Mark,

You need to be running a CVS version post the last 0.51 official release. This is a bug that was introduced around the 28th or 29th of May if I remember, and fixed about the 6th or so of June...

Colin


Mark St Godard wrote:



Hi Ben, Colin et al

I am configuring the JdbcDaoImpl and am having problems with the 2nd
authentication attempt:


Config snippet:

     <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
          <property name="authenticationDao"><ref bean="authenticationDao"/></property>
          <property name="userCache"><ref bean="userCache"/></property>
          <property name="saltSource"><ref bean="saltSource"/></property>
          <property name="passwordEncoder"><ref bean="passwordEncoder"/></property>
     </bean>

     <bean id="passwordEncoder" class="net.sf.acegisecurity.providers.encoding.Md5PasswordEncoder">
     </bean>


Problem that occurs is that the first authentication attempt is successful (passwords equal when debugging in Md5PasswordEncoder)

then I notice in the DaoAuthenticationManager the Authentication Token is
created.... like

  return new UsernamePasswordAuthenticationToken(user.getUsername(),
       user.getPassword(), user.getAuthorities());

At this point the  user.getPassword() ... is the MD5-encoded password...

then all further attempts to authenticate... try to encode the already
encoded password   (since Authentication token is cached)


My 2 questions are:

First, am I missing something? Like a configuration setting or otherwise?

Secondly, does the Authentication Token require to store the credentials
from the database or the credentials from the original request?
i.e.  clear text vs. md5 encoded


To get around this and to get it working, I did something like this in line 197

net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider

method -->  public Authentication authenticate(Authentication authentication)

// Mark St.Godard - should the encoded or clear text password be placed in the token?
//  return new UsernamePasswordAuthenticationToken(user.getUsername(),
//  user.getPassword(), user.getAuthorities());
   return new UsernamePasswordAuthenticationToken(user.getUsername(),
         authentication.getCredentials(), user.getAuthorities());


I am sure I am missing something.

Any advice is appreciated.

And yes Ben, I am running on Websphere 5.1  (but that shouldn't matter ....
this is standard Java stuff :)

Thanks in advance,

Mark



-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
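
The double-encoding failure described in the thread above, as an added example that is not part of the original messages and is not Acegi Security code. It is a simplified model: the class and method names are hypothetical, the password is a constructed sample, and the salt from the saltSource bean is left out.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Simplified model of the behaviour described in the thread (hypothetical names).
public class DoubleEncodingDemo {

    // Hex MD5 of the input, standing in for an unsalted MD5 password encoder.
    static String md5Hex(String s) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(s.getBytes(StandardCharsets.UTF_8));
            return String.format("%032x", new BigInteger(1, digest));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Provider-style check: encode whatever credentials the token carries,
    // then compare the result with the hash stored in the database.
    static boolean passwordMatches(String storedHash, String tokenCredentials) {
        return MessageDigest.isEqual(
                storedHash.getBytes(StandardCharsets.UTF_8),
                md5Hex(tokenCredentials).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String clearText = "example-password";   // constructed sample value
        String storedHash = md5Hex(clearText);   // what the DAO would load

        // First attempt: the token carries the clear text from the request.
        System.out.println("first attempt:  " + passwordMatches(storedHash, clearText));

        // Returned token built from user.getPassword(): credentials are the hash,
        // so the next check computes md5(md5(password)) and the comparison fails.
        System.out.println("second attempt, token holds stored hash:  "
                + passwordMatches(storedHash, storedHash));

        // Returned token built from authentication.getCredentials(): credentials
        // are still what the caller presented, so the next check succeeds.
        System.out.println("second attempt, token holds presented credentials:  "
                + passwordMatches(storedHash, clearText));
    }
}
```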





