svn commit: r1038209 - in /ofbiz/trunk: applications/securityext/build.xml applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java framework/security/config/security.properties


svn commit: r1038209 - in /ofbiz/trunk: applications/securityext/build.xml applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java framework/security/config/security.properties

jleroux@apache.org
Author: jleroux
Date: Tue Nov 23 17:13:53 2010
New Revision: 1038209

URL: http://svn.apache.org/viewvc?rev=1038209&view=rev
Log:
A patch from Sascha Rodekamp "Security Update for forgotten passwords " (https://issues.apache.org/jira/browse/OFBIZ-3842) - OFBIZ-3842

Improve the random password generation when the "require new password" function is called. In the current trunk it is a kind of hard-coded password that will be sent to the user. After generating a new password the "requireNewPassword" flag will be set to true (configurable).

Modified:
    ofbiz/trunk/applications/securityext/build.xml
    ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java
    ofbiz/trunk/framework/security/config/security.properties

Modified: ofbiz/trunk/applications/securityext/build.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/securityext/build.xml?rev=1038209&r1=1038208&r2=1038209&view=diff
==============================================================================
--- ofbiz/trunk/applications/securityext/build.xml (original)
+++ ofbiz/trunk/applications/securityext/build.xml Tue Nov 23 17:13:53 2010
@@ -32,6 +32,7 @@ under the License.
     <path id="local.class.path">
         <!--<fileset dir="${lib.dir}" includes="*.jar"/>-->
         <fileset dir="../../framework/base/lib" includes="*.jar"/>
+        <fileset dir="../../framework/base/lib/commons" includes="*.jar"/>
         <fileset dir="../../framework/base/lib/j2eespecs" includes="*.jar"/>
         <fileset dir="../../framework/base/build/lib" includes="*.jar"/>
         <fileset dir="../../framework/entity/lib" includes="*.jar"/>

Modified: ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java?rev=1038209&r1=1038208&r2=1038209&view=diff
==============================================================================
--- ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java (original)
+++ ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java Tue Nov 23 17:13:53 2010
@@ -29,6 +29,8 @@ import javax.servlet.http.HttpSession;
 
 import javolution.util.FastMap;
 
+import org.apache.commons.lang.RandomStringUtils;
+
 import org.ofbiz.base.util.Debug;
 import org.ofbiz.base.util.UtilFormatOut;
 import org.ofbiz.base.util.UtilHttp;
@@ -211,12 +213,12 @@ public class LoginEvents {
             }
             if (useEncryption) {
                 // password encrypted, can't send, generate new password and email to user
-                double randNum = Math.random();
-
-                // multiply by 100,000 to usually make a 5 digit number
-                passwordToSend = "auto" + ((long) (randNum * 100000));
+                passwordToSend = RandomStringUtils.randomAlphanumeric(Integer.parseInt(UtilProperties.getPropertyValue("security", "password.length.min", "5")));
                 supposedUserLogin.set("currentPassword", HashCrypt.getDigestHash(passwordToSend, LoginServices.getHashType()));
                 supposedUserLogin.set("passwordHint", "Auto-Generated Password");
+                if ("true".equals(UtilProperties.getPropertyValue("security.properties", "password.email_password.require_password_change"))){
+                    supposedUserLogin.set("requirePasswordChange", "Y");
+                }
             } else {
                 passwordToSend = supposedUserLogin.getString("currentPassword");
             }
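Review bot: The temporary password built on the new line `passwordToSend = RandomStringUtils.randomAlphanumeric(...)` comes from commons-lang's shared `java.util.Random`, not a cryptographically strong source, so an emailed credential that grants login is weaker than it needs to be; prefer the `RandomStringUtils.random(count, start, end, letters, numbers, chars, random)` overload fed with a `java.security.SecureRandom`, e.g. `passwordToSend = RandomStringUtils.random(len, 0, 0, true, true, null, SECURE_RANDOM);` where `SECURE_RANDOM` is a `private static final SecureRandom` on the class. The two new property lookups also name the resource differently (`"security"` for the length, `"security.properties"` for the require-change check); both presumably resolve to the same file, but one spelling is easier to audit. `Integer.parseInt` on the configured `password.length.min` is unguarded, so a non-numeric value throws `NumberFormatException` out of the forgot-password flow instead of using the `"5"` default — a try/catch that falls back to the default length would keep the intent, and note that the generated length is exactly the configured minimum, not a margin above it. The enclosing method starts and ends outside the hunk.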

Modified: ofbiz/trunk/framework/security/config/security.properties
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/config/security.properties?rev=1038209&r1=1038208&r2=1038209&view=diff
==============================================================================
--- ofbiz/trunk/framework/security/config/security.properties (original)
+++ ofbiz/trunk/framework/security/config/security.properties Tue Nov 23 17:13:53 2010
@@ -48,6 +48,9 @@ store.login.history.incorrect.password=t
 # -- should we encrypt (SHA Hash) the password? --
 password.encrypt=true
 
+# -- set requirePasswordChange to true, after emailPassword --
+password.email_password.require_password_change=true
+
 # -- specify the type of hash to use for one-way encryption, will be passed to java.security.MessageDigest.getInstance() --
 # -- options may include: SHA, MD5, etc
 password.encrypt.hash.type=SHA
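Review bot: The comment above the new `password.email_password.require_password_change` key names the property in prose rather than stating what it does and which values are accepted; LoginEvents.java compares the value literally to `"true"` and then sets `requirePasswordChange` to `Y` on the user login, so a comment such as `# -- after emailPassword sends an auto-generated password, set requirePasswordChange=Y on the UserLogin (true/false, default false when unset) --` would document both. The Java code reads this key through the `"security.properties"` resource name while the length lookup in the same method uses `"security"`; presumably both resolve here, but it is worth confirming so the flag is not silently ignored.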