I would prefer that we go the route of not allowing the password column to
be null.  Though maybe there is good reason not to.  In the db schemas, we
require the user to have a first and last name (they are specified NOT
NULL), but we allow the password to be null.  If we are allowing a null
password field, we should probably allow login without a password.  However:

It seems bad security policy to only have a login ID, especially since we
are requiring it to be unique. For instance in a system with
self-registration, a user would know someone else's login ID, if they
attempted to reserve it for themselves and were not allowed to have it.
This is why you have a second part, the password, that is not required to be
unique.

Are there good reasons to eliminate the password?

John McNally

----- Original Message -----
From: christopher baus <[EMAIL PROTECTED]>
To: Turbine <[EMAIL PROTECTED]>
Sent: Monday, February 14, 2000 9:45 PM
Subject: Bug in validateUser


> In UserFactory.validateUser it is possible that password could be null in
> the visitor table PASSWORD_VALUE field.  This causes a null pointer
> exception at
>
> if (  user.getPassword().equals(password) )
>
> I assume the following is the correct implementation with a boolean short
> circuit.  Of course this will allow a user to login without a password which
> may or not be desirable.
>
> if ((user.getPassword() == null && password == null) ||
>     (user.getPassword() != null && user.getPassword().equals(password)))
>
>
> Here's the context of the change.....
> ============================================
>
> /**
>   0: username and password is valid<br>
>   1: username is not valid<br>
>   2: password is not valid
>  */
> static int validateUser(User user, String password)
> {
>     if ( user != null )
>     {
>         if (  user.getPassword().equals(password) )
>         {
>             return 0;
>         }
>         else
>         {
>             return 2;
>         }
>     }
>     return 1;
> }
>
> =========================================
> cheers,
>
> christopher
>
>
>
> ------------------------------------------------------------
> To subscribe:        [EMAIL PROTECTED]
> To unsubscribe:      [EMAIL PROTECTED]
> Problems?:           [EMAIL PROTECTED]
>



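Added example, not Turbine's code and not from either message: the two null-safe forms of validateUser the thread is weighing, a permissive one that accepts a NULL stored password against a null login attempt, and a strict one that treats a missing or empty stored credential as never valid. The User class is a hypothetical stand-in and the rows are constructed samples.

```java
import java.util.Objects;

public class ValidateUserExample {
    // Hypothetical stand-in for Turbine's User; only the accessor the check needs.
    static final class User {
        private final String password;
        User(String password) { this.password = password; }
        String getPassword() { return password; }
    }

    /** Null-safe form of the fix proposed in the thread: a null stored password
     *  matched by a null supplied password is accepted (return 0), so a row with a
     *  NULL PASSWORD_VALUE becomes an account that can be entered with no password. */
    static int validateUserPermissive(User user, String password) {
        if (user == null) return 1;
        return Objects.equals(user.getPassword(), password) ? 0 : 2;
    }

    /** Stricter form matching the "password NOT NULL" position: a missing or empty
     *  stored credential never authenticates, and a null supplied password is simply
     *  a wrong password (return 2). No dereference of a possibly-null value occurs. */
    static int validateUserStrict(User user, String password) {
        if (user == null) return 1;
        String stored = user.getPassword();
        if (stored == null || stored.isEmpty() || password == null) return 2;
        return stored.equals(password) ? 0 : 2;
    }

    public static void main(String[] args) {
        User noPassword = new User(null);   // constructed: row with NULL PASSWORD_VALUE
        User normal = new User("s3cret");   // constructed: row with a stored password
        Object[][] cases = {
            {"null stored, null supplied", noPassword, null},
            {"null stored, 'x' supplied", noPassword, "x"},
            {"'s3cret' stored, null supplied", normal, null},
            {"'s3cret' stored, 's3cret' supplied", normal, "s3cret"},
            {"unknown user", null, "s3cret"},
        };
        // Prints the result code of each form side by side; the first row is where
        // the two policies diverge.
        for (Object[] c : cases) {
            System.out.printf("%-36s permissive=%d strict=%d%n", c[0],
                validateUserPermissive((User) c[1], (String) c[2]),
                validateUserStrict((User) c[1], (String) c[2]));
        }
    }
}
```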