Thanks Hussein. See my responses below in blue.
----- Original Message -----
From: "Hussein Shafie" <[email protected]>
To: "Darryl Young" <darryly at bluestream.com>
Cc: <xmleditor-support at xmlmind.com>; "Jim Tivy" <jimt at bluestream.com>; "Nenad Furtula" <nenadf at bluestream.com>; <xmleditor-support at xmlmind.com>
Sent: Friday, January 15, 2010 1:51 AM
Subject: Re: [XXE] AuthenticationDialog issue

> Darryl Young wrote:
>> In our VDrive that integrates XXE with our XDocs CMS, we use the
>> following code to call up your AuthenticationDialog:
>>
>> PasswordAuthentication pwAuth = Authenticator.requestPasswordAuthentication(
>>     host, null, port, "http", realm, scheme);
>>
>> The issue we are having is as follows:
>> -- If the user makes an error in the initial login, then subsequent
>> calls to the "requestPasswordAuthentication" method
>> does not bring up the Authentication dialog, but rather the
>> previous/cached PasswordAuthentication value is returned
>> containing the first incorrect login credentials. (This happens whether
>> we check the "Remember Username and Password" checkbox, or not).
>>
>> Therefore, the only way we are currently able to get logged in after
>> such a series of events is to shut down XXE and start over.
>>
>> *Question:* Is there a call that I can access, that would allow me to
>> reset the cached PasswordAuthentication value when I detect
>> a login failure such as described above?
>>
>
> No.
>
>> If not, do you have a recommendation as to how I might resolve this issue?
>>
>
> This is clearly a bug. Sorry for that. We'll fix this bug in next
> release[*] (~February 2010).

[Darryl] - Unfortunately our current license only allows upgrades until Feb 6 - any chance the fix might be available before that date?

>
> Meanwhile, I don't see any workaround other than coding and installing
> your own java.net.Authenticator.
>
> ---
> [*] It's not possible to detect a login failure on XXE's side. (If you
> know how to do that, you are welcome to inform us.) The fix will
> probably be based on heuristics.

[Darryl] I don't know how you would do it on your side either - the simplest fix is your suggestion below.

>
> We'll also add a public, documented, API (and may be also a UI) which
> allows to clear the password cache.

[Darryl] This would resolve the issue quite nicely from our perspective - I can easily detect a login failure inside our VDrive and then clear your PW cache - problem solved.
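
The workaround discussed in this thread, as an added example that is not code from XMLmind or from either poster: a `java.net.Authenticator` subclass that caches credentials per host, port, realm and scheme and exposes an invalidate call for use after a detected login failure. The class name, the prompt callback and the sample host, realm and credentials are hypothetical.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

// Added example (hypothetical class): an Authenticator whose cache can be reset.
public class ResettableAuthenticator extends Authenticator {
    private final Map<String, PasswordAuthentication> cache = new ConcurrentHashMap<>();
    // Hypothetical prompt callback (a dialog in a real client); returns null on cancel.
    private final Function<String, PasswordAuthentication> prompt;

    public ResettableAuthenticator(Function<String, PasswordAuthentication> prompt) {
        this.prompt = prompt;
    }

    // Cache key: the challenge's host, port, realm and scheme.
    private static String key(String host, int port, String realm, String scheme) {
        return host + ":" + port + "|" + realm + "|" + scheme;
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        String k = key(getRequestingHost(), getRequestingPort(),
                       getRequestingPrompt(), getRequestingScheme());
        PasswordAuthentication cached = cache.get(k);
        if (cached != null) return cached;
        PasswordAuthentication fresh = prompt.apply(k);
        if (fresh != null) cache.put(k, fresh);   // a cancelled prompt is not cached
        return fresh;
    }

    // Call after the server rejects the credentials: drop the entry and wipe the password.
    public void invalidate(String host, int port, String realm, String scheme) {
        PasswordAuthentication old = cache.remove(key(host, port, realm, scheme));
        if (old != null) Arrays.fill(old.getPassword(), '\0');
    }

    public static void main(String[] args) {
        // Constructed sample input: the user types a wrong password, then the right one.
        Iterator<String> typed = Arrays.asList("wrong", "right").iterator();
        ResettableAuthenticator auth = new ResettableAuthenticator(
            k -> new PasswordAuthentication("user", typed.next().toCharArray()));
        Authenticator.setDefault(auth);
        for (int i = 0; i < 3; i++) {   // prompt, cached value, prompt again after reset
            PasswordAuthentication pa = Authenticator.requestPasswordAuthentication(
                "cms.example", null, 80, "http", "demo-realm", "basic");
            System.out.println(i + ": " + pa.getUserName() + "/" + new String(pa.getPassword()));
            if (i == 1) auth.invalidate("cms.example", 80, "demo-realm", "basic");
        }
    }
}
```

The second call returns the cached wrong password, which is the behaviour reported above; only after `invalidate` does the third call reach the prompt again.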

