The following comment has been added to this issue:

     Author: Arthur D'Alessandro
    Created: Tue, 7 Sep 2004 2:21 PM
       Body:
1.6 Patch (cleaner):
Index: org/apache/jetspeed/modules/actions/portlets/security/UserUpdateAction.java
===================================================================
RCS file: 
/home/cvspublic/jakarta-jetspeed/src/java/org/apache/jetspeed/modules/actions/portlets/security/UserUpdateAction.java,v
retrieving revision 1.17
diff -u -r1.17 UserUpdateAction.java
--- org/apache/jetspeed/modules/actions/portlets/security/UserUpdateAction.java 31 Mar 
2004 04:49:10 -0000      1.17
+++ org/apache/jetspeed/modules/actions/portlets/security/UserUpdateAction.java 7 Sep 
2004 21:08:25 -0000
@@ -392,6 +392,7 @@
         throws Exception
     {
         JetspeedUser user = null;
+        String strOriginalPassword= "";
         try
         {
             //
@@ -399,7 +400,8 @@
             //
             user = (JetspeedUser)JetspeedSecurity.getUser(
                             
rundata.getParameters().getString(SecurityConstants.PARAM_ENTITY_ID));
-
+            
+            String strOriginalPassword= user.getPassword();
             String name = rundata.getParameters().getString("username");
             if (name == null || name.trim().length() == 0)
             {
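Review bot: `String strOriginalPassword= user.getPassword();` inside the try block redeclares the local that the previous hunk already declares as `String strOriginalPassword= "";`, and Java rejects a second declaration of the same name in a nested scope. Drop the type here and assign (`strOriginalPassword = user.getPassword();`), or remove the outer declaration if the value is never read outside the try. The line that replaces the removed blank line also carries only trailing whitespace.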
@@ -422,6 +424,7 @@
             boolean oldDisabled = user.getDisabled();
             rundata.getParameters().setProperties(user);
             user.setLastAccessDate();
+            user.setPasswowrd(strOriginalPassword);
 
             
JetspeedSecurity.forcePassword(user,rundata.getParameters().getString("password"));
 
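Review bot: `user.setPasswowrd(strOriginalPassword);` is misspelled and will not compile; the other file in this patch calls `user.setPassword(...)`. The restore sits between `rundata.getParameters().setProperties(user)` and `JetspeedSecurity.forcePassword(...)`, and it is what makes the stored value available to the comparison added to forcePassword in TurbineUserManagement, so a one-line comment stating that dependency would keep a later cleanup from removing it.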
Index: org/apache/jetspeed/services/security/turbine/TurbineUserManagement.java
===================================================================
RCS file: 
/home/cvspublic/jakarta-jetspeed/src/java/org/apache/jetspeed/services/security/turbine/TurbineUserManagement.java,v
retrieving revision 1.13
diff -u -r1.13 TurbineUserManagement.java
--- org/apache/jetspeed/services/security/turbine/TurbineUserManagement.java    23 Feb 
2004 03:54:49 -0000      1.13
+++ org/apache/jetspeed/services/security/turbine/TurbineUserManagement.java    7 Sep 
2004 21:08:26 -0000
@@ -452,7 +452,12 @@
             throw new UnknownUserException("The account '" +
                 user.getUserName() + "' does not exist");
         }
-        user.setPassword(JetspeedSecurity.encryptPassword(password));
+        if (user.getPassword().equalsIgnoreCase(password)) {
+            user.setPassword(password);
+        } else {
+            user.setPassword(JetspeedSecurity.encryptPassword(password));
+        }
+        
         // save the changes in the database immediately, to prevent the
         // password being 'reverted' to the old value if the user data
         // is lost somehow before it is saved at session's expiry.
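Review bot: the new condition `user.getPassword().equalsIgnoreCase(password)` compares without regard to case, so a submitted value that differs from the stored one only in letter case passes the check and is then written by `user.setPassword(password)` in place of the stored value; use `equals`. The call also throws a NullPointerException when `user.getPassword()` returns null, so guard for that. More generally, inferring "unchanged" from value equality means any submitted string that matches the stored value is saved without `encryptPassword`; having the caller skip forcePassword when the password field was not edited would avoid relying on that comparison.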

---------------------------------------------------------------------
View this comment:
  http://issues.apache.org/jira/browse/JS1-516?page=comments#action_52940

---------------------------------------------------------------------
View the issue:
  http://issues.apache.org/jira/browse/JS1-516

Here is an overview of the issue:
---------------------------------------------------------------------
        Key: JS1-516
    Summary: UserUpdateAction re-encrypts encrypted password when secure.passwords=true
       Type: Bug

     Status: Unassigned
   Priority: Major

    Project: Jetspeed
 Components: 
             Security
   Versions:
             1.5

   Assignee: 
   Reporter: Arthur D'Alessandro

    Created: Fri, 3 Sep 2004 2:14 PM
    Updated: Tue, 7 Sep 2004 2:21 PM
Environment: Database: Postgres
JVM: J2SDK 1.4.02_04
OS: Red Hat 9.x/Windows XP SP2

Description:
UserUpdateAction re-encrypts encrypted password when secure.passwords=true

Thus making the edit user capability unusable unless the purpose was to also reset the password.

I've been throwing around something simple, such as:

services.JetspeedSecurity.secure.passwords.allowblank=true|false

UserUpdateAction.doUpdate: Null password is ok, depending on 
if secure.passwords=true {
  if (password != null) {
    forcePassword(user,password)
  } else {
    if secure.passwords.allowblank {
      if (unsetpassword) {
        forcePassword(user,"")
      }
    } else {
      // Skip, no changes
    }
  }
}


Modify user-form.vm, add a checkbox next to password (if secure.passwords.allowblank=true), e.g. Unset Password
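
The behaviour reported above and the "blank means no change" rule from the description, as an added example that is not part of the original message or of Jetspeed's code. The class and method names are hypothetical, the SHA-256 plus Base64 digest is a stand-in for JetspeedSecurity.encryptPassword(), and it assumes the edit form posts the stored value back in the password field.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class PasswordUpdateDemo {
    // Stand-in for JetspeedSecurity.encryptPassword(); the algorithm is an assumption.
    static String encrypt(String clear) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(clear.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }

    // Reported behaviour: whatever the form posts is digested again on save.
    static String updateAlwaysEncrypt(String formPassword) throws NoSuchAlgorithmException {
        return encrypt(formPassword);
    }

    // Rule from the description: a null field means "no change" unless the
    // "Unset Password" box is ticked and allowblank is enabled.
    // Treating an empty string like null is an assumption about how the form posts.
    static String updateExplicit(String stored, String formPassword,
            boolean allowBlank, boolean unsetPassword) throws NoSuchAlgorithmException {
        if (formPassword != null && !formPassword.isEmpty()) {
            return encrypt(formPassword);   // real password change
        }
        if (allowBlank && unsetPassword) {
            return encrypt("");             // explicit unset
        }
        return stored;                      // skip, no changes
    }

    static boolean login(String stored, String typed) throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                encrypt(typed).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String clear = "s3cret-constructed";            // constructed sample value
        String stored = encrypt(clear);
        String afterBug = updateAlwaysEncrypt(stored);  // form echoed the stored digest
        System.out.println("always-encrypt, login ok: " + login(afterBug, clear));
        String afterSkip = updateExplicit(stored, "", false, false);
        System.out.println("blank field, login ok:    " + login(afterSkip, clear));
        String afterChange = updateExplicit(stored, "new-constructed", false, false);
        System.out.println("changed, new login ok:    " + login(afterChange, "new-constructed"));
    }
}
```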

