svn commit: r656175 - in /ofbiz/trunk/framework: base/src/base/org/ofbiz/base/crypto/HashCrypt.java common/src/org/ofbiz/common/login/LoginServices.java

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

svn commit: r656175 - in /ofbiz/trunk/framework: base/src/base/org/ofbiz/base/crypto/HashCrypt.java common/src/org/ofbiz/common/login/LoginServices.java

hansbak-2
Author: hansbak
Date: Wed May 14 02:22:54 2008
New Revision: 656175

URL: http://svn.apache.org/viewvc?rev=656175&view=rev
Log:
a better fix than rev 656100

Modified:
    ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java
    ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java

Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java?rev=656175&r1=656174&r2=656175&view=diff
==============================================================================
--- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java (original)
+++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java Wed May 14 02:22:54 2008
@@ -81,7 +81,7 @@
     }
     
     public static String removeHashTypePrefix(String hashString) {
-        if (UtilValidate.isEmpty(hashString) || hashString.charAt(0) != '{') {
+        if (UtilValidate.isNotEmpty(hashString) || hashString.charAt(0) != '{') {
             return hashString;
         }
         

Modified: ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=656175&r1=656174&r2=656175&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java (original)
+++ ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java Wed May 14 02:22:54 2008
@@ -162,8 +162,7 @@
                         // if the password.accept.encrypted.and.plain property in security is set to true allow plain or encrypted passwords
                         // if this is a system account don't bother checking the passwords
                         if ((userLogin.get("currentPassword") != null &&
-                            (encodedPassword.equals(userLogin.getString("currentPassword")) ||
-                             HashCrypt.removeHashTypePrefix(encodedPassword).equals(userLogin.getString("currentPassword")) ||
+                            (HashCrypt.removeHashTypePrefix(encodedPassword).equals(userLogin.getString("currentPassword")) ||
                                     HashCrypt.removeHashTypePrefix(encodedPasswordOldFunnyHexEncode).equals(userLogin.getString("currentPassword")) ||
                                     HashCrypt.removeHashTypePrefix(encodedPasswordUsingDbHashType).equals(userLogin.getString("currentPassword")) ||
                                 ("true".equals(UtilProperties.getPropertyValue("security.properties", "password.accept.encrypted.and.plain")) && password.equals(userLogin.getString("currentPassword")))))) {


Reply | Threaded
Open this post in threaded view
|

Re: svn commit: r656175 - in /ofbiz/trunk/framework: base/src/base/org/ofbiz/base/crypto/HashCrypt.java common/src/org/ofbiz/common/login/LoginServices.java

David E Jones-2


Hans: thanks for your attention and this, and sorry for delaying the  
fix. Login not working after a password change is a pretty serious bug!

The problem was that in the LoginServices.userLogin method/service it  
wasn't removing the prefix from both the password entered and the  
password from the database (UserLogin.currentPassword).

This last change you made fixed the problem because it effectively  
disabled the prefix removal. That can potentially cause other problems  
though, so I've changed that back to the prefix removal method works  
again, but now it is done on both sides so the comparison will work.

I've tested this based on the changes in SVN rev 656515 and it is  
working fine now.

-David


On May 14, 2008, at 3:22 AM, [hidden email] wrote:

> Author: hansbak
> Date: Wed May 14 02:22:54 2008
> New Revision: 656175
>
> URL: http://svn.apache.org/viewvc?rev=656175&view=rev
> Log:
> a better fix than rev 656100
>
> Modified:
>    ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/
> HashCrypt.java
>    ofbiz/trunk/framework/common/src/org/ofbiz/common/login/
> LoginServices.java
>
> Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/
> HashCrypt.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/HashCrypt.java?rev=656175&r1=656174&r2=656175&view=diff
> =
> =
> =
> =
> =
> =
> =
> =
> ======================================================================
> --- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/
> HashCrypt.java (original)
> +++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/crypto/
> HashCrypt.java Wed May 14 02:22:54 2008
> @@ -81,7 +81,7 @@
>     }
>
>     public static String removeHashTypePrefix(String hashString) {
> -        if (UtilValidate.isEmpty(hashString) ||  
> hashString.charAt(0) != '{') {
> +        if (UtilValidate.isNotEmpty(hashString) ||  
> hashString.charAt(0) != '{') {
>             return hashString;
>         }
>
>
> Modified: ofbiz/trunk/framework/common/src/org/ofbiz/common/login/
> LoginServices.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=656175&r1=656174&r2=656175&view=diff
> =
> =
> =
> =
> =
> =
> =
> =
> ======================================================================
> --- ofbiz/trunk/framework/common/src/org/ofbiz/common/login/
> LoginServices.java (original)
> +++ ofbiz/trunk/framework/common/src/org/ofbiz/common/login/
> LoginServices.java Wed May 14 02:22:54 2008
> @@ -162,8 +162,7 @@
>                         // if the  
> password.accept.encrypted.and.plain property in security is set to  
> true allow plain or encrypted passwords
>                         // if this is a system account don't bother  
> checking the passwords
>                         if ((userLogin.get("currentPassword") !=  
> null &&
> -                            
> (encodedPassword.equals(userLogin.getString("currentPassword")) ||
> -                            
> HashCrypt
> .removeHashTypePrefix
> (encodedPassword).equals(userLogin.getString("currentPassword")) ||
> +                            
> (HashCrypt
> .removeHashTypePrefix
> (encodedPassword).equals(userLogin.getString("currentPassword")) ||
>                                      
> HashCrypt
> .removeHashTypePrefix
> (encodedPasswordOldFunnyHexEncode
> ).equals(userLogin.getString("currentPassword")) ||
>                                      
> HashCrypt
> .removeHashTypePrefix
> (encodedPasswordUsingDbHashType
> ).equals(userLogin.getString("currentPassword")) ||
>                                  
> ("true
> ".equals(UtilProperties.getPropertyValue("security.properties",  
> "password.accept.encrypted.and.plain")) &&  
> password.equals(userLogin.getString("currentPassword")))))) {
>
>