[jira] [Commented] (OFBIZ-7058) New password set in forgot password workflow not works sometimes and gives error

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-7058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15276002#comment-15276002 ]

Amardeep Singh Jhajj commented on OFBIZ-7058:
---------------------------------------------

Hi jacques,

I have worked on this issue and found that sometimes the encrypted password string (the Base64 string created by EntityCrypto's encrypt method) contains "+".
So on clicking the reset password link from the email we get the reset password page, and on saving the new password we get this error. The reason is that "+" is converted to " "
after URL decoding. For example, the URL below has an encrypted token containing "+":

https://localhost:8443/partymgr/control/passwordChange?USERNAME=DemoUser&password=CcXuJ3vDfba0J7A8xO+X5A==&forgotPwdFlag=true&tenantId=

We can do any of the following fix:

1. We can pass the encrypted token as a form parameter instead of a URL parameter. It would work fine. But I have seen OFBIZ-4983 and found that previously we used the form itself, but due to some email-client-related problems you changed it to URL parameters.

2. We can also encode the encrypted token using a URL encoder so that it is taken as-is during URL decoding. Here is the code snippet we can add:

{code}
URLEncoder.encode(passwordToSend, "UTF-8");
{code}
Please let me know your views on fixing it. I have already attached the patch here, which uses URLEncoder.

Thanks.

> New password set in forgot password workflow not works sometimes and gives error
> --------------------------------------------------------------------------------
>
>                 Key: OFBIZ-7058
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-7058
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk
>            Reporter: Amardeep Singh Jhajj
>            Assignee: Amardeep Singh Jhajj
>            Priority: Critical
>         Attachments: OFBIZ-7058-screenshot-1.png, OFBIZ-7058-screenshot-2.png, OFBIZ-7058.patch
>
>
> Sometimes, on clicking the reset password link from the "New password sent" email we get the reset password page, and on saving the new password we get the following error.
> [java] org.apache.shiro.crypto.CryptoException: Unable to execute 'doFinal' with cipher instance [javax.crypto.Cipher@3ea85a47].
>      [java] at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:462) ~[shiro-core-1.2.3.jar:1.2.3]
>      [java] at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:445) ~[shiro-core-1.2.3.jar:1.2.3]
>      [java] at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:390) ~[shiro-core-1.2.3.jar:1.2.3]
>      [java] at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:382) ~[shiro-core-1.2.3.jar:1.2.3]
>      [java] at org.ofbiz.entity.util.EntityCrypto$ShiroStorageHandler.decryptValue(EntityCrypto.java:282) ~[ofbiz-entity.jar:?]
>      [java] at org.ofbiz.entity.util.EntityCrypto.doDecrypt(EntityCrypto.java:147) ~[ofbiz-entity.jar:?]
>      [java] at org.ofbiz.entity.util.EntityCrypto.decrypt(EntityCrypto.java:126) ~[ofbiz-entity.jar:?]
>      [java] at org.ofbiz.webapp.control.LoginWorker.login(LoginWorker.java:389) ~[ofbiz-webapp.jar:?]
>      [java] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_60]
>      [java] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_60]
>      [java] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_60]
>      [java] at java.lang.reflect.Method.invoke(Method.java:497) ~[?:1.8.0_60]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
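The following Java program is an added illustration of the defect discussed in this thread; it is not code from the Jira issue, the attached patch or the OFBiz code base. It takes the token value shown in the comment's example URL, runs it through java.net.URLDecoder the way a servlet container decodes a query parameter, and shows that the "+" becomes a space and the result is no longer valid Base64. It then applies URLEncoder.encode(..., "UTF-8") before the token is placed in the URL and shows that the same decoding step now returns the original token. The class and method names are my own.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.Base64;

public class ResetTokenUrlEncodingDemo {

    // Sample token taken from the example URL in the Jira comment.
    // It contains '+' and '=' characters, both of which are special in a query string.
    static final String TOKEN = "CcXuJ3vDfba0J7A8xO+X5A==";

    // Decodes a raw query-string value the way a servlet container does
    // (application/x-www-form-urlencoded rules: '+' becomes ' ', %XX is unescaped).
    static String decodeQueryValue(String rawValue) throws UnsupportedEncodingException {
        return URLDecoder.decode(rawValue, "UTF-8");
    }

    // Value to embed in the reset link: the fix proposed in the comment,
    // i.e. URL-encode the token so that '+' becomes %2B and '=' becomes %3D.
    static String encodeQueryValue(String token) throws UnsupportedEncodingException {
        return URLEncoder.encode(token, "UTF-8");
    }

    // Returns true if the value is still decodable as standard Base64.
    // A token that picked up a space on the way through the URL will fail here
    // long before any decryption is attempted.
    static boolean isValidBase64(String value) {
        try {
            Base64.getDecoder().decode(value);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Broken path: token placed in the URL verbatim, as in the example link.
        String mangled = decodeQueryValue(TOKEN);
        System.out.println("raw token in URL  -> " + mangled
                + " (valid Base64: " + isValidBase64(mangled) + ")");

        // Fixed path: token URL-encoded before being placed in the link.
        String encoded = encodeQueryValue(TOKEN);
        String roundTrip = decodeQueryValue(encoded);
        System.out.println("encoded in URL    -> " + encoded);
        System.out.println("after decoding    -> " + roundTrip
                + " (valid Base64: " + isValidBase64(roundTrip) + ")");
        System.out.println("round trip intact -> " + TOKEN.equals(roundTrip));
    }
}
```

Running this prints the mangled value "CcXuJ3vDfba0J7A8xO X5A==" for the unencoded path (the space replaces the "+", and the Base64 check fails), "CcXuJ3vDfba0J7A8xO%2BX5A%3D%3D" for the encoded value, and the original token after decoding. A cheap safeguard on the receiving side is the isValidBase64 style check shown here: rejecting a token that is not well-formed Base64 gives a clear "bad link" message instead of the CryptoException from doFinal seen in the issue's stack trace.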