Ben, Thanks for the fast fix! Hmmm, I'm a bit disappointed, because I wanted to propose the same fix to you. I have made it, rebuilt my acegi-security.jar, placed it into the container, tried to run it and it doesn't help :(( I'm still a Java rookie. :-/
(just a note to our GUI thread: my GUI is Tapestry, so I cannot use JGoodies at the moment.) Best regards, Karel ----- Original Message ----- From: "Ben Alex" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, June 08, 2004 2:58 PM Subject: RE: [Acegisecurity-developer] DaoAuthenticationProvider doesn't work with passwordEncoder in 0.51 > > > try this: In your Contacts example application I have done > > those changes in > > applicationContext.xml: > > > > 1) changed the password of marrisa to be MD5 encrypted > > 2) added passwordEncoder bean > > 3) used this passwordEncoder in daoAuthenticationProvider > > Hi Karel > > Yes, indeed it is a bug in 0.51. > > I have committed the required fix to CVS. It is not a security risk, but it > does mean people using encoded passwords will need to upgrade. The change is > very simple for those wanting to avoid doing a full CVS checkout: > > *** DaoAuthenticationProvider.java 31 May 2004 04:39:00 -0000 1.11 > --- DaoAuthenticationProvider.java 8 Jun 2004 12:54:41 -0000 1.12 > *************** > *** 195,200 **** > } > > return new UsernamePasswordAuthenticationToken(user.getUsername(), > ! user.getPassword(), user.getAuthorities()); > } > > --- 195,202 ---- > } > > + // Ensure we return the original credentials the user supplied, > + // so subsequent attempts are successful even with encoded > + passwords > return new UsernamePasswordAuthenticationToken(user.getUsername(), > ! authentication.getCredentials(), user.getAuthorities()); > } > > > To ensure this bug doesn't resurface in the future, I've modified the > relevant test and also changed the main Contacts sample WAR to use MD5 > encoded passwords. Thus both the normal unit tests along with the > integration tests (which I run prior to an official release) will ensure > encoded passwords operate correctly. > > Thanks for reporting the issue. 
> > Ben > > > > ------------------------------------------------------- > This SF.Net email is sponsored by: GNOME Foundation > Hackers Unite! GUADEC: The world's #1 Open Source Desktop Event. > GNOME Users and Developers European Conference, 28-30th June in Norway > http://2004/guadec.org > _______________________________________________ > Acegisecurity-developer mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
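Review bot: In the 195,202 hunk the third added comment line reads `+ passwords` with no `//` prefix, apparently wrapped by the mail client, so the patch as mailed will not compile if applied verbatim; fold `passwords` back onto the preceding `//` line. That comment should also say that the returned token now carries `authentication.getCredentials()`, the value the user supplied, rather than `user.getPassword()`, so with a passwordEncoder configured anything that stores or logs the token holds the unencoded password.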