Posted to jetspeed-dev@portals.apache.org by "Jaq Marit (JIRA)" <je...@portals.apache.org> on 2005/04/29 09:22:14 UTC
[jira] Commented: (JS1-516) UserUpdateAction re-encrypts encrypted password when secure.passwords=true
[ http://issues.apache.org/jira/browse/JS1-516?page=comments#action_64039 ]
Jaq Marit commented on JS1-516:
-------------------------------
This has been a bug since 1.5. I believe this is critical as many Jetspeed users out there want to encrypt their users' passwords. I hope this will make it into the JS1.6 release.
I have applied Arthur's patch, with minor fixes (UserUpdateAction.java). The only thing I find unusual in the patch is the use of the field strOriginalPassword. I wonder if there's a better way to handle this. However, it works for me.
The patch has been tested with the latest JS1.6-dev from CVS HEAD as of 29 April 2005, with JDK 1.4.2 and 1.5, Tomcat 5.0.28 and 5.5. I've tested the functionality with services.JetspeedSecurity.secure.passwords=true, and also with it set back to false, and it did not break current functionality. Below is the patch I applied.
UserUpdateAction.java
=====================
394a395
> String strOriginalPassword="";
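Review bot: `strOriginalPassword` starts as the empty string, so on any path where the assignment at 402a404 is not reached (or `user.getPassword()` returns null) the restore at 424a427 would silently store "" as the password instead of leaving the stored value alone; initialize it to null and skip the `setPassword` call when it is still null.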
402a404
> strOriginalPassword = user.getPassword();
424a427
> user.setPassword(strOriginalPassword);
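Review bot: `user.setPassword(strOriginalPassword)` unconditionally discards whatever the form submitted and relies entirely on the comparison added in TurbineUserManagement to detect a real password change; a comment stating that dependency belongs on this line, because read in isolation it looks like it makes password changes impossible.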
426a430,431
> logger.debug("User password now set to " + user.getPassword());
>
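Review bot: `logger.debug("User password now set to " + user.getPassword())` writes the credential itself to the log (plaintext when secure.passwords=false, the stored encrypted value otherwise); log the user name and a changed/unchanged flag instead of the value. The extra empty line added at 431 can also be dropped.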
TurbineUserManagement.java
==========================
454a455,462
>
> // Compare the old and new, if they are equal, store as is,
> // otherwise go through encryptPassword
> if(user.getPassword().equalsIgnoreCase(password)) {
> logger.debug("Same, setting new password to: " + password);
> user.setPassword(password);
> } else {
> logger.debug("Change password, setting new password to: " + password);
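Review bot: `user.getPassword().equalsIgnoreCase(password)` throws NullPointerException when the stored password is null, and a case-insensitive comparison is the wrong test for "the form echoed the stored value back unchanged" (a submitted value differing only in case from the stored one would be written without going through encryptPassword); use a null-safe `equals`. Both debug messages also append the password to the log line, and the one in the else branch is the new plaintext before encryption, so drop the value from the message and log only that a change was detected.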
455a464
> }
> UserUpdateAction re-encrypts encrypted password when secure.passwords=true
> --------------------------------------------------------------------------
>
> Key: JS1-516
> URL: http://issues.apache.org/jira/browse/JS1-516
> Project: Jetspeed
> Type: Bug
> Components: Security
> Versions: 1.5
> Environment: Database: Postgres
> JVM: J2DSK 1.4.02_04
> OS: Redhat 9.x/Windows XPSP2
> Reporter: Arthur D'Alessandro
>
> UserUpdateAction re-encrypts encrypted password when secure.passwords=true
> Thus making the edit user capability unusable unless the purpose was to also reset the password.
> I've been throwing around something simple, such as:
> services.JetspeedSecurity.secure.passwords.allowblank=true|false
> UserUpdateAction.doUpdate: Null password is ok, depending on
> if secure.passwords=true {
>     if (password != null) {
>         forcePassword(user,password)
>     } else {
>         if secure.passwords.allowblank {
>             if (unsetpassword) {
>                 forcePassword(user,"")
>             }
>         } else {
>             // Skip, no changes
>         }
>     }
> }
> Modify user-form.vm, add a checkbox next to password (if secure.passwords.allowblank=true) eg, Unset Password
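An added illustration of the double-encryption the issue describes and of the "empty field means unchanged" rule proposed above; this is example code, not Jetspeed's, and it assumes a SHA-256 hex digest as a stand-in for JetspeedSecurity.encryptPassword (the real algorithm is not shown on this page).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class PasswordUpdateExample {

    /** Stand-in (assumption) for JetspeedSecurity.encryptPassword: one-way digest, hex encoded. */
    static String encryptPassword(String plain) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(plain.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** JS1-516 flow: the edit form echoes the stored (already encrypted) value back,
     *  and the update encrypts whatever it received, so the hash is hashed again. */
    static String updateBuggy(String stored, String formValue, boolean securePasswords) {
        return securePasswords ? encryptPassword(formValue) : formValue;
    }

    /** Corrected flow: the hash is never round-tripped through the form. A null or
     *  empty field means "leave the credential alone"; any other value is a new
     *  plaintext password and is encrypted exactly once. */
    static String updateFixed(String stored, String formValue, boolean securePasswords) {
        if (formValue == null || formValue.isEmpty()) {
            return stored;   // no password change requested
        }
        return securePasswords ? encryptPassword(formValue) : formValue;
    }

    public static void main(String[] args) {
        String stored = encryptPassword("s3cret");   // constructed sample of what the DB holds

        // Bug: form pre-filled with the hash, admin edits an unrelated field; login now fails.
        String afterBuggy = updateBuggy(stored, stored, true);
        System.out.println("buggy update changed the stored hash: " + !afterBuggy.equals(stored));

        // Fix: password field left blank, stored hash untouched.
        String afterBlank = updateFixed(stored, "", true);
        System.out.println("fixed update kept the stored hash:    " + afterBlank.equals(stored));

        // Fix: a real reset is encrypted once and matches a fresh digest of the new password.
        String afterReset = updateFixed(stored, "newpw", true);
        System.out.println("reset encrypted exactly once:         " + afterReset.equals(encryptPassword("newpw")));
    }
}
```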