You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jetspeed-dev@portals.apache.org by "David Sean Taylor (JIRA)" <je...@portals.apache.org> on 2014/12/20 02:36:13 UTC
[jira] [Updated] (JS2-1308) Disabled Password is never checked and
user can log in
[ https://issues.apache.org/jira/browse/JS2-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Sean Taylor updated JS2-1308:
-----------------------------------
Summary: Disabled Password is never checked and user can log in (was: New User Enabled is Never Checked)
> Disabled Password is never checked and user can log in
> ------------------------------------------------------
>
> Key: JS2-1308
> URL: https://issues.apache.org/jira/browse/JS2-1308
> Project: Jetspeed 2
> Issue Type: Bug
> Components: Security
> Affects Versions: 2.2.3, 2.3.0
> Reporter: David Sean Taylor
> Assignee: David Sean Taylor
> Fix For: 2.2.3, 2.3.0
>
>
> in our portal a new created user has to confirm it's password via email.
> So we set the password to NOT enabled after user creation:
> User user = userManager.getUser(userName);
> PasswordCredential pwc = userManager.getPasswordCredential(user);
> pwc.setEnabled(false);
> userManager.storePasswordCredential(pwc);
> But the user can immediately log in, although the password is disabled.
> I verified this in the database (security_credential.IS_ENABLED = 0).
> The bug seems to be in the
> UserPasswordCredentialManagerImpl.getAuthenticatedPasswordCredential
> where isEnabled() is never checked !
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org