You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by Adrian Crum <ad...@sandglass-software.com> on 2012/12/10 16:45:41 UTC
Re: svn commit: r1418996 - in /ofbiz/trunk/framework: common/config/SecurityextUiLabels.xml
common/src/org/ofbiz/common/login/LoginServices.java security/config/security.properties
On 12/9/2012 2:59 PM, jleroux@apache.org wrote:
> Author: jleroux
> Date: Sun Dec 9 14:59:52 2012
> New Revision: 1418996
>
> URL: http://svn.apache.org/viewvc?rev=1418996&view=rev
> Log:
> A slightly modified patch from Sumit Pandit for "Additional Validation for Password : Make password pattern driven" https://issues.apache.org/jira/browse/OFBIZ-4958
>
> Provides an additional validation for password with following capability to the system:
>
> Admin can enable/disable pattern based password capability of system. Configuration will reside in security.property file.
> To enable : security.login.password.pattern.enable=true
> To disable: security.login.password.pattern.enable=false
>
> Admin is flexible to provide his pattern string by making pattern more/less restrictive as per system requirement. Configuration will reside in security.property file.
> Example: security.login.password.pattern=^.*(?=. {5,})(?=.[a-zA-Z])(?=.[!@#$%^&*]).*$
>
> Admin can provide custom error message string which will display to end user if wrong password is entered. Configuration will reside in security.properity file.
>
> jleroux: I quickly handled the error message localisation for the OOTB case. It's more complicated when the pattern gets complex...
>
> Modified:
> ofbiz/trunk/framework/common/config/SecurityextUiLabels.xml
> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
> ofbiz/trunk/framework/security/config/security.properties
>
Modified:
ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=1418996&r1=1418995&r2=1418996&view=diff
==============================================================================
---
ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
(original) +++
ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
Sun Dec 9 14:59:52 2012 @@ -23,6 +23,8 @@ import java.sql.Timestamp;
import java.util.List; import java.util.Locale; import java.util.Map;
+import java.util.regex.Matcher; +import java.util.regex.Pattern; import
javax.transaction.Transaction; @@ -62,6 +64,8 @@ public class
LoginServices { public static final String module =
LoginServices.class.getName(); public static final String resource =
"SecurityextUiLabels"; + public static boolean usePasswordPattern =
"true".equals(UtilProperties.getPropertyValue("security.properties",
"security.login.password.pattern.enable")); + public static String
passwordPattern = UtilProperties.getPropertyValue("security.properties",
"security.login.password.pattern");
Please do not store property values in static class fields - that makes
it impossible to change the settings at run-time.
-Adrian
Re: svn commit: r1418996 - in /ofbiz/trunk/framework:
common/config/SecurityextUiLabels.xml
common/src/org/ofbiz/common/login/LoginServices.java
security/config/security.properties
Posted by Jacques Le Roux <ja...@les7arts.com>.
From: "Adrian Crum" <ad...@sandglass-software.com>
> On 12/11/2012 6:34 PM, Adam Heath wrote:
>> On 12/11/2012 03:46 AM, adrian.crum@sandglass-software.com wrote:
>>> Quoting Jacques Le Roux <ja...@les7arts.com>:
>>>
>>>> Adrian Crum wrote:
>>>>> On 12/9/2012 2:59 PM, jleroux@apache.org wrote:
>>>>>> Author: jleroux
>>>>>> Date: Sun Dec 9 14:59:52 2012
>>>>>> New Revision: 1418996
>>>>>>
>>>>>> URL: http://svn.apache.org/viewvc?rev=1418996&view=rev
>>>>>> Log:
>>>>>> A slightly modified patch from Sumit Pandit for "Additional
>>>>>> Validation for Password : Make password pattern driven"
>>>>>> https://issues.apache.org/jira/browse/OFBIZ-4958
>>>>>>
>>>>>> Provides an additional validation for password with following
>>>>>> capability to the system:
>>>>>>
>>>>>> Admin can enable/disable pattern based password capability of
>>>>>> system. Configuration will reside in security.property file.
>>>>>> To enable : security.login.password.pattern.enable=true
>>>>>> To disable: security.login.password.pattern.enable=false
>>>>>>
>>>>>> Admin is flexible to provide his pattern string by making pattern
>>>>>> more/less restrictive as per system requirement. Configuration
>>>>>> will reside in security.property file. Example:
>>>>>> security.login.password.pattern=^.*(?=.
>>>>>> {5,})(?=.[a-zA-Z])(?=.[!@#$%^&*]).*$
>>>>>>
>>>>>> Admin can provide custom error message string which will display
>>>>>> to end user if wrong password is entered. Configuration will
>>>>>> reside in security.properity file.
>>>>>>
>>>>>> jleroux: I quickly handled the error message localisation for the
>>>>>> OOTB case. It's more complicated when the pattern gets
>>>>>> complex...
>>>>>>
>>>>>> Modified:
>>>>>> ofbiz/trunk/framework/common/config/SecurityextUiLabels.xml
>>>>>>
>>>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>>>
>>>>>> ofbiz/trunk/framework/security/config/security.properties
>>>>>>
>>>>> Modified:
>>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>>
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=1418996&r1=1418995&r2=1418996&view=diff
>>>>>
>>>>> ==============================================================================
>>>>>
>>>>> ---
>>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>>
>>>>> (original) +++
>>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>>
>>>>> Sun Dec 9 14:59:52 2012 @@ -23,6 +23,8 @@ import java.sql.Timestamp;
>>>>> import java.util.List; import java.util.Locale; import java.util.Map;
>>>>> +import java.util.regex.Matcher; +import java.util.regex.Pattern;
>>>>> import
>>>>> javax.transaction.Transaction; @@ -62,6 +64,8 @@ public class
>>>>> LoginServices { public static final String module =
>>>>> LoginServices.class.getName(); public static final String resource =
>>>>> "SecurityextUiLabels"; + public static boolean usePasswordPattern =
>>>>> "true".equals(UtilProperties.getPropertyValue("security.properties",
>>>>> "security.login.password.pattern.enable")); + public static String
>>>>> passwordPattern =
>>>>> UtilProperties.getPropertyValue("security.properties",
>>>>> "security.login.password.pattern");
>>>>>
>>>>>
>>>>> Please do not store property values in static class fields - that
>>>>> makes
>>>>> it impossible to change the settings at run-time.
>>>>>
>>>>> -Adrian
>>>> Sorry it's a bit more involved than expected for this morning, could
>>>> you please adapt it to follow your need?
>>>> Just curious, are you using PropertyUtils class of Apache commons
>>>> beanutils to modify properties of Java object at runtime?
>>>>
>>>> Read more:
>>>> http://javarevisited.blogspot.com/2012/04/java-propertyutils-example-getting-and.html#ixzz2Ej9FUJIY
>>>>
>>>>
>>> No, I use a text editor to modify the properties file.
>> And then you go to /webtools/ and clear a cache item, and expect
>> anything that has previously read the .properties file to get the new
>> value.
>>
>> The way this code is written, is that the value will be read *once*
>> when the class is loaded, and then no new value will ever be read.
>>
>> (this is not directed at Adrian)
>
> Thanks Adam.
>
> -Adrian
Ha yes indeed, forgot properties are also cached in OFBiz.
OK, clearing all properties.UtilProperties*Cache is enough.
I will have a new look when I will get a chance, it needs some refactoring...
There are a handful of others but none of them seem important
Jacques
Re: svn commit: r1418996 - in /ofbiz/trunk/framework: common/config/SecurityextUiLabels.xml
common/src/org/ofbiz/common/login/LoginServices.java security/config/security.properties
Posted by Adrian Crum <ad...@sandglass-software.com>.
On 12/11/2012 6:34 PM, Adam Heath wrote:
> On 12/11/2012 03:46 AM, adrian.crum@sandglass-software.com wrote:
>> Quoting Jacques Le Roux <ja...@les7arts.com>:
>>
>>> Adrian Crum wrote:
>>>> On 12/9/2012 2:59 PM, jleroux@apache.org wrote:
>>>>> Author: jleroux
>>>>> Date: Sun Dec 9 14:59:52 2012
>>>>> New Revision: 1418996
>>>>>
>>>>> URL: http://svn.apache.org/viewvc?rev=1418996&view=rev
>>>>> Log:
>>>>> A slightly modified patch from Sumit Pandit for "Additional
>>>>> Validation for Password : Make password pattern driven"
>>>>> https://issues.apache.org/jira/browse/OFBIZ-4958
>>>>>
>>>>> Provides an additional validation for password with following
>>>>> capability to the system:
>>>>>
>>>>> Admin can enable/disable pattern based password capability of
>>>>> system. Configuration will reside in security.property file.
>>>>> To enable : security.login.password.pattern.enable=true
>>>>> To disable: security.login.password.pattern.enable=false
>>>>>
>>>>> Admin is flexible to provide his pattern string by making pattern
>>>>> more/less restrictive as per system requirement. Configuration
>>>>> will reside in security.property file. Example:
>>>>> security.login.password.pattern=^.*(?=.
>>>>> {5,})(?=.[a-zA-Z])(?=.[!@#$%^&*]).*$
>>>>>
>>>>> Admin can provide custom error message string which will display
>>>>> to end user if wrong password is entered. Configuration will
>>>>> reside in security.properity file.
>>>>>
>>>>> jleroux: I quickly handled the error message localisation for the
>>>>> OOTB case. It's more complicated when the pattern gets
>>>>> complex...
>>>>>
>>>>> Modified:
>>>>> ofbiz/trunk/framework/common/config/SecurityextUiLabels.xml
>>>>>
>>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>>
>>>>> ofbiz/trunk/framework/security/config/security.properties
>>>>>
>>>> Modified:
>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=1418996&r1=1418995&r2=1418996&view=diff
>>>>
>>>> ==============================================================================
>>>>
>>>> ---
>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>
>>>> (original) +++
>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>
>>>> Sun Dec 9 14:59:52 2012 @@ -23,6 +23,8 @@ import java.sql.Timestamp;
>>>> import java.util.List; import java.util.Locale; import java.util.Map;
>>>> +import java.util.regex.Matcher; +import java.util.regex.Pattern;
>>>> import
>>>> javax.transaction.Transaction; @@ -62,6 +64,8 @@ public class
>>>> LoginServices { public static final String module =
>>>> LoginServices.class.getName(); public static final String resource =
>>>> "SecurityextUiLabels"; + public static boolean usePasswordPattern =
>>>> "true".equals(UtilProperties.getPropertyValue("security.properties",
>>>> "security.login.password.pattern.enable")); + public static String
>>>> passwordPattern =
>>>> UtilProperties.getPropertyValue("security.properties",
>>>> "security.login.password.pattern");
>>>>
>>>>
>>>> Please do not store property values in static class fields - that
>>>> makes
>>>> it impossible to change the settings at run-time.
>>>>
>>>> -Adrian
>>> Sorry it's a bit more involved than expected for this morning, could
>>> you please adapt it to follow your need?
>>> Just curious, are you using PropertyUtils class of Apache commons
>>> beanutils to modify properties of Java object at runtime?
>>>
>>> Read more:
>>> http://javarevisited.blogspot.com/2012/04/java-propertyutils-example-getting-and.html#ixzz2Ej9FUJIY
>>>
>>>
>> No, I use a text editor to modify the properties file.
> And then you go to /webtools/ and clear a cache item, and expect
> anything that has previously read the .properties file to get the new
> value.
>
> The way this code is written, is that the value will be read *once*
> when the class is loaded, and then no new value will ever be read.
>
> (this is not directed at Adrian)
Thanks Adam.
-Adrian
Re: svn commit: r1418996 - in /ofbiz/trunk/framework: common/config/SecurityextUiLabels.xml
common/src/org/ofbiz/common/login/LoginServices.java security/config/security.properties
Posted by Adam Heath <do...@brainfood.com>.
On 12/11/2012 03:46 AM, adrian.crum@sandglass-software.com wrote:
> Quoting Jacques Le Roux <ja...@les7arts.com>:
>
>> Adrian Crum wrote:
>>> On 12/9/2012 2:59 PM, jleroux@apache.org wrote:
>>>> Author: jleroux
>>>> Date: Sun Dec 9 14:59:52 2012
>>>> New Revision: 1418996
>>>>
>>>> URL: http://svn.apache.org/viewvc?rev=1418996&view=rev
>>>> Log:
>>>> A slightly modified patch from Sumit Pandit for "Additional
>>>> Validation for Password : Make password pattern driven"
>>>> https://issues.apache.org/jira/browse/OFBIZ-4958
>>>>
>>>> Provides an additional validation for password with following
>>>> capability to the system:
>>>>
>>>> Admin can enable/disable pattern based password capability of
>>>> system. Configuration will reside in security.property file.
>>>> To enable : security.login.password.pattern.enable=true
>>>> To disable: security.login.password.pattern.enable=false
>>>>
>>>> Admin is flexible to provide his pattern string by making pattern
>>>> more/less restrictive as per system requirement. Configuration
>>>> will reside in security.property file. Example:
>>>> security.login.password.pattern=^.*(?=.
>>>> {5,})(?=.[a-zA-Z])(?=.[!@#$%^&*]).*$
>>>>
>>>> Admin can provide custom error message string which will display
>>>> to end user if wrong password is entered. Configuration will
>>>> reside in security.properity file.
>>>>
>>>> jleroux: I quickly handled the error message localisation for the
>>>> OOTB case. It's more complicated when the pattern gets
>>>> complex...
>>>>
>>>> Modified:
>>>> ofbiz/trunk/framework/common/config/SecurityextUiLabels.xml
>>>>
>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>
>>>> ofbiz/trunk/framework/security/config/security.properties
>>>>
>>>
>>> Modified:
>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=1418996&r1=1418995&r2=1418996&view=diff
>>>
>>> ==============================================================================
>>>
>>> ---
>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>
>>> (original) +++
>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>
>>> Sun Dec 9 14:59:52 2012 @@ -23,6 +23,8 @@ import java.sql.Timestamp;
>>> import java.util.List; import java.util.Locale; import java.util.Map;
>>> +import java.util.regex.Matcher; +import java.util.regex.Pattern;
>>> import
>>> javax.transaction.Transaction; @@ -62,6 +64,8 @@ public class
>>> LoginServices { public static final String module =
>>> LoginServices.class.getName(); public static final String resource =
>>> "SecurityextUiLabels"; + public static boolean usePasswordPattern =
>>> "true".equals(UtilProperties.getPropertyValue("security.properties",
>>> "security.login.password.pattern.enable")); + public static String
>>> passwordPattern =
>>> UtilProperties.getPropertyValue("security.properties",
>>> "security.login.password.pattern");
>>>
>>>
>>> Please do not store property values in static class fields - that
>>> makes
>>> it impossible to change the settings at run-time.
>>>
>>> -Adrian
>>
>> Sorry it's a bit more involved than expected for this morning, could
>> you please adapt it to follow your need?
>> Just curious, are you using PropertyUtils class of Apache commons
>> beanutils to modify properties of Java object at runtime?
>>
>> Read more:
>> http://javarevisited.blogspot.com/2012/04/java-propertyutils-example-getting-and.html#ixzz2Ej9FUJIY
>>
>>
>
> No, I use a text editor to modify the properties file.
And then you go to /webtools/ and clear a cache item, and expect
anything that has previously read the .properties file to get the new
value.
The way this code is written, is that the value will be read *once*
when the class is loaded, and then no new value will ever be read.
(this is not directed at Adrian)
Re: svn commit: r1418996 - in /ofbiz/trunk/framework:
common/config/SecurityextUiLabels.xml
common/src/org/ofbiz/common/login/LoginServices.java
security/config/security.properties
Posted by ad...@sandglass-software.com.
Quoting Jacques Le Roux <ja...@les7arts.com>:
> Adrian Crum wrote:
>> On 12/9/2012 2:59 PM, jleroux@apache.org wrote:
>>> Author: jleroux
>>> Date: Sun Dec 9 14:59:52 2012
>>> New Revision: 1418996
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1418996&view=rev
>>> Log:
>>> A slightly modified patch from Sumit Pandit for "Additional
>>> Validation for Password : Make password pattern driven"
>>> https://issues.apache.org/jira/browse/OFBIZ-4958
>>>
>>> Provides an additional validation for password with following
>>> capability to the system:
>>>
>>> Admin can enable/disable pattern based password capability of
>>> system. Configuration will reside in security.property file.
>>> To enable : security.login.password.pattern.enable=true
>>> To disable: security.login.password.pattern.enable=false
>>>
>>> Admin is flexible to provide his pattern string by making pattern
>>> more/less restrictive as per system requirement. Configuration
>>> will reside in security.property file. Example:
>>> security.login.password.pattern=^.*(?=.
>>> {5,})(?=.[a-zA-Z])(?=.[!@#$%^&*]).*$
>>>
>>> Admin can provide custom error message string which will display
>>> to end user if wrong password is entered. Configuration will
>>> reside in security.properity file.
>>>
>>> jleroux: I quickly handled the error message localisation for the
>>> OOTB case. It's more complicated when the pattern gets
>>> complex...
>>>
>>> Modified:
>>> ofbiz/trunk/framework/common/config/SecurityextUiLabels.xml
>>>
>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>> ofbiz/trunk/framework/security/config/security.properties
>>>
>>
>> Modified:
>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>> URL:
>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=1418996&r1=1418995&r2=1418996&view=diff
>> ==============================================================================
>> ---
>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>> (original) +++
>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>> Sun Dec 9 14:59:52 2012 @@ -23,6 +23,8 @@ import java.sql.Timestamp;
>> import java.util.List; import java.util.Locale; import java.util.Map;
>> +import java.util.regex.Matcher; +import java.util.regex.Pattern; import
>> javax.transaction.Transaction; @@ -62,6 +64,8 @@ public class
>> LoginServices { public static final String module =
>> LoginServices.class.getName(); public static final String resource =
>> "SecurityextUiLabels"; + public static boolean usePasswordPattern =
>> "true".equals(UtilProperties.getPropertyValue("security.properties",
>> "security.login.password.pattern.enable")); + public static String
>> passwordPattern = UtilProperties.getPropertyValue("security.properties",
>> "security.login.password.pattern");
>>
>>
>> Please do not store property values in static class fields - that makes
>> it impossible to change the settings at run-time.
>>
>> -Adrian
>
> Sorry it's a bit more involved than expected for this morning, could
> you please adapt it to follow your need?
> Just curious, are you using PropertyUtils class of Apache commons
> beanutils to modify properties of Java object at runtime?
>
> Read more:
> http://javarevisited.blogspot.com/2012/04/java-propertyutils-example-getting-and.html#ixzz2Ej9FUJIY
>
No, I use a text editor to modify the properties file.
-Adrian
Re: svn commit: r1418996 - in /ofbiz/trunk/framework:
common/config/SecurityextUiLabels.xml
common/src/org/ofbiz/common/login/LoginServices.java
security/config/security.properties
Posted by Jacques Le Roux <ja...@les7arts.com>.
Adrian Crum wrote:
> On 12/9/2012 2:59 PM, jleroux@apache.org wrote:
>> Author: jleroux
>> Date: Sun Dec 9 14:59:52 2012
>> New Revision: 1418996
>>
>> URL: http://svn.apache.org/viewvc?rev=1418996&view=rev
>> Log:
>> A slightly modified patch from Sumit Pandit for "Additional Validation for Password : Make password pattern driven"
>> https://issues.apache.org/jira/browse/OFBIZ-4958
>>
>> Provides an additional validation for password with following capability to the system:
>>
>> Admin can enable/disable pattern based password capability of system. Configuration will reside in security.property file.
>> To enable : security.login.password.pattern.enable=true
>> To disable: security.login.password.pattern.enable=false
>>
>> Admin is flexible to provide his pattern string by making pattern more/less restrictive as per system requirement. Configuration
>> will reside in security.property file. Example: security.login.password.pattern=^.*(?=. {5,})(?=.[a-zA-Z])(?=.[!@#$%^&*]).*$
>>
>> Admin can provide custom error message string which will display to end user if wrong password is entered. Configuration will
>> reside in security.properity file.
>>
>> jleroux: I quickly handled the error message localisation for the OOTB case. It's more complicated when the pattern gets
>> complex...
>>
>> Modified:
>> ofbiz/trunk/framework/common/config/SecurityextUiLabels.xml
>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>> ofbiz/trunk/framework/security/config/security.properties
>>
>
> Modified:
> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
> URL:
> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=1418996&r1=1418995&r2=1418996&view=diff
> ==============================================================================
> ---
> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
> (original) +++
> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
> Sun Dec 9 14:59:52 2012 @@ -23,6 +23,8 @@ import java.sql.Timestamp;
> import java.util.List; import java.util.Locale; import java.util.Map;
> +import java.util.regex.Matcher; +import java.util.regex.Pattern; import
> javax.transaction.Transaction; @@ -62,6 +64,8 @@ public class
> LoginServices { public static final String module =
> LoginServices.class.getName(); public static final String resource =
> "SecurityextUiLabels"; + public static boolean usePasswordPattern =
> "true".equals(UtilProperties.getPropertyValue("security.properties",
> "security.login.password.pattern.enable")); + public static String
> passwordPattern = UtilProperties.getPropertyValue("security.properties",
> "security.login.password.pattern");
>
>
> Please do not store property values in static class fields - that makes
> it impossible to change the settings at run-time.
>
> -Adrian
Sorry it's a bit more involved than expected for this morning, could you please adapt it to follow your need?
Just curious, are you using PropertyUtils class of Apache commons beanutils to modify properties of Java object at runtime?
Read more: http://javarevisited.blogspot.com/2012/04/java-propertyutils-example-getting-and.html#ixzz2Ej9FUJIY
Jacques