[ https://issues.apache.org/jira/browse/FTPSERVER-235?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Niklas Gustavsson closed FTPSERVER-235.
---------------------------------------

    Resolution: Fixed

I fixed the uid->userid in the documentation (this was missed when we changed 
the column name due to problems in Oracle). I also changed the documentation 
for the SQL statement for the authentication statement. The reason this works 
as it does is that we cannot know the salt before we have done the select. 
Also, since the password encryptor is pluggable, we leave it to its 
implementation to verify the password, rather than the database.

> Documentation and code do not match for db user manager
> -------------------------------------------------------
>
>                 Key: FTPSERVER-235
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-235
>             Project: FtpServer
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 1.0.0-M3, 1.0.0-M4
>            Reporter: nathan longley
>            Assignee: Niklas Gustavsson
>            Priority: Minor
>             Fix For: 1.0.0-RC1
>
>
> In the examples on the 
> website (http://cwiki.apache.org/FTPSERVER/database-user-manager.html) it 
> shows:
>  <authenticate>SELECT uid from FTP_USER WHERE uid='{uid}' AND
>  userpassword='{userpassword}'</authenticate>
>  (uid is wrong; it is actually userid in all three places)
>  but the code will never set userpassword.
>  In DbUserManager.authenticate it does
>  HashMap<String, Object> map = new HashMap<String, Object>();
>  map.put(ATTR_LOGIN, escapeString(user));
>  String sql = StringUtils.replaceString(authenticateStmt, map);
>  LOG.info(sql);
>  and afterwards it compares the stored password with the one the user entered.
>  Is this designed to be this way, or the way described in the documentation? I 
> think allowing it the way it is in the documentation allows for greater 
> flexibility.
>  If it is not a bug and is a design feature I will make a custom user manager.
> A fix that would match the documentation would be:
>     public User authenticate(Authentication authentication) throws AuthenticationFailedException {
>         if (authentication instanceof UsernamePasswordAuthentication) {
>             UsernamePasswordAuthentication upauth = (UsernamePasswordAuthentication) authentication;
>             String user = upauth.getUsername();
>             String password = upauth.getPassword();
>             if (user == null) {
>                 throw new AuthenticationFailedException("Authentication failed");
>             }
>             if (password == null) {
>                 password = "";
>             }
>             Statement stmt = null;
>             ResultSet rs = null;
>             try {
>                 // create the sql query
>                 HashMap<String, Object> map = new HashMap<String, Object>();
>                 map.put(ATTR_LOGIN, escapeString(user));
>                 map.put(ATTR_PASSWORD, escapeString(password));
>                 String sql = StringUtils.replaceString(authenticateStmt, map);
>                 LOG.info(sql);
>                 // execute query
>                 stmt = createConnection().createStatement();
>                 rs = stmt.executeQuery(sql);
>                 if (rs.next()) {
>                     try {
>                         return getUserByName(user);
>                     } catch (FtpException e) {
>                         throw new AuthenticationFailedException("Authentication failed", e);
>                     }
>                 } else {
>                     throw new AuthenticationFailedException("Authentication failed");
>                 }
>             } catch (SQLException ex) {
>                 LOG.error("DbUserManager.authenticate()", ex);
>                 throw new AuthenticationFailedException("Authentication failed", ex);
>             } finally {
>                 closeQuitely(rs);
>                 closeQuitely(stmt);
>             }
>         } else if (authentication instanceof AnonymousAuthentication) {
>             try {
>                 if (doesExist("anonymous")) {
>                     return getUserByName("anonymous");
>                 } else {
>                     throw new AuthenticationFailedException("Authentication failed");
>                 }
>             } catch (AuthenticationFailedException e) {
>                 throw e;
>             } catch (FtpException e) {
>                 throw new AuthenticationFailedException("Authentication failed", e);
>             }
>         } else {
>             throw new IllegalArgumentException("Authentication not supported by this user manager");
>         }
>     }

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
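To make the design rationale in the comment above concrete (the salt is only known after the select, so the pluggable password encryptor, not the database, does the comparison) and to contrast it with the "WHERE userpassword='{userpassword}'" shape the old documentation showed, here is an added, self-contained Python example. It is not FtpServer code: the two encryptor classes only mimic the encrypt/matches shape of a pluggable encryptor and are hypothetical, the FTP_USER table and the user "alice" are constructed for the demo, and an in-memory sqlite3 database stands in for the configured JDBC data source.

```python
import hashlib
import hmac
import os
import sqlite3


class SaltedEncryptor:
    """Hypothetical salted encryptor (not FtpServer's own implementation).
    Stores "salthex:sha256hex". encrypt() draws a fresh random salt, so the
    stored value cannot be reproduced before the row has been read."""

    def encrypt(self, password, salt=None):
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
        return salt.hex() + ":" + digest

    def matches(self, password, stored):
        # Recover the per-user salt from the stored value, re-encrypt with it,
        # and compare in constant time. Malformed stored values never match.
        salt_hex, sep, _digest = stored.partition(":")
        if not sep:
            return False
        try:
            salt = bytes.fromhex(salt_hex)
        except ValueError:
            return False
        expected = self.encrypt(password, salt)
        return hmac.compare_digest(expected.encode("utf-8"), stored.encode("utf-8"))


class ClearTextEncryptor:
    """Deterministic (identity) encoding: the only kind of encryptor for which a
    comparison inside the SQL WHERE clause can work at all."""

    def encrypt(self, password, salt=None):
        return password

    def matches(self, password, stored):
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))


def make_db(encryptor, users):
    """Constructed in-memory FTP_USER table with the userid/userpassword columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE FTP_USER (userid TEXT PRIMARY KEY, userpassword TEXT NOT NULL)"
    )
    for userid, password in users.items():
        conn.execute(
            "INSERT INTO FTP_USER (userid, userpassword) VALUES (?, ?)",
            (userid, encryptor.encrypt(password)),
        )
    conn.commit()
    return conn


def authenticate_in_sql(conn, encryptor, userid, password):
    """The shape the old documentation showed: the database does the comparison.
    The submitted password must be encrypted before the SELECT, i.e. without
    knowing the salt the stored row used."""
    row = conn.execute(
        "SELECT userid FROM FTP_USER WHERE userid = ? AND userpassword = ?",
        (userid, encryptor.encrypt(password)),
    ).fetchone()
    return row is not None


def authenticate_select_then_verify(conn, encryptor, userid, password):
    """The order DbUserManager uses: select by login only, then hand the stored
    value and the submitted password to the encryptor for verification."""
    row = conn.execute(
        "SELECT userpassword FROM FTP_USER WHERE userid = ?", (userid,)
    ).fetchone()
    if row is None:
        return False
    return encryptor.matches(password, row[0])


def demo():
    """Run both strategies against both encryptors; returns the outcomes."""
    results = {}
    for name, enc in (("cleartext", ClearTextEncryptor()), ("salted", SaltedEncryptor())):
        conn = make_db(enc, {"alice": "correct horse"})
        results[name] = {
            "in_sql": authenticate_in_sql(conn, enc, "alice", "correct horse"),
            "select_then_verify": authenticate_select_then_verify(conn, enc, "alice", "correct horse"),
            "wrong_password": authenticate_select_then_verify(conn, enc, "alice", "wrong"),
            "unknown_user": authenticate_select_then_verify(conn, enc, "mallory", "correct horse"),
        }
        conn.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

With the clear-text encryptor both strategies agree; with the salted one the SQL-side comparison can never succeed, because encrypt() run before the SELECT picks a salt the stored row does not use, while select-then-verify still works for the right password and still rejects a wrong password or an unknown user. Two further choices differ from the proposed fix quoted above: the example binds parameters instead of assembling the statement with escapeString and string replacement, and it never logs the statement, whereas the proposed fix calls LOG.info(sql) after ATTR_PASSWORD has been added to the map, which would write the submitted password into the log.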