Hans: thanks for your attention on this, and sorry for delaying the
fix. Login not working after a password change is a pretty serious bug!
The problem was that in the LoginServices.userLogin method/service it
wasn't removing the prefix from both the password entered and the
password from the database (UserLogin.currentPassword).
This last change you made fixed the problem because it effectively
disabled the prefix removal. That can potentially cause other problems
though, so I've changed that back so the prefix removal method works
again, but now it is done on both sides so the comparison will work.
I've tested this based on the changes in SVN rev 656515 and it is
working fine now.
-David
On May 14, 2008, at 3:22 AM, [EMAIL PROTECTED] wrote:
Author: hansbak
Date: Wed May 14 02:22:54 2008
New Revision: 656175
URL: http://svn.apache.org/viewvc?rev=656175&view=rev
Log:
a better fix than rev 656100
Modified:
ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/
HashCrypt.java
ofbiz/trunk/framework/common/src/org/ofbiz/common/login/
LoginServices.java
Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/
HashCrypt.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java?rev=656175&r1=656174&r2=656175&view=diff
======================================================================
--- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/
HashCrypt.java (original)
+++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/
HashCrypt.java Wed May 14 02:22:54 2008
@@ -81,7 +81,7 @@
}
public static String removeHashTypePrefix(String hashString) {
- if (UtilValidate.isEmpty(hashString) ||
hashString.charAt(0) != '{') {
+ if (UtilValidate.isNotEmpty(hashString) ||
hashString.charAt(0) != '{') {
return hashString;
}
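Review bot: The guard on the `+` line, `UtilValidate.isNotEmpty(hashString) || hashString.charAt(0) != '{'`, is true for every non-empty string, so the method returns its input unchanged and never strips a prefix. A null or empty `hashString` now makes the first operand false and reaches `charAt(0)`, which throws instead of returning. Keep `isEmpty` as the guard here and fix the mismatch at the call site in LoginServices instead, by stripping the prefix from both values being compared.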
Modified: ofbiz/trunk/framework/common/src/org/ofbiz/common/login/
LoginServices.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=656175&r1=656174&r2=656175&view=diff
======================================================================
--- ofbiz/trunk/framework/common/src/org/ofbiz/common/login/
LoginServices.java (original)
+++ ofbiz/trunk/framework/common/src/org/ofbiz/common/login/
LoginServices.java Wed May 14 02:22:54 2008
@@ -162,8 +162,7 @@
// if the
password.accept.encrypted.and.plain property in security is set to
true allow plain or encrypted passwords
// if this is a system account don't bother
checking the passwords
if ((userLogin.get("currentPassword") !=
null &&
-
(encodedPassword.equals(userLogin.getString("currentPassword")) ||
-
HashCrypt
.removeHashTypePrefix
(encodedPassword).equals(userLogin.getString("currentPassword")) ||
+
(HashCrypt
.removeHashTypePrefix
(encodedPassword).equals(userLogin.getString("currentPassword")) ||
HashCrypt
.removeHashTypePrefix
(encodedPasswordOldFunnyHexEncode
).equals(userLogin.getString("currentPassword")) ||
HashCrypt
.removeHashTypePrefix
(encodedPasswordUsingDbHashType
).equals(userLogin.getString("currentPassword")) ||
("true
".equals(UtilProperties.getPropertyValue("security.properties",
"password.accept.encrypted.and.plain")) &&
password.equals(userLogin.getString("currentPassword")))))) {
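Review bot: In the `+` lines, `removeHashTypePrefix` is applied only to the computed values (`encodedPassword`, `encodedPasswordOldFunnyHexEncode`, `encodedPasswordUsingDbHashType`), while `userLogin.getString("currentPassword")` is compared exactly as stored, and the direct `encodedPassword.equals(...)` branch is dropped. Whether a login succeeds then depends on whether the stored value happens to carry a prefix. Read the stored password once into a local, pass it through `removeHashTypePrefix` as well, and compare the normalized values; that also removes the four repeated `getString("currentPassword")` calls. The `password.accept.encrypted.and.plain` branch should stay a separate, explicitly plain comparison.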
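The both-sides prefix removal described in the reply at the top of this thread, as an added example that is not OFBiz code and not taken from the later revision: `stripHashTypePrefix` and `hashesMatch` are hypothetical names, the `{TYPE}` prefix format is an assumption, and the hash strings are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class PrefixNormalizedCompare {

    // Hypothetical helper (not the OFBiz HashCrypt method): strips a leading
    // "{TYPE}" marker such as "{SHA}" and returns what follows it.
    static String stripHashTypePrefix(String hash) {
        if (hash == null || hash.isEmpty() || hash.charAt(0) != '{') {
            return hash; // nothing to strip
        }
        int close = hash.indexOf('}');
        return close < 0 ? hash : hash.substring(close + 1);
    }

    // Normalizes BOTH the computed and the stored value before comparing,
    // so a prefix present on only one side cannot cause a mismatch.
    static boolean hashesMatch(String computed, String stored) {
        String a = stripHashTypePrefix(computed);
        String b = stripHashTypePrefix(stored);
        if (a == null || b == null || a.isEmpty() || b.isEmpty()) {
            return false; // a missing or empty hash never authenticates
        }
        // MessageDigest.isEqual avoids the early exit of String.equals.
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample values, not real password hashes.
        String bare = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8";
        String prefixed = "{SHA}" + bare;

        // Prefix on the computed side only (the failing case in this thread).
        System.out.println(hashesMatch(prefixed, bare));
        // Prefix on the stored side only.
        System.out.println(hashesMatch(bare, prefixed));
        // Prefix on both sides.
        System.out.println(hashesMatch(prefixed, prefixed));
        // Different hash, and an empty stored value.
        System.out.println(hashesMatch(prefixed, "{SHA}00" + bare.substring(2)));
        System.out.println(hashesMatch(prefixed, ""));
    }
}
```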