> On Apr 14, 2016, at 7:46 AM, Chris Pike <[email protected]> wrote:
>
> When creating a user using the fortress API, a userPassword field is created,
> even though I'm not specifying one for the user. What value is being put
> here? Is there a way to disable its creation?

Currently it is hard-coded to place an empty string there if not otherwise set
by caller.

    User create( User entity ) throws CreateException
    {
        ...
        // guard against npe
        myEntry.add( SchemaConstants.USER_PASSWORD_AT,
            ArrayUtils.isNotEmpty( entity.getPassword() )
                ? new String( entity.getPassword() )
                : new String( new char[] {} ) );

When authenticate or createSession (w/ trusted == false) are called with a null
or empty password a SecurityException is thrown which means authentication will
always fail unless the password field is set.

cannot call createSession w/ empty password (unless trusted):

    Session createSession( User user, boolean trusted ) throws SecurityException
    {
        Session session;
        if ( trusted )
        {
            ...
        }
        else
        {
            // Create the impl session if the user authentication succeeds:
            VUtil.assertNotNullOrEmpty( user.getPassword(),
                GlobalErrIds.USER_PW_NULL, CLS_NM + ".createSession" );
            session = createSession( user );

cannot call authenticate with empty password:

    @Override
    public Session authenticate( String userId, char[] password )
        throws SecurityException
    {
        String methodName = "authenticate";
        VUtil.assertNotNullOrEmpty( userId, GlobalErrIds.USER_ID_NULL,
            getFullMethodName( CLS_NM, methodName ) );
        VUtil.assertNotNullOrEmpty( password, GlobalErrIds.USER_PW_NULL,
            getFullMethodName( CLS_NM, methodName ) );

Shawn
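
An added example, not part of the original message and not Fortress code: a small audit that reads an LDIF export and reports which entries carry the empty userPassword placeholder described above. It assumes the placeholder is exported as a zero-length userPassword value; the DNs and the sample LDIF are constructed.

```python
import base64

# Constructed sample export (hypothetical DNs, not real data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=

dn: uid=bob,ou=People,dc=example,dc=com
userPassword:

dn: uid=carol,ou=People,dc=example,
 dc=com
uid: carol
"""

def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def password_states(ldif_text):
    """Map each DN to 'absent', 'empty' or 'set' for userPassword."""
    states, dn = {}, None
    for line in unfold(ldif_text):
        if not line.strip():
            dn = None                      # blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        b64 = rest.startswith(":")         # "attr:: value" is base64
        text = rest[1:].strip() if b64 else rest.strip()
        value = base64.b64decode(text) if b64 else text.encode()
        name = attr.split(";")[0].lower()  # drop attribute options
        if name == "dn":
            dn = value.decode("utf-8", "replace")
            states[dn] = "absent"
        elif name == "userpassword" and dn is not None:
            if value or states[dn] != "set":   # a non-empty value wins
                states[dn] = "set" if value else "empty"
    return states

def empty_password_dns(ldif_text):
    return [d for d, s in password_states(ldif_text).items() if s == "empty"]
```

Entries reported as "empty" are the ones that cannot pass authenticate or an untrusted createSession until a password is set.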