ate 2005/02/02 17:22:51
Modified:
components/security/src/java/org/apache/jetspeed/security/spi/impl
DefaultInternalPasswordCredentialInterceptor.java
Log:
Invalid stored password is now always set to updateRequired after loading and
not yet encoded
so that it can be validated again before an admin sets updateRequired to
false again: password has to be valid before that is allowed.
Revision Changes Path
1.4 +21 -5
jakarta-jetspeed-2/components/security/src/java/org/apache/jetspeed/security/spi/impl/DefaultInternalPasswordCredentialInterceptor.java
Index: DefaultInternalPasswordCredentialInterceptor.java
===================================================================
RCS file:
/home/cvs/jakarta-jetspeed-2/components/security/src/java/org/apache/jetspeed/security/spi/impl/DefaultInternalPasswordCredentialInterceptor.java,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- DefaultInternalPasswordCredentialInterceptor.java 12 Nov 2004 03:17:46
-0000 1.3
+++ DefaultInternalPasswordCredentialInterceptor.java 3 Feb 2005 01:22:51
-0000 1.4
@@ -43,14 +43,30 @@
throws SecurityException
{
boolean updated = false;
- if (!credential.isEncoded() && pcProvider.getEncoder() != null)
+ if (!credential.isEncoded())
{
+ boolean encode = pcProvider.getEncoder() != null;
if ( pcProvider.getValidator() != null)
{
- pcProvider.getValidator().validate(credential.getValue());
+ try
+ {
+
pcProvider.getValidator().validate(credential.getValue());
+ }
+ catch (SecurityException e)
+ {
+ // database contains an invalid password
+ // allow login (assuming the user knows the invalid
value) but enforce an update
+ credential.setUpdateRequired(true);
+ // don't encode it yet to be able to check
setUpdateRequired(false)
+ // in DefaultCredentialHandler.setPasswordUpdateRequired
+ encode = false;
+ }
}
-
credential.setValue(pcProvider.getEncoder().encode(userName,credential.getValue()));
- credential.setEncoded(true);
+ if ( encode )
+ {
+
credential.setValue(pcProvider.getEncoder().encode(userName,credential.getValue()));
+ credential.setEncoded(true);
+ }
updated = true;
}
return updated;
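Review bot: `updated = true;` now runs for every credential that is not yet encoded, including when no encoder is configured and validation passes or no validator exists, so the method reports a change although nothing on the credential was modified. Before this commit that path was skipped by the `pcProvider.getEncoder() != null` condition; if the caller persists the credential whenever the method returns true (not visible here), each load would trigger a needless write. Setting the flag only where state changes, i.e. `updated = true;` inside the catch block and inside `if ( encode )`, keeps the return value accurate. The catch block also discards the SecurityException without any log entry while the invalid password stays unencoded in the store; a warning that names `userName` but never the password value would let operators find and follow up on these accounts. The method signature and the end of its body lie outside the hunk.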