Posted to commits@ofbiz.apache.org by ha...@apache.org on 2008/05/14 11:22:54 UTC

svn commit: r656175 - in /ofbiz/trunk/framework: base/src/base/org/ofbiz/base/crypto/HashCrypt.java common/src/org/ofbiz/common/login/LoginServices.java

Author: hansbak
Date: Wed May 14 02:22:54 2008
New Revision: 656175

URL: http://svn.apache.org/viewvc?rev=656175&view=rev
Log:
a better fix than rev 656100

Modified:
    ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java
    ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java

Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java?rev=656175&r1=656174&r2=656175&view=diff
==============================================================================
--- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java (original)
+++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java Wed May 14 02:22:54 2008
@@ -81,7 +81,7 @@
     }
     
     public static String removeHashTypePrefix(String hashString) {
-        if (UtilValidate.isEmpty(hashString) || hashString.charAt(0) != '{') {
+        if (UtilValidate.isNotEmpty(hashString) || hashString.charAt(0) != '{') {
             return hashString;
         }
         
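Review bot: the `isEmpty` to `isNotEmpty` flip on the `if` line inverts the guard: every non-empty string now takes the early `return hashString`, so the prefix is never removed, and for an empty string the right-hand `hashString.charAt(0)` is now evaluated and throws. The original `if (UtilValidate.isEmpty(hashString) || hashString.charAt(0) != '{')` was correct; if the comparison in LoginServices fails for prefixed values, the fix belongs there (strip the prefix from both sides), not in this guard.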

Modified: ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=656175&r1=656174&r2=656175&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java (original)
+++ ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java Wed May 14 02:22:54 2008
@@ -162,8 +162,7 @@
                         // if the password.accept.encrypted.and.plain property in security is set to true allow plain or encrypted passwords
                         // if this is a system account don't bother checking the passwords
                         if ((userLogin.get("currentPassword") != null &&
-                            (encodedPassword.equals(userLogin.getString("currentPassword")) ||
-                            		HashCrypt.removeHashTypePrefix(encodedPassword).equals(userLogin.getString("currentPassword")) ||
+                            (HashCrypt.removeHashTypePrefix(encodedPassword).equals(userLogin.getString("currentPassword")) ||
                                     HashCrypt.removeHashTypePrefix(encodedPasswordOldFunnyHexEncode).equals(userLogin.getString("currentPassword")) ||
                                     HashCrypt.removeHashTypePrefix(encodedPasswordUsingDbHashType).equals(userLogin.getString("currentPassword")) ||
                                 ("true".equals(UtilProperties.getPropertyValue("security.properties", "password.accept.encrypted.and.plain")) && password.equals(userLogin.getString("currentPassword")))))) {
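Review bot: the entered values are passed through `HashCrypt.removeHashTypePrefix`, but `userLogin.getString("currentPassword")` on the right-hand side of each `equals` is not, so a stored value that still carries its `{...}` prefix can only match once prefix stripping is a no-op, which is exactly what the HashCrypt change in this commit makes it. Dropping the `encodedPassword.equals(userLogin.getString("currentPassword"))` line also removes the one comparison that matched a prefixed entry against a prefixed stored value. Suggest stripping on both sides instead, e.g. `HashCrypt.removeHashTypePrefix(encodedPassword).equals(HashCrypt.removeHashTypePrefix(userLogin.getString("currentPassword")))`, and leaving HashCrypt as it was.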



Re: svn commit: r656175 - in /ofbiz/trunk/framework: base/src/base/org/ofbiz/base/crypto/HashCrypt.java common/src/org/ofbiz/common/login/LoginServices.java

Posted by David E Jones <jo...@undersunconsulting.com>.

Hans: thanks for your attention and this, and sorry for delaying the  
fix. Login not working after a password change is a pretty serious bug!

The problem was that in the LoginServices.userLogin method/service it  
wasn't removing the prefix from both the password entered and the  
password from the database (UserLogin.currentPassword).

This last change you made fixed the problem because it effectively
disabled the prefix removal. That can potentially cause other problems
though, so I've changed that back so the prefix removal method works
again, but now it is done on both sides so the comparison will work.

I've tested this based on the changes in SVN rev 656515 and it is  
working fine now.

-David


On May 14, 2008, at 3:22 AM, hansbak@apache.org wrote:

> Author: hansbak
> Date: Wed May 14 02:22:54 2008
> New Revision: 656175
>
> URL: http://svn.apache.org/viewvc?rev=656175&view=rev
> Log:
> a better fix than rev 656100
>
> Modified:
>    ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/ 
> HashCrypt.java
>    ofbiz/trunk/framework/common/src/org/ofbiz/common/login/ 
> LoginServices.java
>
> Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/ 
> HashCrypt.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java?rev=656175&r1=656174&r2=656175&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/ 
> HashCrypt.java (original)
> +++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/ 
> HashCrypt.java Wed May 14 02:22:54 2008
> @@ -81,7 +81,7 @@
>     }
>
>     public static String removeHashTypePrefix(String hashString) {
> -        if (UtilValidate.isEmpty(hashString) ||  
> hashString.charAt(0) != '{') {
> +        if (UtilValidate.isNotEmpty(hashString) ||  
> hashString.charAt(0) != '{') {
>             return hashString;
>         }
>
>
> Modified: ofbiz/trunk/framework/common/src/org/ofbiz/common/login/ 
> LoginServices.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=656175&r1=656174&r2=656175&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/common/src/org/ofbiz/common/login/ 
> LoginServices.java (original)
> +++ ofbiz/trunk/framework/common/src/org/ofbiz/common/login/ 
> LoginServices.java Wed May 14 02:22:54 2008
> @@ -162,8 +162,7 @@
>                         // if the  
> password.accept.encrypted.and.plain property in security is set to  
> true allow plain or encrypted passwords
>                         // if this is a system account don't bother  
> checking the passwords
>                         if ((userLogin.get("currentPassword") !=  
> null &&
> -                             
> (encodedPassword.equals(userLogin.getString("currentPassword")) ||
> -                            		 
> HashCrypt 
> .removeHashTypePrefix 
> (encodedPassword).equals(userLogin.getString("currentPassword")) ||
> +                             
> (HashCrypt 
> .removeHashTypePrefix 
> (encodedPassword).equals(userLogin.getString("currentPassword")) ||
>                                      
> HashCrypt 
> .removeHashTypePrefix 
> (encodedPasswordOldFunnyHexEncode 
> ).equals(userLogin.getString("currentPassword")) ||
>                                      
> HashCrypt 
> .removeHashTypePrefix 
> (encodedPasswordUsingDbHashType 
> ).equals(userLogin.getString("currentPassword")) ||
>                                  
> ("true 
> ".equals(UtilProperties.getPropertyValue("security.properties",  
> "password.accept.encrypted.and.plain")) &&  
> password.equals(userLogin.getString("currentPassword")))))) {
>
>

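The point of the thread above is that a hash-type prefix has to be stripped from both the entered value and the stored value before they are compared, and that the strip routine must tolerate null and empty input. The following is an added example written for this page, not OFBiz's HashCrypt or LoginServices code; it assumes the prefix has the form `{TYPE}` (the page only shows that it starts with `{`), uses constructed sample digests, and swaps `String.equals` for `MessageDigest.isEqual` so the comparison does not leak timing.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Added example (not OFBiz code): prefix stripping that is safe on empty input,
 *  applied to BOTH sides of the password comparison. */
public class HashPrefixCheck {

    /** Remove a leading "{TYPE}" prefix. Null, empty or unprefixed strings are returned
     *  unchanged; this is the guard that r656175 accidentally inverted. */
    public static String removeHashTypePrefix(String hashString) {
        if (hashString == null || hashString.isEmpty() || hashString.charAt(0) != '{') {
            return hashString;
        }
        int end = hashString.indexOf('}');
        if (end < 0) {
            return hashString; // malformed prefix: leave as-is rather than guess (assumption: "{TYPE}" form)
        }
        return hashString.substring(end + 1);
    }

    /** Compare an encoded candidate with the stored password after stripping the prefix on
     *  both sides, in constant time. A null on either side never matches. */
    public static boolean matches(String encodedCandidate, String storedPassword) {
        if (encodedCandidate == null || storedPassword == null) {
            return false;
        }
        byte[] a = removeHashTypePrefix(encodedCandidate).getBytes(StandardCharsets.UTF_8);
        byte[] b = removeHashTypePrefix(storedPassword).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        // Constructed sample values: one digest stored with a prefix, entered with and without it.
        String stored = "{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=";
        String enteredPrefixed = "{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=";
        String enteredBare = "2jmj7l5rSw0yVb/vlWAYkK/YBwk=";

        System.out.println("prefixed vs prefixed: " + matches(enteredPrefixed, stored));
        System.out.println("bare vs prefixed:     " + matches(enteredBare, stored));
        System.out.println("wrong digest:         " + matches("{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=", stored));
        // Empty and null input must not throw, which the inverted guard in r656175 would do.
        System.out.println("empty stays empty:    " + removeHashTypePrefix("").isEmpty());
        System.out.println("null stays null:      " + (removeHashTypePrefix(null) == null));
    }
}
```

Stripping both sides means the login check no longer depends on whether the database row and the freshly computed hash happen to agree about carrying a prefix, which is the mismatch David describes; the constant-time compare is an extra hardening step beyond what the thread discusses.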