Any objection if I modify the code to allow not setting the user password field via a property? Something like

user.creation.field.password.disable=true

----- Original Message -----
From: "Shawn McKinney" <[email protected]>
To: [email protected]
Sent: Thursday, April 14, 2016 9:12:08 AM
Subject: Re: User Password Field

> On Apr 14, 2016, at 7:46 AM, Chris Pike <[email protected]> wrote:
>
> When creating a user using the fortress API, a userPassword field is created, even though I'm not specifying one for the user. What value is being put here? Is there a way to disable its creation?

Currently it is hard-coded to place an empty string there if not otherwise set by caller.

    User create( User entity ) throws CreateException
    {
        ...
        // guard against npe
        myEntry.add( SchemaConstants.USER_PASSWORD_AT, ArrayUtils.isNotEmpty( entity.getPassword() ) ? new String( entity.getPassword() ) : new String( new char[] {} ) );

When authenticate or createSession (w/ trusted == false) are called with a null or empty password a SecurityException is thrown which means authentication will always fail unless the password field is set.

cannot call createSession w/ empty password (unless trusted):

    Session createSession( User user, boolean trusted ) throws SecurityException
    {
        Session session;
        if ( trusted )
        {
            ...
        }
        else
        {
            // Create the impl session if the user authentication succeeds:
            VUtil.assertNotNullOrEmpty( user.getPassword(), GlobalErrIds.USER_PW_NULL, CLS_NM + ".createSession" );
            session = createSession( user );

cannot call authenticate with empty password:

    @Override
    public Session authenticate( String userId, char[] password ) throws SecurityException
    {
        String methodName = "authenticate";
        VUtil.assertNotNullOrEmpty( userId, GlobalErrIds.USER_ID_NULL, getFullMethodName( CLS_NM, methodName ) );
        VUtil.assertNotNullOrEmpty( password, GlobalErrIds.USER_PW_NULL, getFullMethodName( CLS_NM, methodName ) );

Shawn
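
The behaviour discussed in this thread, as an added sketch that is not part of either message and is not Fortress source: it models the current empty-value write, the proposed property switch, and the null-or-empty guard side by side. The class, method names and the plain attribute map are hypothetical; only the property key comes from the message, and it is assumed here that a supplied password is still written when the property is true.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

// Added illustration; hypothetical names throughout, not the Fortress API.
public class PasswordFieldSketch {
    // Property key as proposed in the message above.
    static final String DISABLE_PW_FIELD = "user.creation.field.password.disable";
    static final String USER_PASSWORD_AT = "userPassword";

    // Builds the attribute map that would be written for a new user entry.
    static Map<String, char[]> buildEntry(String userId, char[] password, Properties cfg) {
        Map<String, char[]> entry = new HashMap<>();
        entry.put("uid", userId.toCharArray());
        boolean hasPassword = password != null && password.length > 0;
        boolean skipEmpty = Boolean.parseBoolean(cfg.getProperty(DISABLE_PW_FIELD, "false"));
        if (hasPassword) {
            // Assumption: a caller-supplied password is stored regardless of the switch.
            entry.put(USER_PASSWORD_AT, Arrays.copyOf(password, password.length));
        } else if (!skipEmpty) {
            // Behaviour described in the thread: an empty value is written.
            entry.put(USER_PASSWORD_AT, new char[0]);
        }
        return entry;
    }

    // Models the quoted guard: null or empty passwords are rejected before any
    // directory call. java.lang.SecurityException stands in for Fortress's own type.
    static void assertNotNullOrEmpty(char[] password) {
        if (password == null || password.length == 0) {
            throw new SecurityException("password is null or empty");
        }
    }

    public static void main(String[] args) {
        Properties cfg = new Properties();
        System.out.println("default, no pw:  userPassword present = "
            + buildEntry("jdoe", null, cfg).containsKey(USER_PASSWORD_AT));
        cfg.setProperty(DISABLE_PW_FIELD, "true");
        System.out.println("disabled, no pw: userPassword present = "
            + buildEntry("jdoe", null, cfg).containsKey(USER_PASSWORD_AT));
        System.out.println("disabled, pw set: userPassword present = "
            + buildEntry("jdoe", "constructed-sample".toCharArray(), cfg).containsKey(USER_PASSWORD_AT));
        try {
            assertNotNullOrEmpty(new char[0]);
        } catch (SecurityException e) {
            System.out.println("authenticate rejected: " + e.getMessage());
        }
    }
}
```

In this sketch the guard is independent of the switch, so an account created without a password cannot authenticate through the non-trusted path whether or not the attribute was written.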
