Author: jleroux
Date: Mon May 9 18:53:40 2016
New Revision: 1743025

URL: http://svn.apache.org/viewvc?rev=1743025&view=rev
Log:
A patch from Amardeep Singh Jhajj for "New password set in forgot password workflow not works sometimes and gives error" https://issues.apache.org/jira/browse/OFBIZ-7058

Sometimes, on clicking the reset password link from the "New password sent" email, we get a reset password page, and on saving the new password we get the following error.

[java] org.apache.shiro.crypto.CryptoException: Unable to execute 'doFinal' with cipher instance [javax.crypto.Cipher@3ea85a47].
[java] at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:462) ~[shiro-core-1.2.3.jar:1.2.3]
[java] at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:445) ~[shiro-core-1.2.3.jar:1.2.3]
[java] at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:390) ~[shiro-core-1.2.3.jar:1.2.3]
[java] at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:382) ~[shiro-core-1.2.3.jar:1.2.3]
[java] at org.ofbiz.entity.util.EntityCrypto$ShiroStorageHandler.decryptValue(EntityCrypto.java:282) ~[ofbiz-entity.jar:?]
[java] at org.ofbiz.entity.util.EntityCrypto.doDecrypt(EntityCrypto.java:147) ~[ofbiz-entity.jar:?]
[java] at org.ofbiz.entity.util.EntityCrypto.decrypt(EntityCrypto.java:126) ~[ofbiz-entity.jar:?]
[java] at org.ofbiz.webapp.control.LoginWorker.login(LoginWorker.java:389) ~[ofbiz-webapp.jar:?]

I found that sometimes the encrypted password string (the Base64 string created by EntityCrypto's encrypt method) contains "+". So on clicking the reset password link from the email we get a reset password page, and on saving the new password we get this error. The reason is that "+" is converted to " " after URL decoding.
For example, the URL below has an encrypted token containing "+":
https://localhost:8443/partymgr/control/passwordChange?USERNAME=DemoUser&password=CcXuJ3vDfba0J7A8xO+X5A==&forgotPwdFlag=true&tenantId=
We can encrypt the token using URL encoder so that it is taken as it is in URL decoding.

Modified:
    ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java

Modified: ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java?rev=1743025&r1=1743024&r2=1743025&view=diff
==============================================================================
--- ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java (original)
+++ ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java Mon May 9 18:53:40 2016
@@ -19,6 +19,8 @@ package org.ofbiz.securityext.login; +import java.io.UnsupportedEncodingException; +import java.net.URLEncoder; import java.util.HashMap; import java.util.Iterator; import java.util.Map;
@@ -259,12 +261,19 @@ public class LoginEvents { } else { passwordToSend = supposedUserLogin.getString("currentPassword"); } + /* Its a Base64 string, it can contain + and this + will be converted to space after decoding the url. + For example: passwordToSend "DGb1s2wgUQmwOBK9FK+fvQ==" will be converted to "DGb1s2wgUQmwOBK9FK fvQ==" + So to fix it, done Url encoding of passwordToSend. + */ + passwordToSend = URLEncoder.encode(passwordToSend, "UTF-8"); } catch (GenericEntityException e) { Debug.logWarning(e, "", module); Map<String, String> messageMap = UtilMisc.toMap("errorMessage", e.toString()); errMsg = UtilProperties.getMessage(resource, "loginevents.error_accessing_password", messageMap, UtilHttp.getLocale(request)); request.setAttribute("_ERROR_MESSAGE_", errMsg); return "error"; + } catch (UnsupportedEncodingException e) { + e.printStackTrace(); } StringBuilder emails = new StringBuilder(); |
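Review bot: the new `catch (UnsupportedEncodingException e)` block only calls `e.printStackTrace()`, so a failure to encode would go to stderr and execution would continue into the e-mail assembly below with the raw `passwordToSend`; every other failure in this method goes through `Debug.logWarning(...)`, `request.setAttribute("_ERROR_MESSAGE_", errMsg)` and `return "error"`, and this branch should do the same (or, since the JVM guarantees "UTF-8", be folded into the existing error path rather than left as a bare printStackTrace). Second, `passwordToSend = URLEncoder.encode(passwordToSend, "UTF-8")` rewrites the variable for every later use, not only the query parameter; if the same value is also displayed outside a URL in the e-mail, the recipient now sees `%2B`/`%3D` in it, so encoding at the point the link is assembled is safer. Minor: the comment should read "It's a Base64 string" and "URL-encode passwordToSend". Worth recording in the issue that this fixes transport only: the link still carries the encrypted password (or `currentPassword` on the else branch) as a GET parameter, where it lands in server logs, proxies and browser history; a random, single-use, expiring reset token would be the proper fix.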
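An added example, in Python rather than OFBiz's Java, that reproduces the mechanism the log message describes end to end. The token literal is the one from the example URL above; the URL builders, the parameter parser and every function name are constructed for illustration and are not OFBiz code. `parse_qs` applies the same application/x-www-form-urlencoded decoding a servlet container applies before `request.getParameter`, and `quote_plus`/`urlencode` produce the same escaping as Java's `URLEncoder.encode(s, "UTF-8")`. The last two helpers go beyond the patch and show the alternative the page does not use: emitting URL-safe Base64 so the token never needs escaping.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, quote_plus, urlencode, urlsplit

# Token copied from the example URL in the commit message (standard Base64, so it
# can contain '+', '/' and '='; this one contains '+' and padding '=').
TOKEN = "CcXuJ3vDfba0J7A8xO+X5A=="
# Path taken from the same example URL; the query layout below is an assumption.
BASE = "https://localhost:8443/partymgr/control/passwordChange"


def naive_link(token: str) -> str:
    """Pre-patch behaviour: the Base64 string is spliced into the query verbatim."""
    return f"{BASE}?USERNAME=DemoUser&password={token}&forgotPwdFlag=true&tenantId="


def form_encoded(value: str) -> str:
    """What the patch does with URLEncoder.encode(value, "UTF-8"): quote_plus is the
    Python equivalent ('+' -> '%2B', '=' -> '%3D', '/' -> '%2F', ' ' -> '+')."""
    return quote_plus(value)


def encoded_link(token: str) -> str:
    """Post-patch behaviour, done at the point the link is built: urlencode()
    form-encodes every value, so nothing upstream has to remember to escape."""
    query = urlencode({"USERNAME": "DemoUser", "password": token,
                       "forgotPwdFlag": "true", "tenantId": ""})
    return f"{BASE}?{query}"


def server_side_value(link: str, name: str) -> str:
    """What request.getParameter(name) hands the controller: the container applies
    form decoding, which maps '+' to ' ' and %XX to the escaped byte. parse_qs does
    exactly that, so a raw Base64 '+' arrives as a space."""
    return parse_qs(urlsplit(link).query, keep_blank_values=True)[name][0]


def decode_token(value: str) -> Optional[bytes]:
    """Strict Base64 decode of the received parameter; None if it is no longer valid
    Base64 (the Java side reports the damage later, inside Cipher.doFinal)."""
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error:
        return None


def reset_roundtrip(build_link) -> Optional[bytes]:
    """Build the link, 'click' it, and try to recover the ciphertext bytes."""
    received = server_side_value(build_link(TOKEN), "password")
    return decode_token(received)


# Beyond the patch: avoid the problem at the source with URL-safe Base64
# (RFC 4648 section 5: '-' and '_' instead of '+' and '/'), padding stripped,
# so the token survives a query string without any escaping at all.
def to_urlsafe_token(ciphertext: bytes) -> str:
    return base64.urlsafe_b64encode(ciphertext).rstrip(b"=").decode("ascii")


def from_urlsafe_token(token: str) -> bytes:
    # Restore the padding that to_urlsafe_token stripped before decoding.
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


if __name__ == "__main__":
    print("naive   :", repr(server_side_value(naive_link(TOKEN), "password")),
          "->", reset_roundtrip(naive_link))
    print("encoded :", repr(server_side_value(encoded_link(TOKEN), "password")),
          "->", reset_roundtrip(encoded_link))
    ct = decode_token(TOKEN)
    safe = to_urlsafe_token(ct)
    print("urlsafe :", repr(server_side_value(naive_link(safe), "password")),
          "->", from_urlsafe_token(safe) == ct)
```

Running it shows the naive link delivering `CcXuJ3vDfba0J7A8xO X5A==` (a space where the `+` was), which no longer decodes, while the form-encoded link delivers the original token and the URL-safe variant needs no encoding step at all.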