Posted to jetspeed-dev@portals.apache.org by at...@apache.org on 2005/02/03 02:22:51 UTC
cvs commit: jakarta-jetspeed-2/components/security/src/java/org/apache/jetspeed/security/spi/impl DefaultInternalPasswordCredentialInterceptor.java
ate 2005/02/02 17:22:51
Modified: components/security/src/java/org/apache/jetspeed/security/spi/impl
DefaultInternalPasswordCredentialInterceptor.java
Log:
An invalid stored password is now always set to updateRequired after loading and is not yet encoded,
so that it can be validated again before an admin sets updateRequired back to false: the password has to be valid before that is allowed.
Revision Changes Path
1.4 +21 -5 jakarta-jetspeed-2/components/security/src/java/org/apache/jetspeed/security/spi/impl/DefaultInternalPasswordCredentialInterceptor.java
Index: DefaultInternalPasswordCredentialInterceptor.java
===================================================================
RCS file: /home/cvs/jakarta-jetspeed-2/components/security/src/java/org/apache/jetspeed/security/spi/impl/DefaultInternalPasswordCredentialInterceptor.java,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- DefaultInternalPasswordCredentialInterceptor.java 12 Nov 2004 03:17:46 -0000 1.3
+++ DefaultInternalPasswordCredentialInterceptor.java 3 Feb 2005 01:22:51 -0000 1.4
@@ -43,14 +43,30 @@
throws SecurityException
{
boolean updated = false;
- if (!credential.isEncoded() && pcProvider.getEncoder() != null)
+ if (!credential.isEncoded())
{
+ boolean encode = pcProvider.getEncoder() != null;
if ( pcProvider.getValidator() != null)
{
- pcProvider.getValidator().validate(credential.getValue());
+ try
+ {
+ pcProvider.getValidator().validate(credential.getValue());
+ }
+ catch (SecurityException e)
+ {
+ // database contains an invalid password
+ // allow login (assuming the user knows the invalid value) but enforce an update
+ credential.setUpdateRequired(true);
+ // don't encode it yet to be able to check setUpdateRequired(false)
+ // in DefaultCredentialHandler.setPasswordUpdateRequired
+ encode = false;
+ }
}
- credential.setValue(pcProvider.getEncoder().encode(userName,credential.getValue()));
- credential.setEncoded(true);
+ if ( encode )
+ {
+ credential.setValue(pcProvider.getEncoder().encode(userName,credential.getValue()));
+ credential.setEncoded(true);
+ }
updated = true;
}
return updated;
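Review bot: `updated = true` at the end of the `if (!credential.isEncoded())` block now runs for every non-encoded credential, including the case where no encoder is configured and validation passes (or no validator exists), so the method reports a change although nothing on the credential was modified; before this commit that case skipped the block entirely. If the caller persists the credential whenever the return value is true (not visible here), this becomes a write on every load, and the same applies on the catch path for as long as the invalid password stays unencoded. I would move the assignment into the two places that actually modify the credential: `updated = true;` after `credential.setUpdateRequired(true);` and after `credential.setEncoded(true);`. The catch path also leaves the invalid password stored in clear text until the user changes it, and it treats any SecurityException from the validator as "invalid password" without logging; a comment stating that exposure window and a log line naming the user (never the value) would help operators find such accounts. The method's signature and closing brace lie outside the hunk.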