Author: hansbak
Date: Wed May 14 02:22:54 2008 New Revision: 656175 URL: http://svn.apache.org/viewvc?rev=656175&view=rev Log: a better fix than rev 656100 Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java?rev=656175&r1=656174&r2=656175&view=diff ============================================================================== --- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java (original) +++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java Wed May 14 02:22:54 2008 @@ -81,7 +81,7 @@ } public static String removeHashTypePrefix(String hashString) { - if (UtilValidate.isEmpty(hashString) || hashString.charAt(0) != '{') { + if (UtilValidate.isNotEmpty(hashString) || hashString.charAt(0) != '{') { return hashString; } Modified: ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=656175&r1=656174&r2=656175&view=diff ============================================================================== --- ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java (original) +++ ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java Wed May 14 02:22:54 2008 @@ -162,8 +162,7 @@ // if the password.accept.encrypted.and.plain property in security is set to true allow plain or encrypted passwords // if this is a system account don't bother checking the passwords if ((userLogin.get("currentPassword") != null && - (encodedPassword.equals(userLogin.getString("currentPassword")) || - HashCrypt.removeHashTypePrefix(encodedPassword).equals(userLogin.getString("currentPassword")) || + (HashCrypt.removeHashTypePrefix(encodedPassword).equals(userLogin.getString("currentPassword")) || HashCrypt.removeHashTypePrefix(encodedPasswordOldFunnyHexEncode).equals(userLogin.getString("currentPassword")) || HashCrypt.removeHashTypePrefix(encodedPasswordUsingDbHashType).equals(userLogin.getString("currentPassword")) || ("true".equals(UtilProperties.getPropertyValue("security.properties", "password.accept.encrypted.and.plain")) && password.equals(userLogin.getString("currentPassword")))))) { |
Hans: thanks for your attention and this, and sorry for delaying the fix. Login not working after a password change is a pretty serious bug! The problem was that in the LoginServices.userLogin method/service it wasn't removing the prefix from both the password entered and the password from the database (UserLogin.currentPassword). This last change you made fixed the problem because it effectively disabled the prefix removal. That can potentially cause other problems though, so I've changed that back to the prefix removal method works again, but now it is done on both sides so the comparison will work. I've tested this based on the changes in SVN rev 656515 and it is working fine now. -David On May 14, 2008, at 3:22 AM, [hidden email] wrote: > Author: hansbak > Date: Wed May 14 02:22:54 2008 > New Revision: 656175 > > URL: http://svn.apache.org/viewvc?rev=656175&view=rev > Log: > a better fix than rev 656100 > > Modified: > ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/ > HashCrypt.java > ofbiz/trunk/framework/common/src/org/ofbiz/common/login/ > LoginServices.java > > Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/ > HashCrypt.java > URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java?rev=656175&r1=656174&r2=656175&view=diff > = > = > = > = > = > = > = > = > ====================================================================== > --- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/ > HashCrypt.java (original) > +++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/ > HashCrypt.java Wed May 14 02:22:54 2008 > @@ -81,7 +81,7 @@ > } > > public static String removeHashTypePrefix(String hashString) { > - if (UtilValidate.isEmpty(hashString) || > hashString.charAt(0) != '{') { > + if (UtilValidate.isNotEmpty(hashString) || > hashString.charAt(0) != '{') { > return hashString; > } > > > Modified: ofbiz/trunk/framework/common/src/org/ofbiz/common/login/ > LoginServices.java > URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=656175&r1=656174&r2=656175&view=diff > = > = > = > = > = > = > = > = > ====================================================================== > --- ofbiz/trunk/framework/common/src/org/ofbiz/common/login/ > LoginServices.java (original) > +++ ofbiz/trunk/framework/common/src/org/ofbiz/common/login/ > LoginServices.java Wed May 14 02:22:54 2008 > @@ -162,8 +162,7 @@ > // if the > password.accept.encrypted.and.plain property in security is set to > true allow plain or encrypted passwords > // if this is a system account don't bother > checking the passwords > if ((userLogin.get("currentPassword") != > null && > - > (encodedPassword.equals(userLogin.getString("currentPassword")) || > - > HashCrypt > .removeHashTypePrefix > (encodedPassword).equals(userLogin.getString("currentPassword")) || > + > (HashCrypt > .removeHashTypePrefix > (encodedPassword).equals(userLogin.getString("currentPassword")) || > > HashCrypt > .removeHashTypePrefix > (encodedPasswordOldFunnyHexEncode > ).equals(userLogin.getString("currentPassword")) || > > HashCrypt > .removeHashTypePrefix > (encodedPasswordUsingDbHashType > ).equals(userLogin.getString("currentPassword")) || > > ("true > ".equals(UtilProperties.getPropertyValue("security.properties", > "password.accept.encrypted.and.plain")) && > password.equals(userLogin.getString("currentPassword")))))) { > > |
Free forum by Nabble | Edit this page |