OK, I did some searching around (gmane, cvs) and discovered that this bug had been discovered and fixed after 0.51 (the release I'm using). Sorry for all the noise. :-)
- Andy

On Thursday 08 July 2004 02:36 pm, Andy Depue wrote:
> It appears that when DaoAuthenticationProvider creates a
> UsernamePasswordAuthenticationToken, it passes in the password from the
> User object returned from the DAO. This password is coming straight from
> the DB in my case, and is already SHA encoded. So, we now have an
> authentication token that contains an encoded password. The first time the
> user is authenticated, things seem to work (since the Authentication object
> passed into DaoAuthenticationProvider contains the raw password). However,
> DaoAuthenticationProvider then returns a new Authentication object that
> contains the encoded password (if you are using encoding, of course). This
> new object gets tucked away into the context. Upon later accesses, this
> new object is pulled out and again passed to DaoAuthenticationProvider.
> Now when DaoAuthenticationProvider checks the password, it ends up calling
> "isPasswordValid" passing in the encoded password for the rawPass
> parameter. The Sha encoder dutifully re-encodes this already encoded
> password, and things break. Is this a bug, or am I missing something?
> This could possibly have something to do with the fact that for some
> reason, in my setup anyway, after the user is authenticated, the
> isAuthenticated flag of the Authentication token is never set to true,
> thus forcing Acegi to reauthenticate the user with the authentication
> token that is stored in the context, which contains the already encoded
> password.
>
> Thanks,
> Andy

_______________________________________________
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
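
The failure described in the quoted report, as an added stand-alone Java model; it is not Acegi code and not from either message. The `Token` record, the `DB` map and the `keepPresented` switch are hypothetical, and the `keepPresented=true` path is one way to avoid the re-encoding, not necessarily how the project fixed it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

// Stand-alone model of the flow in the report; none of these are Acegi classes.
public class DoubleEncodeDemo {
    record Token(String principal, String credentials) {}

    // Constructed sample store: username -> hex SHA-1 of the password.
    static final Map<String, String> DB = Map.of("andy", sha("s3cret"));

    static String sha(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-1")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : d) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Same shape as the isPasswordValid call in the report: encode rawPass, compare.
    static boolean isPasswordValid(String encPass, String rawPass) {
        return MessageDigest.isEqual(encPass.getBytes(StandardCharsets.UTF_8),
                sha(rawPass).getBytes(StandardCharsets.UTF_8));
    }

    // keepPresented=false models the reported behaviour: the returned token
    // carries the stored (encoded) password. true keeps what the caller presented.
    static Token authenticate(Token in, boolean keepPresented) {
        String stored = DB.get(in.principal());
        if (stored == null || !isPasswordValid(stored, in.credentials())) return null;
        return new Token(in.principal(), keepPresented ? in.credentials() : stored);
    }

    public static void main(String[] args) {
        Token login = new Token("andy", "s3cret");
        Token buggy = authenticate(login, false);   // first pass: raw password presented
        System.out.println("first auth ok: " + (buggy != null));
        // Second pass re-hashes the stored hash, so the comparison cannot match.
        System.out.println("re-auth, encoded token: " + (authenticate(buggy, false) != null));
        Token kept = authenticate(login, true);
        System.out.println("re-auth, presented credentials kept: "
                + (authenticate(kept, true) != null));
    }
}
```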