http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14914

Crypting bug in LDAPUserManagement

Summary: Crypting bug in LDAPUserManagement
Product: Jetspeed
Version: 1.4b2-dev / CVS
Platform: PC
OS/Version: Windows NT/2K
Status: NEW
Severity: Normal
Priority: Other
Component: Security
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

I'm very happy to see that Jetspeed's security package is now supporting LDAP. However, there's an encryption error in the LDAP classes, which forced us to override the default LDAP classes (we're having a deadline REAL soon). Here's a description of the error:

Encryption of the user's password is performed in the org.apache.jetspeed.om.security.ldap.LDAPUser class (in the "public boolean update(boolean create)" method). This is the wrong place to do the encryption, since the password encryption is performed even if the user did not change his/her password at all, but updated some other field instead. For example, if the user only changes his/her first name and leaves the new password field blank, the old and already encrypted password gets encrypted again.

I believe that the correct place to do the encryption is in the org.apache.jetspeed.services.security.ldap.LDAPUserManagement class. There are three methods (addUser, changePassword, forcePassword) where the encryption should be performed. We are now performing the encryption there, and it seems to work without errors.
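The failure mode described in this report, as an added illustration that is not Jetspeed's code: a hypothetical user object whose update() encodes the password field on every save is compared with the layout the reporter proposes, where only the management-layer operations (addUser, changePassword, forcePassword) encode and update() writes attributes verbatim. The in-memory directory and the SHA-256 encoder are constructed stand-ins, not Jetspeed's storage or password scheme.

```python
import hashlib

# Constructed stand-in for the password encoder; Jetspeed's real scheme is not reproduced.
def encode(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

DIRECTORY: dict = {}  # constructed in-memory stand-in for the LDAP directory


class LdapUser:
    """Hypothetical model of LDAPUser: the attributes written back by update()."""

    def __init__(self, name: str, first_name: str, password: str) -> None:
        self.name, self.first_name, self.password = name, first_name, password

    def update(self, create: bool, encode_in_update: bool) -> None:
        # encode_in_update=True reproduces the reported bug: whatever is in the
        # password field is encoded on every save, so an already-encoded value
        # loaded from the directory gets encoded a second time.
        stored = encode(self.password) if encode_in_update else self.password
        DIRECTORY[self.name] = {"givenName": self.first_name, "userPassword": stored}


def load(name: str) -> LdapUser:
    rec = DIRECTORY[name]
    return LdapUser(name, rec["givenName"], rec["userPassword"])


def authenticate(name: str, password: str) -> bool:
    return DIRECTORY[name]["userPassword"] == encode(password)


def scenario(encode_in_update: bool) -> tuple:
    """addUser, log in, change only the first name, log in again with the same password.
    Returns (login_ok_after_add, login_ok_after_profile_edit)."""
    DIRECTORY.clear()
    # addUser: with the fix, the management service encodes *before* calling update();
    # with the bug, the plaintext is handed over and update() encodes it.
    plain = "s3cret"
    user = LdapUser("alice", "Alice", plain if encode_in_update else encode(plain))
    user.update(create=True, encode_in_update=encode_in_update)
    first_login = authenticate("alice", plain)
    # Profile edit with the new-password field left blank: the record is reloaded,
    # only givenName changes, and the existing password value is saved back as-is.
    user = load("alice")
    user.first_name = "Alicia"
    user.update(create=False, encode_in_update=encode_in_update)
    return first_login, authenticate("alice", plain)
```

With the bug the first login succeeds and the second fails, because the stored value is now encode(encode("s3cret")); with encoding moved out of update() both logins succeed.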
