Author: jleroux
Date: Mon May  9 18:53:40 2016
New Revision: 1743025

URL: http://svn.apache.org/viewvc?rev=1743025&view=rev
Log:
A patch from Amardeep Singh Jhajj for "New password set in forgot password workflow not works sometimes and gives error"
https://issues.apache.org/jira/browse/OFBIZ-7058

Sometimes, on clicking the reset password link from the "New password sent" email, we get a reset password page and on saving the new password we get the following error.
[java] org.apache.shiro.crypto.CryptoException: Unable to execute 'doFinal' with cipher instance [javax.crypto.Cipher@3ea85a47].
     [java]     at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:462) ~[shiro-core-1.2.3.jar:1.2.3]
     [java]     at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:445) ~[shiro-core-1.2.3.jar:1.2.3]
     [java]     at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:390) ~[shiro-core-1.2.3.jar:1.2.3]
     [java]     at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:382) ~[shiro-core-1.2.3.jar:1.2.3]
     [java]     at org.ofbiz.entity.util.EntityCrypto$ShiroStorageHandler.decryptValue(EntityCrypto.java:282) ~[ofbiz-entity.jar:?]
     [java]     at org.ofbiz.entity.util.EntityCrypto.doDecrypt(EntityCrypto.java:147) ~[ofbiz-entity.jar:?]
     [java]     at org.ofbiz.entity.util.EntityCrypto.decrypt(EntityCrypto.java:126) ~[ofbiz-entity.jar:?]
     [java]     at org.ofbiz.webapp.control.LoginWorker.login(LoginWorker.java:389) ~[ofbiz-webapp.jar:?]

I found that sometimes the encrypted password string (a Base64 string created by EntityCrypto's encrypt method) contains "+".
So on clicking the reset password link from the email we get a reset password page, and on saving the new password we get this error. The reason is that "+" is converted to " " after URL decoding. For example, the URL below has an encrypted token with "+":

https://localhost:8443/partymgr/control/passwordChange?USERNAME=DemoUser&password=CcXuJ3vDfba0J7A8xO+X5A==&forgotPwdFlag=true&tenantId=

We can encrypt the token using the URL encoder so that it is taken as-is in URL decoding.
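To see the failure described above and the effect of the fix, here is an added stand-alone Java example (not OFBiz code and not part of the patch) that runs the commit's own sample token through form decoding with and without URLEncoder; the helper names asSeenByServer and isDecodableBase64 are my own, and the URL-safe Base64 variant at the end is an assumed alternative, not something the project does.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.Base64;

public class ResetTokenEncodingDemo {

    // Sample token from the commit message: standard Base64, containing '+' and '=' padding.
    static final String TOKEN = "DGb1s2wgUQmwOBK9FK+fvQ==";

    // What request.getParameter("password") yields on the server: the query value is
    // form-decoded, and in that scheme a literal '+' stands for a space.
    static String asSeenByServer(String rawQueryValue) throws Exception {
        return URLDecoder.decode(rawQueryValue, "UTF-8");
    }

    // The first step of decrypting the token is to Base64-decode it; a character outside
    // the Base64 alphabet (such as the space produced above) makes the decoder throw.
    static boolean isDecodableBase64(String token) {
        try {
            Base64.getDecoder().decode(token);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Before the patch: the token is placed in the link unencoded.
        String seenRaw = asSeenByServer(TOKEN);
        System.out.println("raw:     " + seenRaw + "  decodable=" + isDecodableBase64(seenRaw));

        // After the patch: URLEncoder turns '+' into %2B and '=' into %3D, so
        // form-decoding on the server restores the token exactly.
        String seenEncoded = asSeenByServer(URLEncoder.encode(TOKEN, "UTF-8"));
        System.out.println("encoded: " + seenEncoded + "  decodable=" + isDecodableBase64(seenEncoded));

        // Assumed alternative, not what OFBiz does: the URL-safe Base64 alphabet ('-' and
        // '_') without padding needs no URL encoding at all. It only works if the
        // decrypting side is changed to accept that alphabet as well.
        byte[] cipherBytes = Base64.getDecoder().decode(TOKEN);
        String urlSafe = Base64.getUrlEncoder().withoutPadding().encodeToString(cipherBytes);
        boolean roundTrip = Arrays.equals(cipherBytes, Base64.getUrlDecoder().decode(asSeenByServer(urlSafe)));
        System.out.println("urlsafe: " + urlSafe + "  roundtrip=" + roundTrip);
    }
}
```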

Modified:
    ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java

Modified: ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java?rev=1743025&r1=1743024&r2=1743025&view=diff
==============================================================================
--- ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java (original)
+++ ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java Mon May  9 18:53:40 2016
@@ -19,6 +19,8 @@
 
 package org.ofbiz.securityext.login;
 
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
@@ -259,12 +261,19 @@ public class LoginEvents {
             } else {
                 passwordToSend = 
supposedUserLogin.getString("currentPassword");
             }
+            /* Its a Base64 string, it can contain + and this + will be 
converted to space after decoding the url.
+               For example: passwordToSend "DGb1s2wgUQmwOBK9FK+fvQ==" will be 
converted to "DGb1s2wgUQmwOBK9FK fvQ=="
+               So to fix it, done Url encoding of passwordToSend.
+            */
+            passwordToSend = URLEncoder.encode(passwordToSend, "UTF-8");
         } catch (GenericEntityException e) {
             Debug.logWarning(e, "", module);
             Map<String, String> messageMap = UtilMisc.toMap("errorMessage", 
e.toString());
             errMsg = UtilProperties.getMessage(resource, 
"loginevents.error_accessing_password", messageMap, 
UtilHttp.getLocale(request));
             request.setAttribute("_ERROR_MESSAGE_", errMsg);
             return "error";
+        } catch (UnsupportedEncodingException e) {
+            e.printStackTrace();
         }
 
         StringBuilder emails = new StringBuilder();
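Review bot: the new `catch (UnsupportedEncodingException e)` at the end of the try block should not just call `e.printStackTrace()` and fall through: it writes to stderr instead of the `Debug` log that the `GenericEntityException` branch directly above uses, and execution then continues with `passwordToSend` still unencoded, so the email would be built with a token that may contain "+" exactly as before. Handle it like the sibling branch, i.e. `Debug.logError(e, "", module)`, set `_ERROR_MESSAGE_` and `return "error"`; in practice the branch cannot fire because "UTF-8" is always available, which is one more reason not to leave ad-hoc stderr output in it. Two smaller points: since `passwordToSend` is now percent-encoded inside this block, confirm it is only interpolated into the link and not also shown as plain text in the email, where "%2B"/"%3D" would appear; and in the comment "Its" should be "It's" and "done Url encoding" reads better as "URL-encode". Finally, the fix addresses the corruption of the token only; the reset link still carries the encrypted current password as a query parameter (see the example URL in the log message), so it remains exposed wherever request URLs are logged or kept in history, which is worth noting on the JIRA issue.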