Security Update for forgotten passwords
---------------------------------------

Key: OFBIZ-3842
URL: https://issues.apache.org/jira/browse/OFBIZ-3842
Project: OFBiz
Issue Type: Improvement
Components: ALL COMPONENTS
Affects Versions: SVN trunk
Reporter: Sascha Rodekamp
Fix For: SVN trunk
Attachments: OFBIZ-3842_security.patch

Hi everybody,
here is a patch that generates a random password when the "require new password" function is called. In the current trunk it's a kind of hard-coded password that will be sent to the user. After generating a new pass the "requireNewPassword" flag will be set to true (configurable).

Have a good day
Sascha

[ https://issues.apache.org/jira/browse/OFBIZ-3842?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sascha Rodekamp updated OFBIZ-3842:
-----------------------------------

Attachment: OFBIZ-3842_security.patch

[ https://issues.apache.org/jira/browse/OFBIZ-3842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12886636#action_12886636 ]

Sascha Rodekamp commented on OFBIZ-3842:
----------------------------------------

Hey,
did nobody have a comment on this patch? I find it quite useful :-)

Cheers
Sascha

[ https://issues.apache.org/jira/browse/OFBIZ-3842?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erwan de FERRIERES updated OFBIZ-3842:
--------------------------------------

Assignee: Erwan de FERRIERES

[ https://issues.apache.org/jira/browse/OFBIZ-3842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12904553#action_12904553 ]

Erwan de FERRIERES commented on OFBIZ-3842:
-------------------------------------------

Hi Sascha,
why are you removing the hint on the newly generated password?

Cheers,

[ https://issues.apache.org/jira/browse/OFBIZ-3842?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sascha Rodekamp updated OFBIZ-3842:
-----------------------------------

Attachment: OFBIZ-3842_security.patch

Hi Erwan,
I think I removed the hint because the fact that it is auto-generated is not obvious, but if you like to keep it, I created an update for the patch where the password hint is set as before.

Have a good day and thanks for the comment.
Sascha

[ https://issues.apache.org/jira/browse/OFBIZ-3842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12904565#action_12904565 ]

Sascha Rodekamp commented on OFBIZ-3842:
----------------------------------------

Maybe an additional comment:
The fact that the pw hint refers to an auto-generated pw makes it easier for people who know OFBiz to get unauthorized access to the system.

[ https://issues.apache.org/jira/browse/OFBIZ-3842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12922501#action_12922501 ]

Sascha Rodekamp commented on OFBIZ-3842:
----------------------------------------

Anything new here?

[ https://issues.apache.org/jira/browse/OFBIZ-3842?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sascha Rodekamp updated OFBIZ-3842:
-----------------------------------

Attachment: OFBIZ-3842_security.patch

update against the latest trunk

[ https://issues.apache.org/jira/browse/OFBIZ-3842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12928182#action_12928182 ]

Jacques Le Roux commented on OFBIZ-3842:
----------------------------------------

This looks good to me, though I'm not sure we want requirePasswordChange=true by default. It should be discussed on dev ML IMO, minor detail anyway.

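An added example of the behaviour discussed in this thread (it is not the attached patch and not OFBiz code): a reset that issues a random one-time password, clears the hint, and sets a configurable change-required flag. The `Login` class, the `reset.*` property keys and the PBKDF2 parameters are assumptions made for the illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration; Login and the property keys are hypothetical, not OFBiz code.
public class ForgotPasswordReset {
    // No 0/O or 1/l/I, so a password read from an e-mail can be typed back reliably.
    private static final String ALPHABET =
            "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";
    private static final SecureRandom RNG = new SecureRandom();

    static final class Login { String passwordHash, passwordHint; boolean requirePasswordChange; }

    static String randomPassword(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            // SecureRandom.nextInt(bound) is uniform over [0, bound): no modulo bias.
            sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    static String hash(String password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 210_000, 256);
        byte[] dk = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        return Base64.getEncoder().encodeToString(salt) + ":" + Base64.getEncoder().encodeToString(dk);
    }

    static String reset(Login login, Properties config) throws Exception {
        int length = Integer.parseInt(config.getProperty("reset.password.length", "16"));
        String temp = randomPassword(length);      // returned once, to be mailed to the user
        login.passwordHash = hash(temp);           // only the salted hash is stored
        login.passwordHint = null;                 // no hint that describes the temporary password
        login.requirePasswordChange = Boolean.parseBoolean(
                config.getProperty("reset.requirePasswordChange", "true"));
        return temp;
    }

    public static void main(String[] args) throws Exception {
        Login login = new Login();
        String mailed = reset(login, new Properties());
        System.out.println(mailed.length() + " chars, change required: " + login.requirePasswordChange);
    }
}
```

With the 57-character alphabet, a 16-character password carries about 93 bits of entropy, and the property default mirrors the `requirePasswordChange=true` default questioned in the last comment.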