Posted to dev@ofbiz.apache.org by Arnd Scharpegge <ar...@lynx.de> on 2008/05/26 18:23:47 UTC

Problems logging in / Error in LoginServices.java?

In the latest version of OFBiz, creating a UserLogin results in a 
currentPassword like this: "{SHA}607a966f5353c393...".

But checking this password in the LoginServices.java runs:

    if ((userLogin.get("currentPassword") != null &&
        (HashCrypt.removeHashTypePrefix(encodedPassword).equals(userLogin.getString("currentPassword")) ||
            HashCrypt.removeHashTypePrefix(encodedPasswordOldFunnyHexEncode).equals(userLogin.getString("currentPassword")) ||
            HashCrypt.removeHashTypePrefix(encodedPasswordUsingDbHashType).equals(userLogin.getString("currentPassword")) ||
            ("true".equals(UtilProperties.getPropertyValue("security.properties", "password.accept.encrypted.and.plain")) &&
                password.equals(userLogin.getString("currentPassword")))))) {
        Debug.logVerbose("[LoginServices.userLogin] : Password Matched", module);

By this, with "HashCrypt.removeHashTypePrefix(encodedPassword)" you drop
"{SHA}" from the encodedPassword, whereas the stored password in
"userLogin.getString("currentPassword")" always shows this sequence.

Should this condition therefore be extended by 
"encodedPassword.equals(userLogin.getString("currentPassword")) ||"? 
Resulting in:

    if ((userLogin.get("currentPassword") != null &&
        (encodedPassword.equals(userLogin.getString("currentPassword")) ||
            HashCrypt.removeHashTypePrefix(encodedPassword).equals(userLogin.getString("currentPassword")) ||
            HashCrypt.removeHashTypePrefix(encodedPasswordOldFunnyHexEncode).equals(userLogin.getString("currentPassword")) ||
            HashCrypt.removeHashTypePrefix(encodedPasswordUsingDbHashType).equals(userLogin.getString("currentPassword")) ||
            ("true".equals(UtilProperties.getPropertyValue("security.properties", "password.accept.encrypted.and.plain")) &&
                password.equals(userLogin.getString("currentPassword")))))) {
        Debug.logVerbose("[LoginServices.userLogin] : Password Matched", module);

A quick answer would be great.


Greetings

Arnd



Arnd Scharpegge
Diplom-Informatiker / M.A.
Consultant AEW
Agrenon GmbH
Johanniskirchplatz 6
33615 Bielefeld
Deutschland
Fon: +49 521 5247-0
Fax: +49 521 5247-250
Mobil: +49 170 91 93 216
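
The prefix mismatch described in the message above, as an added Java example that is not part of the original post and is not OFBiz code. The helper names, the SHA-1/hex encoding and the sample password are assumptions for illustration; it contrasts the one-sided strip from the quoted condition with a check that normalizes both values before a constant-time compare.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustration; class and method names are hypothetical, not OFBiz APIs.
public class HashPrefixDemo {

    // Returns "{SHA}<hex digest>", the stored form quoted in the post
    // (SHA-1 with hex output is an assumption about that format).
    static String encode(String password) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1")
                .digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder("{SHA}");
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Drops a leading "{...}" hash-type marker if one is present.
    static String stripPrefix(String value) {
        int end = value.indexOf('}');
        return (value.startsWith("{") && end > 0) ? value.substring(end + 1) : value;
    }

    // Shape of the quoted condition: only the candidate loses its prefix,
    // so it can never equal a stored value that still carries "{SHA}".
    static boolean oneSidedMatch(String candidate, String stored) {
        return stripPrefix(candidate).equals(stored);
    }

    // Normalizes both sides, then compares without an early exit on mismatch.
    static boolean normalizedMatch(String candidate, String stored) {
        return MessageDigest.isEqual(
                stripPrefix(candidate).getBytes(StandardCharsets.UTF_8),
                stripPrefix(stored).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String candidate = encode("constructed-password"); // constructed sample input
        String prefixedRow = encode("constructed-password"); // row stored with "{SHA}"
        String bareRow = stripPrefix(prefixedRow);           // assumed row stored without a prefix
        String otherRow = encode("another-password");        // different password

        System.out.println("one-sided,  prefixed row: " + oneSidedMatch(candidate, prefixedRow));
        System.out.println("one-sided,  bare row:     " + oneSidedMatch(candidate, bareRow));
        System.out.println("normalized, prefixed row: " + normalizedMatch(candidate, prefixedRow));
        System.out.println("normalized, bare row:     " + normalizedMatch(candidate, bareRow));
        System.out.println("normalized, wrong pass:   " + normalizedMatch(candidate, otherRow));
    }
}
```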


Re: Problems logging in / Error in LoginServices.java?

Posted by David E Jones <jo...@hotwaxmedia.com>.
Which revision are you using? If this is what it looks like, it has
already been fixed.

-David


On May 26, 2008, at 10:23 AM, Arnd Scharpegge wrote:

> In the latest version of OFBiz, creating a UserLogin results in a
> currentPassword like this: "{SHA}607a966f5353c393...".
>
> But checking this password in the LoginServices.java runs:
>
>     if ((userLogin.get("currentPassword") != null &&
>         (HashCrypt.removeHashTypePrefix(encodedPassword).equals(userLogin.getString("currentPassword")) ||
>             HashCrypt.removeHashTypePrefix(encodedPasswordOldFunnyHexEncode).equals(userLogin.getString("currentPassword")) ||
>             HashCrypt.removeHashTypePrefix(encodedPasswordUsingDbHashType).equals(userLogin.getString("currentPassword")) ||
>             ("true".equals(UtilProperties.getPropertyValue("security.properties", "password.accept.encrypted.and.plain")) &&
>                 password.equals(userLogin.getString("currentPassword")))))) {
>         Debug.logVerbose("[LoginServices.userLogin] : Password Matched", module);
>
> By this, with "HashCrypt.removeHashTypePrefix(encodedPassword)" you drop
> "{SHA}" from the encodedPassword, whereas the stored password in
> "userLogin.getString("currentPassword")" always shows this sequence.
>
> Should this condition therefore be extended by
> "encodedPassword.equals(userLogin.getString("currentPassword")) ||"?
> Resulting in:
>
>     if ((userLogin.get("currentPassword") != null &&
>         (encodedPassword.equals(userLogin.getString("currentPassword")) ||
>             HashCrypt.removeHashTypePrefix(encodedPassword).equals(userLogin.getString("currentPassword")) ||
>             HashCrypt.removeHashTypePrefix(encodedPasswordOldFunnyHexEncode).equals(userLogin.getString("currentPassword")) ||
>             HashCrypt.removeHashTypePrefix(encodedPasswordUsingDbHashType).equals(userLogin.getString("currentPassword")) ||
>             ("true".equals(UtilProperties.getPropertyValue("security.properties", "password.accept.encrypted.and.plain")) &&
>                 password.equals(userLogin.getString("currentPassword")))))) {
>         Debug.logVerbose("[LoginServices.userLogin] : Password Matched", module);
>
> A quick answer would be great.
>
>
> Greetings
>
> Arnd