> From your answer, I did not quite understand what you think is the way
> it should work:
>
> For #7133, do you think passwords of less than 8 characters should not
> be allowed (i.e. preferable to add the restriction to the Admin
> Console too)?
>
It should be possible to disallow passwords less than 8 chars using a
configurable Admin Policy/Profile. The Realm Backend today does not
check the password lengths and it cannot check.
The reason i say it cannot check is that we do not support User
Management for Most PreDefined Realms in GF V2 and for Custom User
Defined Realms we have no control on what is a valid username or valid
password for that realm. Only the Default GF File Realm supports user
management and there we have the following code.
1. Usernames are checked for validity when the admin is used to create
a File User :
// Valid non-alphanumeric/whitespace chars in user/group name
public static final String MISC_VALID_CHARS="_-.";
private static boolean isValid(String s, boolean userName)
{
for (int i=0; i<s.length(); i++) {
char c = s.charAt(i);
if (!Character.isLetterOrDigit(c) &&
!Character.isWhitespace(c) &&
MISC_VALID_CHARS.indexOf(c) == -1) {
if (userName && (c == '@')){
continue;
}
return false;
}
}
return true;
}
And for passwords the only validation done is
password.equals(password.trim())
But i agree to your comments that the Admin Console and asadmin should
really show the same behaviour in all cases.
> For #7134, do you think multibyte characters in user names should not
> be allowed (i.e. preferable to add the restriction to the Admin Console)?
>
Again here the backend realm interface accepts a String for Username and
Password Respectively. Since a String is a UTF-16 entity it should be
possible to have multibyte characters for usernames in general. However
as seen in the code above it appears the Default FileRealm
implementation in GF is disallowing that. And so when the Admin code
uses the FileRealm's addUser method to create a new FileUser it would
get an exception if the username does not comply to the rules in the
code above. So i am not sure if Admin Console and asadmin are using any
of these methods or have their own validation. I am CCing kedar and
anissa for their comments.
> And do you think the same should apply for passwords (i.e. preferable
> to add the restriction to both the Admin Console and asadmin
> change-master-password)?
>
I agree that any behaviour has to be consistent between Asadmin and
Admin Console.
regards,
kumar
> Thanks,
> Dies
>
>
>>> Ron Monzillo wrote:
>>>
>>>> Dies Koper wrote:
>>>>
>>>>> Hi Shing Wai, Ron,
>>>>>
>>>>> I believe you are the owner of the modules the questions I posed
>>>>> last week relate to.
>>>>> I have another related question and was hoping you could help me.
>>>>>
>>>>> 3.
>>>>> I confirmed that I can use multibyte characters in a password
>>>>> (tried with asadmin change-master-password). Why do you allow
>>>>> non-ASCII characters for the password but not for the user name?
>>>>>
>>>> Dies,
>>>>
>>>> This appears to be an over-sight or limitation of the implementation.
>>>>
>>>> The module owner for security has changed, and at least the first 2
>>>> issues you raised also involve the admin module. I believe the
>>>> right people are looking into this.
>>>>
>>>> If you have not done so already, please create an issue as that
>>>> will ensure that it gets assigned and addressed.
>>>>
>>>> Ron
>>>>
>>>>> Thanks!
>>>>> Dies
>>>>>
>>>>>
>>>>> Dies Koper wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> We are trying to determine what characters GlassFish supports for
>>>>>> use as
>>>>>> in User IDs and passwords in File realm. The characters accepted
>>>>>> when
>>>>>> using asadmin are different from when using the Admin console.
>>>>>> I have a few questions.
>>>>>>
>>>>>> 1.
>>>>>> The Admin Console has the following comment:
>>>>>> Name of a user to be granted access to this realm; name can be
>>>>>> up to
>>>>>> 255 characters, must contain only alphanumeric, underscore, dash,
>>>>>> or dot
>>>>>> characters
>>>>>>
>>>>>> It is my understanding that "alphanumeric" does not include
>>>>>> multibyte
>>>>>> (Japanese) characters. However, if I include other symbols ('+',
>>>>>> etc.)
>>>>>> I get an error message while if I include Japanese characters
>>>>>> (multibyte), they are accepted.
>>>>>> Are multibyte characters supported here or not?
>>>>>>
>>>>>> 2.
>>>>>> Using the asadmin change-admin-password command you cannot change a
>>>>>> password from or to something less than 8 characters. Using the
>>>>>> Admin
>>>>>> Console (Security>Realms>admin-realm) you /can/ change the
>>>>>> password to
>>>>>> something less than 8 characters (and therefore make it
>>>>>> impossible to
>>>>>> change afterwards with the asadmin command).
>>>>>> Wouldn't it be better to have the limitation be enforced
>>>>>> consistently
>>>>>> (or not at all)?
>>>>>>
>>>>>> Thanks,
>>>>>> Dies
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe_at_glassfish.dev.java.net
>>> For additional commands, e-mail: dev-help_at_glassfish.dev.java.net
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe_at_glassfish.dev.java.net
>> For additional commands, e-mail: dev-help_at_glassfish.dev.java.net
>>
>>
>>
>