Posted to user@turbine.apache.org by Ilan Azbel <ia...@mdio.net> on 2004/05/07 11:41:21 UTC
using hashed passwords instead of cleartext passwords
Hello, how does one force Turbine to store hashed passwords in the database
instead of cleartext passwords?
Ilan
---------------------------------------------------------------------
To unsubscribe, e-mail: turbine-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: turbine-user-help@jakarta.apache.org
RE: using hashed passwords instead of cleartext passwords
Posted by Jeffery Painter <pa...@kiasoft.com>.
You need to use the TurbineSecurity class.
If your TurbineResources.properties file is set up to use the encrypted
password service, TurbineSecurity will use that.
import org.apache.turbine.services.security.TurbineSecurity;
I have a password reset function called doChange() that allows my users to
update their own password. I stripped it down for brevity.
/**
 * force update on user password
 */
public void doChange(RunData data, Context context)
    throws Exception
{
    String newPassword =
        data.getParameters().getString("newPassword").trim();
    String confirmNewPassword =
        data.getParameters().getString("confirmNewPassword").trim();
    // reject the change when the two entries differ
    if (!newPassword.equals(confirmNewPassword)) {
        data.setMessage("Your password does not match the " +
            "confirmation, please try again.");
        return;
    }
    else {
        try {
            // forcePassword handles encrypting new password
            IpmUser user = (IpmUser) data.getUser();
            TurbineSecurity.forcePassword(user, newPassword);
            data.setMessage("Your password has been changed.");
        }
        catch (Exception e) {
            Log.error("PasswordReset doChange error: " +
                e.toString());
            data.setMessage("Your password was not changed due to " +
                "some error in the system. Please alert the administrator.");
        }
    }
}
On Tue, 11 May 2004, Ilan Azbel wrote:
> Hi,
>
> I have done what you have said, but the password still gets stored in
> cleartext.
>
> Just to clarify what I am doing:
>
> 1) services.SecurityService.secure.passwords=true
> 2) install commons-codec-1.1
> 3) When I add a user I do the following:
> TurbineUser newUser = new TurbineUser();
> newUser.setEmail("myemail@here.there");
> newUser.setFirstName("ilan");
> newUser.setLastName("azbel");
> newUser.setPasswordValue("mypassword");
> newUser.setLoginName("ilan");
> newUser.save();
>
> Is the above correct? (I am new to Turbine so I am not sure).
>
> Ilan
>
>
>
>
>
> > -----Original Message-----
> > From: David Demner [mailto:turbine@demner.com]
> > Sent: 07 May 2004 04:53
> > To: 'Turbine Users List'
> > Subject: RE: using hashed passwords instead of cleartext passwords
> >
> >
> > Hi Ilan,
> >
> > Set services.SecurityService.secure.passwords=true in your
> > TurbineResources.properties. Also you'll need to add
> > commons-codec-1.1 (NOT
> > the most recent version) to the classpath.
> >
> > Good luck,
> >
> > David
> >
> > -----Original Message-----
> > From: Ilan Azbel [mailto:iazbel@mdio.net]
> > Sent: Friday May 7, 2004 2:41 AM
> > To: Turbine-User
> > Subject: using hashed passwords instead of cleartext passwords
> >
> >
> > Hello, how does one force Turbine to store hashed passwords in
> > the database
> > instead of cleartext passwords?
> >
> > Ilan
--
Regards,
Jeffery Painter
President
Kiasoft, Inc. (910) 254-9383 ext 129
- --
painter@kiasoft.com http://kiasoft.com
PGP FP: 9CE8 83A2 33FA 32B1 0AB1 4E62 E4CB E4DA 5913 EFBC
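One way to check whether the setting took effect, as an added example that is not from the thread or the Turbine project: it compares a value read from the password column against the cleartext and against a Base64-encoded digest of a known test password. The unsalted Base64(digest) form, the algorithm list, the class and method names, and the sample values are assumptions; adjust them to the algorithm configured for your installation.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Added example (hypothetical class, not Turbine code): classify a value read
// from the user table's password column for an account whose password is known.
public class StoredPasswordCheck {

    // Assumption: the stored form is Base64(digest(password)), unsalted.
    static final String[] ALGORITHMS = {"SHA-1", "SHA-256", "MD5"};

    static String digest(String password, String algorithm)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] hash = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(hash);
    }

    // Returns "CLEARTEXT", "HASHED(<algorithm>)" or "UNKNOWN".
    static String classify(String stored, String knownPassword)
            throws NoSuchAlgorithmException {
        if (stored == null || stored.isEmpty()) {
            return "UNKNOWN";
        }
        if (stored.equals(knownPassword)) {
            return "CLEARTEXT";
        }
        for (String algorithm : ALGORITHMS) {
            if (MessageDigest.isEqual(
                    stored.getBytes(StandardCharsets.UTF_8),
                    digest(knownPassword, algorithm).getBytes(StandardCharsets.UTF_8))) {
                return "HASHED(" + algorithm + ")";
            }
        }
        return "UNKNOWN";
    }

    public static void main(String[] args) throws Exception {
        String known = "mypassword"; // test password used in the thread
        // Constructed sample column values, not real data.
        String[] samples = {"mypassword", digest(known, "SHA-1"), "something-else"};
        for (String stored : samples) {
            System.out.println(stored + " -> " + classify(stored, known));
        }
    }
}
```

Run it against the row of a throwaway test account only; an UNKNOWN result means the stored form matches neither the cleartext nor any digest in the assumed list.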
RE: changing username while being logged in
Posted by Ilan Azbel <ia...@mdio.net>.
Although not ideal, I have found a quick hack to get around this problem.
All I do is create an sql connection to the database and execute an "UPDATE"
statement to change the username.
Then I execute the following commands (u is the current user from RunData):
u.setUserName("New UserName");
TurbineSecurity.saveUser(u);
Thanks for all the help.
Ilan
> -----Original Message-----
> From: Ilan Azbel [mailto:iazbel@mdio.net]
> Sent: 12 May 2004 10:43
> To: Turbine Users List
> Subject: RE: changing username while being logged in
>
>
> Would it not be simpler to just add a new user, then assume this
> new user's
> identity?
>
> What code would I use to get one user to assume another user's identity?
>
> Ilan
>
>
>
> > -----Original Message-----
> > From: Jeffery Painter [mailto:painter@kiasoft.com]
> > Sent: 11 May 2004 08:34
> > To: Turbine Users List
> > Subject: Re: changing username while being logged in
> >
> >
> >
> > You may want to do some history searching on the mail list archives for
> > related issues with changing the username while logged in.
> >
> > TurbineSecurity I believe tries to do an update on the user once the user
> > logs out and if the user name has changed, it will think that it needs to
> > create a new user account (since it will default to finding an unmatched
> > username on your user object)
> >
> > most of the security service is related to the username as the primary
> > key, so you will need to be careful for putting together a solution that
> > does not create multiple users and instead just updates the username as
> > you wish.
> >
> > be sure to check if the username they wish to change to isn't being used
> > already, or it could cause even more problems.
> >
> > related thread from the past:
> >
> > http://marc.theaimsgroup.com/?l=turbine-user&m=104405212018687&w=2
> >
> > just looking at your code, it looks like you are attempting to remove the
> > user before updating the user.. I don't think this is what you want to do
> >
> > Jeff Painter
> >
> >
> > On Tue, 11 May 2004, Ilan Azbel wrote:
> >
> > > Hello,
> > >
> > > Is it possible for users to change their own username while being logged in?
> > > If so, how?
> > >
> > > I do the following with little success (truncated version):
> > >
> > > TurbineSecurity.removeUser(u);
> > > org.apache.turbine.om.security.TurbineUser NewUser = new
> > > org.apache.turbine.om.security.TurbineUser();
> > > NewUser.setEmail("my@email.address");
> > > NewUser.setFirstName("ilan");
> > > NewUser.setLastName("azbel");
> > > NewUser.setUserName("newusername");
> > > TurbineSecurity.addUser(NewUser, pp.getString("Password"));
> > > TurbineSecurity.grant(NewUser, TurbineSecurity.getGlobalGroup(),
> > > TurbineSecurity.getRole("turbine_root"));
> > > data.setUser(TurbineSecurity.getAuthenticatedUser(NewUser.getUserName(),
> > > "pwd"));
> > >
> > > Ilan
RE: changing username while being logged in
Posted by Ilan Azbel <ia...@mdio.net>.
Would it not be simpler to just add a new user, then assume this new user's
identity?
What code would I use to get one user to assume another user's identity?
Ilan
> -----Original Message-----
> From: Jeffery Painter [mailto:painter@kiasoft.com]
> Sent: 11 May 2004 08:34
> To: Turbine Users List
> Subject: Re: changing username while being logged in
>
>
>
> You may want to do some history searching on the mail list archives for
> related issues with changing the username while logged in.
>
> TurbineSecurity I believe tries to do an update on the user once the user
> logs out and if the user name has changed, it will think that it needs to
> create a new user account (since it will default to finding an unmatched
> username on your user object)
>
> most of the security service is related to the username as the primary
> key, so you will need to be careful for putting together a solution that
> does not create multiple users and instead just updates the username as
> you wish.
>
> be sure to check if the username they wish to change to isn't being used
> already, or it could cause even more problems.
>
> related thread from the past:
>
> http://marc.theaimsgroup.com/?l=turbine-user&m=104405212018687&w=2
>
> just looking at your code, it looks like you are attempting to remove the
> user before updating the user.. I don't think this is what you want to do
>
> Jeff Painter
>
>
> On Tue, 11 May 2004, Ilan Azbel wrote:
>
> > Hello,
> >
> > Is it possible for users to change their own username while being logged in?
> > If so, how?
> >
> > I do the following with little success (truncated version):
> >
> > TurbineSecurity.removeUser(u);
> > org.apache.turbine.om.security.TurbineUser NewUser = new
> > org.apache.turbine.om.security.TurbineUser();
> > NewUser.setEmail("my@email.address");
> > NewUser.setFirstName("ilan");
> > NewUser.setLastName("azbel");
> > NewUser.setUserName("newusername");
> > TurbineSecurity.addUser(NewUser, pp.getString("Password"));
> > TurbineSecurity.grant(NewUser, TurbineSecurity.getGlobalGroup(),
> > TurbineSecurity.getRole("turbine_root"));
> > data.setUser(TurbineSecurity.getAuthenticatedUser(NewUser.getUserName(),
> > "pwd"));
> >
> > Ilan
Re: changing username while being logged in
Posted by Jeffery Painter <pa...@kiasoft.com>.
You may want to do some history searching on the mail list archives for
related issues with changing the username while logged in.
TurbineSecurity I believe tries to do an update on the user once the user
logs out and if the user name has changed, it will think that it needs to
create a new user account (since it will default to finding an unmatched
username on your user object)
most of the security service is related to the username as the primary
key, so you will need to be careful for putting together a solution that
does not create multiple users and instead just updates the username as
you wish.
be sure to check if the username they wish to change to isn't being used
already, or it could cause even more problems.
related thread from the past:
http://marc.theaimsgroup.com/?l=turbine-user&m=104405212018687&w=2
just looking at your code, it looks like you are attempting to remove the
user before updating the user.. I don't think this is what you want to do
Jeff Painter
On Tue, 11 May 2004, Ilan Azbel wrote:
> Hello,
>
> Is it possible for users to change their own username while being logged in?
> If so, how?
>
> I do the following with little success (truncated version):
>
> TurbineSecurity.removeUser(u);
> org.apache.turbine.om.security.TurbineUser NewUser = new
> org.apache.turbine.om.security.TurbineUser();
> NewUser.setEmail("my@email.address");
> NewUser.setFirstName("ilan");
> NewUser.setLastName("azbel");
> NewUser.setUserName("newusername");
> TurbineSecurity.addUser(NewUser, pp.getString("Password"));
> TurbineSecurity.grant(NewUser, TurbineSecurity.getGlobalGroup(),
> TurbineSecurity.getRole("turbine_root"));
> data.setUser(TurbineSecurity.getAuthenticatedUser(NewUser.getUserName(),
> "pwd"));
>
> Ilan
changing username while being logged in
Posted by Ilan Azbel <ia...@mdio.net>.
Hello,
Is it possible for users to change their own username while being logged in?
If so, how?
I do the following with little success (truncated version):
TurbineSecurity.removeUser(u);
org.apache.turbine.om.security.TurbineUser NewUser = new
org.apache.turbine.om.security.TurbineUser();
NewUser.setEmail("my@email.address");
NewUser.setFirstName("ilan");
NewUser.setLastName("azbel");
NewUser.setUserName("newusername");
TurbineSecurity.addUser(NewUser, pp.getString("Password"));
TurbineSecurity.grant(NewUser, TurbineSecurity.getGlobalGroup(),
TurbineSecurity.getRole("turbine_root"));
data.setUser(TurbineSecurity.getAuthenticatedUser(NewUser.getUserName(),
"pwd"));
Ilan
RE: using hashed passwords instead of cleartext passwords
Posted by Ilan Azbel <ia...@mdio.net>.
Hi,
I have done what you have said, but the password still gets stored in
cleartext.
Just to clarify what I am doing:
1) services.SecurityService.secure.passwords=true
2) install commons-codec-1.1
3) When I add a user I do the following:
TurbineUser newUser = new TurbineUser();
newUser.setEmail("myemail@here.there");
newUser.setFirstName("ilan");
newUser.setLastName("azbel");
newUser.setPasswordValue("mypassword");
newUser.setLoginName("ilan");
newUser.save();
Is the above correct? (I am new to Turbine so I am not sure).
Ilan
> -----Original Message-----
> From: David Demner [mailto:turbine@demner.com]
> Sent: 07 May 2004 04:53
> To: 'Turbine Users List'
> Subject: RE: using hashed passwords instead of cleartext passwords
>
>
> Hi Ilan,
>
> Set services.SecurityService.secure.passwords=true in your
> TurbineResources.properties. Also you'll need to add
> commons-codec-1.1 (NOT
> the most recent version) to the classpath.
>
> Good luck,
>
> David
>
> -----Original Message-----
> From: Ilan Azbel [mailto:iazbel@mdio.net]
> Sent: Friday May 7, 2004 2:41 AM
> To: Turbine-User
> Subject: using hashed passwords instead of cleartext passwords
>
>
> Hello, how does one force Turbine to store hashed passwords in
> the database
> instead of cleartext passwords?
>
> Ilan
RE: using hashed passwords instead of cleartext passwords
Posted by David Demner <tu...@demner.com>.
Hi Ilan,
Set services.SecurityService.secure.passwords=true in your
TurbineResources.properties. Also you'll need to add commons-codec-1.1 (NOT
the most recent version) to the classpath.
Good luck,
David
-----Original Message-----
From: Ilan Azbel [mailto:iazbel@mdio.net]
Sent: Friday May 7, 2004 2:41 AM
To: Turbine-User
Subject: using hashed passwords instead of cleartext passwords
Hello, how does one force Turbine to store hashed passwords in the database
instead of cleartext passwords?
Ilan