You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2016/05/09 19:04:34 UTC

svn commit: r1743028 - in /ofbiz/branches/release15.12: ./ applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java

Author: jleroux
Date: Mon May  9 19:04:33 2016
New Revision: 1743028

URL: http://svn.apache.org/viewvc?rev=1743028&view=rev
Log:
"Applied fix from trunk for revision: 1743025  " 
------------------------------------------------------------------------
r1743025 | jleroux | 2016-05-09 20:53:40 +0200 (lun. 09 mai 2016) | 22 lignes

A patch from Amardeep Singh Jhajj for "New password set in forgot password workflow not works sometimes and gives error" https://issues.apache.org/jira/browse/OFBIZ-7058

Sometimes, on clicking the reset password link from "New password sent" email we get a reset password page and on saving the new password we get following error. 
[java] org.apache.shiro.crypto.CryptoException: Unable to execute 'doFinal' with cipher instance [javax.crypto.Cipher@3ea85a47].
     [java] 	at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:462) ~[shiro-core-1.2.3.jar:1.2.3]
     [java] 	at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:445) ~[shiro-core-1.2.3.jar:1.2.3]
     [java] 	at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:390) ~[shiro-core-1.2.3.jar:1.2.3]
     [java] 	at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:382) ~[shiro-core-1.2.3.jar:1.2.3]
     [java] 	at org.ofbiz.entity.util.EntityCrypto$ShiroStorageHandler.decryptValue(EntityCrypto.java:282) ~[ofbiz-entity.jar:?]
     [java] 	at org.ofbiz.entity.util.EntityCrypto.doDecrypt(EntityCrypto.java:147) ~[ofbiz-entity.jar:?]
     [java] 	at org.ofbiz.entity.util.EntityCrypto.decrypt(EntityCrypto.java:126) ~[ofbiz-entity.jar:?]
     [java] 	at org.ofbiz.webapp.control.LoginWorker.login(LoginWorker.java:389) ~[ofbiz-webapp.jar:?]



I found that sometimes encrypted password string (Base64 String created from EntityCrypto's encrypt method) contain "+".
So on clicking the reset password link from email we get a reset password page and on saving the new password we get this error. The reason is "+" is converted to " " 
after url decoding. For example: Below URL having encrypted token with "+"

https://localhost:8443/partymgr/control/passwordChange?USERNAME=DemoUser&password=CcXuJ3vDfba0J7A8xO+X5A==&forgotPwdFlag=true&tenantId=

We can encrypt the token using URL encoder so that it is taken as it is in URL decoding.
------------------------------------------------------------------------


Modified:
    ofbiz/branches/release15.12/   (props changed)
    ofbiz/branches/release15.12/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java

Propchange: ofbiz/branches/release15.12/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon May  9 19:04:33 2016
@@ -9,4 +9,4 @@
 /ofbiz/branches/json-integration-refactoring:1634077-1635900
 /ofbiz/branches/multitenant20100310:921280-927264
 /ofbiz/branches/release13.07:1547657
-/ofbiz/trunk:1722712,1723007,1723248,1724402,1724411,1724566,1724689,1724763,1724916,1724918,1724925,1724930,1724940,1724943,1724946,1724951,1724957,1724975,1724978,1725006,1725217,1725257,1725561,1725574,1726388,1726486,1726493,1726828,1727894,1728398,1728411,1729005,1729078,1729609,1729809,1730035,1730456,1730735-1730736,1730747,1730758,1730882,1730889,1731382,1731396,1732454,1732570,1732721,1733951,1733956,1734246,1734269,1734276,1734912,1734918,1735021,1735244,1735385,1735398,1735569,1735731,1735734,1735750,1735753,1735756,1735759,1735773,1736083,1736087,1736272,1736434,1736628,1736851,1736854,1736890,1737156,1737440,1738235,1738303,1738407,1738902,1739438,1739448,1739571,1740008,1740442,1740629,1741146,1741563,1741684,1741925,1741930,1741960,1742018,1742097,1742103,1742712,1742737,1742741
+/ofbiz/trunk:1722712,1723007,1723248,1724402,1724411,1724566,1724689,1724763,1724916,1724918,1724925,1724930,1724940,1724943,1724946,1724951,1724957,1724975,1724978,1725006,1725217,1725257,1725561,1725574,1726388,1726486,1726493,1726828,1727894,1728398,1728411,1729005,1729078,1729609,1729809,1730035,1730456,1730735-1730736,1730747,1730758,1730882,1730889,1731382,1731396,1732454,1732570,1732721,1733951,1733956,1734246,1734269,1734276,1734912,1734918,1735021,1735244,1735385,1735398,1735569,1735731,1735734,1735750,1735753,1735756,1735759,1735773,1736083,1736087,1736272,1736434,1736628,1736851,1736854,1736890,1737156,1737440,1738235,1738303,1738407,1738902,1739438,1739448,1739571,1740008,1740442,1740629,1741146,1741563,1741684,1741925,1741930,1741960,1742018,1742097,1742103,1742712,1742737,1742741,1743025

Modified: ofbiz/branches/release15.12/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release15.12/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java?rev=1743028&r1=1743027&r2=1743028&view=diff
==============================================================================
--- ofbiz/branches/release15.12/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java (original)
+++ ofbiz/branches/release15.12/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java Mon May  9 19:04:33 2016
@@ -19,6 +19,8 @@
 
 package org.ofbiz.securityext.login;
 
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
@@ -258,12 +260,19 @@ public class LoginEvents {
             } else {
                 passwordToSend = supposedUserLogin.getString("currentPassword");
             }
+            /* Its a Base64 string, it can contain + and this + will be converted to space after decoding the url.
+               For example: passwordToSend "DGb1s2wgUQmwOBK9FK+fvQ==" will be converted to "DGb1s2wgUQmwOBK9FK fvQ=="
+               So to fix it, done Url encoding of passwordToSend.
+            */
+            passwordToSend = URLEncoder.encode(passwordToSend, "UTF-8");
         } catch (GenericEntityException e) {
             Debug.logWarning(e, "", module);
             Map<String, String> messageMap = UtilMisc.toMap("errorMessage", e.toString());
             errMsg = UtilProperties.getMessage(resource, "loginevents.error_accessing_password", messageMap, UtilHttp.getLocale(request));
             request.setAttribute("_ERROR_MESSAGE_", errMsg);
             return "error";
+        } catch (UnsupportedEncodingException e) {
+            e.printStackTrace();
         }
 
         StringBuilder emails = new StringBuilder();