Posted to jetspeed-dev@portals.apache.org by at...@apache.org on 2005/02/03 02:22:51 UTC

cvs commit: jakarta-jetspeed-2/components/security/src/java/org/apache/jetspeed/security/spi/impl DefaultInternalPasswordCredentialInterceptor.java

ate         2005/02/02 17:22:51

  Modified:    components/security/src/java/org/apache/jetspeed/security/spi/impl
                        DefaultInternalPasswordCredentialInterceptor.java
  Log:
  An invalid stored password is now always flagged updateRequired after loading and left unencoded,
  so that it can be validated again before an admin sets updateRequired back to false: the password has to be valid before that is allowed.
  
  Revision  Changes    Path
  1.4       +21 -5     jakarta-jetspeed-2/components/security/src/java/org/apache/jetspeed/security/spi/impl/DefaultInternalPasswordCredentialInterceptor.java
  
  Index: DefaultInternalPasswordCredentialInterceptor.java
  ===================================================================
  RCS file: /home/cvs/jakarta-jetspeed-2/components/security/src/java/org/apache/jetspeed/security/spi/impl/DefaultInternalPasswordCredentialInterceptor.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- DefaultInternalPasswordCredentialInterceptor.java	12 Nov 2004 03:17:46 -0000	1.3
  +++ DefaultInternalPasswordCredentialInterceptor.java	3 Feb 2005 01:22:51 -0000	1.4
  @@ -43,14 +43,30 @@
               throws SecurityException
       {
           boolean updated = false;
  -        if (!credential.isEncoded() && pcProvider.getEncoder() != null)
  +        if (!credential.isEncoded())
           {
  +            boolean encode = pcProvider.getEncoder() != null;
               if ( pcProvider.getValidator() != null)
               {
  -                pcProvider.getValidator().validate(credential.getValue());
  +                try
  +                {
  +                    pcProvider.getValidator().validate(credential.getValue());
  +                }
  +                catch (SecurityException e)
  +                {
  +                    // database contains an invalid password
  +                    // allow login (assuming the user knows the invalid value) but enforce an update
  +                    credential.setUpdateRequired(true);
  +                    // don't encode it yet to be able to check setUpdateRequired(false)
  +                    // in DefaultCredentialHandler.setPasswordUpdateRequired
  +                    encode = false;
  +                }
               }            
  -            credential.setValue(pcProvider.getEncoder().encode(userName,credential.getValue()));
  -            credential.setEncoded(true);
  +            if ( encode )
  +            {
  +                credential.setValue(pcProvider.getEncoder().encode(userName,credential.getValue()));
  +                credential.setEncoded(true);
  +            }
               updated = true;
           }
           return updated;
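Review bot: The new catch block keeps a policy-violating password stored in clear text for as long as the user defers the forced update, and it swallows the validator's SecurityException without any record, so an operator has no signal that the backing store holds unencoded credentials. At minimum the catch should note the condition and the risk, e.g. `// SECURITY: the invalid value stays stored in clear text until the user changes it; log so operators can audit`, and emit a warning naming the user (never the value) if the class has a logger available; the encoder is still non-null here, so a policy exception is not a reason to leave the value unencoded indefinitely, and the TODO to encode once setUpdateRequired(false) has been verified should be stated explicitly. A second, smaller point: `updated = true` is now reached whenever `!credential.isEncoded()`, including the case where both encoder and validator are null, so a load that changes nothing is reported as an update; setting `updated` only inside the two branches that actually mutate the credential avoids a spurious write on every load. The enclosing method begins before this hunk, so whether the caller persists on `updated` cannot be confirmed from here.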
  
  
  
