Make timing attacks against the Realm implementations harder. (schultz)

git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1758502 13f79535-47bb-0310-9956-ffa450edef68

Author: markt-asf

java/org/apache/catalina/realm/DataSourceRealm.java

@@ -5,9 +5,9 @@
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
- * 
+ *
  *      http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -271,13 +271,13 @@ public String getInfo() {
      */
     @Override
     public Principal authenticate(String username, String credentials) {
-        
+
         // No user or no credentials
         // Can't possibly authenticate, don't bother the database then
         if (username == null || credentials == null) {
             return null;
         }
-        
+
         Connection dbConnection = null;
 
         // Ensure that we have an open database connection
@@ -286,7 +286,7 @@ public Principal authenticate(String username, String credentials) {
             // If the db connection open fails, return "not authenticated"
             return null;
         }
-        
+
         try
         {
             // Acquire a Principal object for this user
@@ -331,6 +331,8 @@ protected Principal authenticate(Connection dbConnection,
 
         if(dbCredentials == null) {
             // User was not found in the database.
+            // Waste a bit of time as not to reveal that the user does not exist.
+            compareCredentials(credentials, getClass().getName());
 
             if (containerLog.isTraceEnabled())
                 containerLog.trace(sm.getString("dataSourceRealm.authenticateFailure",
@@ -374,7 +376,7 @@ protected void close(Connection dbConnection) {
         try {
             if (!dbConnection.getAutoCommit()) {
                 dbConnection.commit();
-            }            
+            }
         } catch (SQLException e) {
             containerLog.error("Exception committing connection before closing:", e);
         }
@@ -408,7 +410,7 @@ protected Connection open() {
         } catch (Exception e) {
             // Log the problem for posterity
             containerLog.error(sm.getString("dataSourceRealm.exception"), e);
-        }  
+        }
         return null;
     }
 
@@ -437,18 +439,18 @@ protected String getPassword(String username) {
         }
 
         try {
-            return getPassword(dbConnection, username);            
+            return getPassword(dbConnection, username);
         } finally {
             close(dbConnection);
         }
     }
-    
+
     /**
      * Return the password associated with the given principal's user name.
      * @param dbConnection The database connection to be used
      * @param username Username for which password should be retrieved
      */
-    protected String getPassword(Connection dbConnection, 
+    protected String getPassword(Connection dbConnection,
                                  String username) {
 
         ResultSet rs = null;
@@ -463,7 +465,7 @@ protected String getPassword(Connection dbConnection,
             }
 
             return (dbCredentials != null) ? dbCredentials.trim() : null;
-            
+
         } catch(SQLException e) {
             containerLog.error(
                     sm.getString("dataSourceRealm.getPassword.exception",
@@ -480,10 +482,10 @@ protected String getPassword(Connection dbConnection,
                     containerLog.error(
                         sm.getString("dataSourceRealm.getPassword.exception",
                              username), e);
-                
+
             }
         }
-        
+
         return null;
     }
 
@@ -527,15 +529,15 @@ protected ArrayList<String> getRoles(String username) {
             close(dbConnection);
         }
     }
-    
+
     /**
      * Return the roles associated with the given user name
      * @param dbConnection The database connection to be used
      * @param username Username for which roles should be retrieved
      */
     protected ArrayList<String> getRoles(Connection dbConnection,
                                      String username) {
-        
+
         if (allRolesMode != AllRolesMode.STRICT_MODE && !isRoleStoreDefined()) {
             // Using an authentication only configuration and no role store has
             // been defined so don't spend cycles looking
@@ -545,12 +547,12 @@ protected ArrayList<String> getRoles(Connection dbConnection,
         ResultSet rs = null;
         PreparedStatement stmt = null;
         ArrayList<String> list = null;
-        
+
         try {
             stmt = roles(dbConnection, username);
             rs = stmt.executeQuery();
             list = new ArrayList<String>();
-            
+
             while (rs.next()) {
                 String role = rs.getString(1);
                 if (role != null) {
@@ -576,7 +578,7 @@ protected ArrayList<String> getRoles(Connection dbConnection,
                                      username), e);
             }
         }
-        
+
         return null;
     }
 
@@ -600,7 +602,7 @@ private PreparedStatement credentials(Connection dbConnection,
         return (credentials);
 
     }
-    
+
     /**
      * Return a PreparedStatement configured to perform the SELECT required
      * to retrieve user roles for the specified username.
@@ -613,7 +615,7 @@ private PreparedStatement credentials(Connection dbConnection,
     private PreparedStatement roles(Connection dbConnection, String username)
         throws SQLException {
 
-        PreparedStatement roles = 
+        PreparedStatement roles =
             dbConnection.prepareStatement(preparedRoles);
 
         roles.setString(1, username);
@@ -659,7 +661,7 @@ protected void startInternal() throws LifecycleException {
         temp.append(userNameCol);
         temp.append(" = ?");
         preparedCredentials = temp.toString();
-        
+
         super.startInternal();
     }
 }

java/org/apache/catalina/realm/JDBCRealm.java

@@ -409,6 +409,8 @@ public synchronized Principal authenticate(Connection dbConnection,
 
         if (dbCredentials == null) {
             // User was not found in the database.
+            // Waste a bit of time as not to reveal that the user does not exist.
+            compareCredentials(credentials, getClass().getName());
 
             if (containerLog.isTraceEnabled())
                 containerLog.trace(sm.getString("jdbcRealm.authenticateFailure",

java/org/apache/catalina/realm/MemoryRealm.java

@@ -5,9 +5,9 @@
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
- * 
+ *
  *      http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -150,6 +150,10 @@ public Principal authenticate(String username, String credentials) {
         GenericPrincipal principal = principals.get(username);
 
         if (principal == null || principal.getPassword() == null) {
+            // User was not found in the database or the password was null
+            // Waste a bit of time as not to reveal that the user does not exist.
+            compareCredentials(credentials, getClass().getName());
+
             if (log.isDebugEnabled())
                 log.debug(sm.getString("memoryRealm.authenticateFailure", username));
             return null;