[jira] [Updated] (SYNCOPE-417) Users are made active when updating in NoOpWorkflowAdapter

2013-09-20 Thread Jesse van Bekkum (JIRA)

[ https://issues.apache.org/jira/browse/SYNCOPE-417?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jesse van Bekkum updated SYNCOPE-417:
-

Attachment: NoOpUserWorkflowAdapter.java.patch

Patch for this issue

 Users are made active when updating in NoOpWorkflowAdapter
 --

 Key: SYNCOPE-417
 URL: https://issues.apache.org/jira/browse/SYNCOPE-417
 Project: Syncope
  Issue Type: Bug
  Components: core
Affects Versions: 1.1.3
Reporter: Jesse van Bekkum
Priority: Minor
 Fix For: 1.1.4, 1.2.0

 Attachments: NoOpUserWorkflowAdapter.java.patch


 When using the NoOpWorkflow adapter a user is always set to active when an 
 update is done, even if the user is suspended. This is undesirable; I think a 
 user should stay in the state it is in.
 This can be fixed by changing this line (117/118 of NoOpWorkflowAdapter.java):
 return new WorkflowResult<Map.Entry<Long, Boolean>>(
 new AbstractMap.SimpleEntry<Long, Boolean>(updated.getId(), 
 true), propByRes, update);
 into this:
 return new WorkflowResult<Map.Entry<Long, Boolean>>(
 new AbstractMap.SimpleEntry<Long, Boolean>(updated.getId(), 
 !user.isSuspended()), propByRes, update);

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Created] (SYNCOPE-374) SyncopeUser tokens do not use secure random strings

2013-05-28 Thread Jesse van Bekkum (JIRA)
Jesse van Bekkum created SYNCOPE-374:


 Summary: SyncopeUser tokens do not use secure random strings
 Key: SYNCOPE-374
 URL: https://issues.apache.org/jira/browse/SYNCOPE-374
 Project: Syncope
  Issue Type: Improvement
  Components: core
Affects Versions: 1.1.1
Reporter: Jesse van Bekkum
Priority: Minor


The SyncopeUser.generateToken() function generates a token using the 
RandomStringUtils class. This class uses the normal Java Random class, which 
uses the current time in milliseconds as seed.

This means that the generated tokens can be predicted by an attacker. This 
forum post explains the issue: 
http://stackoverflow.com/questions/1741160/how-can-i-create-a-password
It also lists some solutions.

It is more secure to use a cryptographically secure string, as explained here: 
http://commons.apache.org/proper/commons-math/userguide/random.html
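An added example (not code from the Syncope code base or from the reporter's patch) that puts a time-seeded java.util.Random token generator next to a SecureRandom one, so the difference the issue describes is visible; the class, method and ALPHABET names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Random;

public class TokenGenerator {
    // Same character set RandomStringUtils.randomAlphanumeric() draws from
    // (hypothetical stand-in, so the example has no Commons Lang dependency).
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Shared CSPRNG: SecureRandom is seeded from the platform entropy source,
    // not from the clock, so its output cannot be replayed from a timestamp.
    private static final SecureRandom SECURE = new SecureRandom();

    // Weak variant: a java.util.Random seeded with a millisecond timestamp.
    // Anyone who knows (or can narrow down) the seed regenerates the token.
    public static String weakToken(int length, long seedMillis) {
        return draw(length, new Random(seedMillis));
    }

    // Hardened variant: same alphabet, but drawn from the CSPRNG.
    public static String secureToken(int length) {
        return draw(length, SECURE);
    }

    // SecureRandom extends Random, so one drawing loop serves both variants.
    private static String draw(int length, Random rng) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        long seed = System.currentTimeMillis();
        // Two generators seeded with the same millisecond yield the same token:
        // this is the predictability the issue reports.
        System.out.println(weakToken(32, seed).equals(weakToken(32, seed)));
        // 32 alphanumeric characters from a CSPRNG: about 190 bits of entropy.
        System.out.println(secureToken(32));
    }
}
```

If the code base should keep using RandomStringUtils, its random(...) overloads that take a java.util.Random argument accept a SecureRandom instance, which is the smallest change that achieves the same effect.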
