> try this: In your Contacts example application I have done
> those changes in
> applicationContext.xml:
>
> 1) changed the password of marrisa to be MD5 encrypted
> 2) added passwordEncoder bean
> 3) used this passwordEncoder in daoAuthenticationProvider
Hi Karel

Yes, indeed it is a bug in 0.51. I have committed the required fix to CVS. It is not a security risk, but it does mean people using encoded passwords will need to upgrade. The change is very simple for those wanting to avoid doing a full CVS checkout:

*** DaoAuthenticationProvider.java 31 May 2004 04:39:00 -0000 1.11 --- DaoAuthenticationProvider.java 8 Jun 2004 12:54:41 -0000 1.12 *************** *** 195,200 **** } return new UsernamePasswordAuthenticationToken(user.getUsername(), ! user.getPassword(), user.getAuthorities()); } --- 195,202 ---- } + // Ensure we return the original credentials the user supplied, + // so subsequent attempts are successful even with encoded + passwords return new UsernamePasswordAuthenticationToken(user.getUsername(), ! authentication.getCredentials(), user.getAuthorities()); }

To ensure this bug doesn't resurface in the future, I've modified the relevant test and also changed the main Contacts sample WAR to use MD5 encoded passwords. Thus both the normal unit tests along with the integration tests (which I run prior to an official release) will ensure encoded passwords operate correctly.

Thanks for reporting the issue.

Ben

_______________________________________________
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
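Review bot: the hunk header `--- 195,202 ----` accounts for two added lines, but three `+` lines are shown, and the third, `+ passwords`, has no `//` prefix; as pasted it would not compile, so it is most likely a mail-client wrap of the second comment line (`+ // so subsequent attempts are successful even with encoded passwords`). Anyone applying the change by hand should rejoin that comment rather than add a bare `passwords` line. On the substance: switching the returned token from `user.getPassword()` to `authentication.getCredentials()` means the token carries the password exactly as the user supplied it rather than the stored MD5 hash, which is what lets re-authentication of an existing token pass through the encoder; it also means the cleartext credential stays inside the returned Authentication object for as long as that object is retained, so whoever holds it should consider clearing the credentials once they are no longer needed.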
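Why the token has to carry the user's original credentials rather than the stored hash, as an added example that is not Acegi's code and not part of the original thread: a minimal DAO-style provider with an MD5 password encoder is shown twice, once returning the stored (encoded) password in the result token, as 0.51 did, and once returning the supplied credentials, as the fix does. Re-authenticating the first token hashes the hash and fails; re-authenticating the second succeeds. The class, token type, user name and password below are all constructed for this illustration; MD5 is used only because that is the encoder the thread discusses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

// Hypothetical stand-in for a DAO-backed provider wired to a password encoder.
public class EncodedCredentialsDemo {

    /** Minimal authentication token: a principal plus whatever credentials it carries. */
    record Token(String username, String credentials) {}

    /** MD5 hex encoder, mirroring the kind of PasswordEncoder the Contacts sample switched to. */
    static String md5Hex(String raw) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(raw.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Constructed user store: username -> MD5 of the real password (sample data, not Acegi's). */
    static final Map<String, String> USERS = Map.of("sampleuser", md5Hex("samplepassword"));

    /** Provider check: encode the supplied credentials and compare with the stored hash. */
    static boolean credentialsMatch(Token t) {
        String stored = USERS.get(t.username());
        return stored != null && stored.equals(md5Hex(t.credentials()));
    }

    /** 0.51 behaviour: the returned token carries the stored, already-encoded password. */
    static Token authenticateBuggy(Token request) {
        if (!credentialsMatch(request)) throw new IllegalArgumentException("bad credentials");
        return new Token(request.username(), USERS.get(request.username()));
    }

    /** Fixed behaviour: the returned token carries the credentials the user actually supplied. */
    static Token authenticateFixed(Token request) {
        if (!credentialsMatch(request)) throw new IllegalArgumentException("bad credentials");
        return new Token(request.username(), request.credentials());
    }

    public static void main(String[] args) {
        Token login = new Token("sampleuser", "samplepassword");

        // First pass: both variants accept the login.
        Token buggy = authenticateBuggy(login);
        Token fixed = authenticateFixed(login);

        // Second pass: feed each returned token back through the provider, as happens
        // when an already-authenticated token is checked again on a later request.
        // The buggy token now holds md5(password), so the encoder computes md5(md5(password)),
        // which never matches the stored md5(password).
        System.out.println("re-auth of 0.51-style token: " + credentialsMatch(buggy)); // false
        System.out.println("re-auth of fixed token:      " + credentialsMatch(fixed)); // true
    }
}
```

The same double-encoding failure appears with any one-way encoder, not just MD5, which is why the fix is independent of the algorithm chosen; it is also why the repaired token holds the cleartext credential, a trade-off worth knowing about when deciding how long to keep such tokens around.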