Posted to dev@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2010/03/04 10:10:32 UTC
[jira] Updated: (JCR-2527) Fix and simplify CryptedSimpleCredentials
[ https://issues.apache.org/jira/browse/JCR-2527?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
angela updated JCR-2527:
------------------------
Fix Version/s: 2.1.0 (was: 2.0.1)
> Fix and simplify CryptedSimpleCredentials
> -----------------------------------------
>
> Key: JCR-2527
> URL: https://issues.apache.org/jira/browse/JCR-2527
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-core
> Affects Versions: 2.0.0
> Reporter: angela
> Assignee: angela
> Fix For: 2.1.0
>
>
> the credentials retrieved from UserImpl and used to validate the simplecredentials passed to the repository login is overly complex
> and buggy as it tries to match all kinds of credentials variants with and without hashed password.
> in particular it contains the following problems:
> - simplecredentials containing the hashed pw are considered valid
> - passwords starting with {something} cause inconsistencies and may even prevent the user from logging in
> it should be improved as follows:
> - simplecredentials are always expected to contain the plain text password both for creation and
> comparison with the cryptedsimplecredentials.
> - creating cryptedsimplecredentials from uid/pw however is left unchanged: the specified pw is
> hashed with the default algorithm if it turns out not to be in the hashed format.
> - in addition the pw should also be hashed if it has the form {something}whatever but something
> is an invalid algorithm.
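The behaviour proposed in the issue above, as an added sketch that is not part of the original message and is not Jackrabbit's code: the class name, method names and the SHA-256 default are assumptions made for this illustration. The stored value is always "{algorithm}hexdigest", a "{something}" prefix naming an invalid algorithm is treated as part of a plain text password, and the password supplied at login is always hashed before comparison, so a replayed stored hash does not match.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added illustration; class and method names are hypothetical, not Jackrabbit's API.
public class CryptedPasswordSketch {
    static final String DEFAULT_ALGORITHM = "SHA-256"; // assumed default for this sketch
    private final String stored;                       // always "{algorithm}hexdigest"

    CryptedPasswordSketch(String pw) throws NoSuchAlgorithmException {
        // Keep pw as-is only if it is "{alg}..." with a usable algorithm; otherwise
        // (no prefix, or "{something}" that is not an algorithm) hash it.
        this.stored = (algorithmOf(pw) != null) ? pw : hash(DEFAULT_ALGORITHM, pw);
    }

    /** Returns the algorithm named in a "{alg}..." prefix, or null if absent or invalid. */
    static String algorithmOf(String pw) {
        int end = pw.indexOf('}');
        if (!pw.startsWith("{") || end < 2) return null;
        String alg = pw.substring(1, end);
        try {
            MessageDigest.getInstance(alg);
            return alg;
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    static String hash(String alg, String plain) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance(alg).digest(plain.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder("{" + alg + "}");
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Login input is always treated as plain text and hashed before comparison. */
    boolean matches(String loginPassword) throws NoSuchAlgorithmException {
        String candidate = hash(algorithmOf(stored), loginPassword);
        return MessageDigest.isEqual(candidate.getBytes(StandardCharsets.UTF_8),
                                     stored.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        CryptedPasswordSketch c = new CryptedPasswordSketch("{oops}secret"); // constructed sample
        System.out.println(c.matches("{oops}secret")); // the plain text password
        System.out.println(c.matches(c.stored));       // the stored hash replayed as a password
    }
}
```

Run stand-alone, the first check succeeds and the second fails, which is the pair of outcomes the issue asks for.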