[ https://issues.apache.org/jira/browse/ISIS-2884?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17449181#comment-17449181 ]

ASF subversion and git services commented on ISIS-2884:
-------------------------------------------------------

Commit 8d4b3f8dde0e81d21613b8a22fd75ecac579c2a9 in isis's branch 
refs/heads/master from Andi Huber
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=8d4b3f8 ]

ISIS-2884: fixes invalid use of password hash matching

- also ditching SecMan's PasswordEncryptionService in favor of Spring's
PasswordEncoder

- also adding IsisModuleExtSecmanEncryptionSpring as an alternative to
IsisModuleExtSecmanEncryptionJbcrypt

> Passwords not matching after restart
> ------------------------------------
>
>                 Key: ISIS-2884
>                 URL: https://issues.apache.org/jira/browse/ISIS-2884
>             Project: Isis
>          Issue Type: Bug
>            Reporter: Daniel Keir Haywood
>            Assignee: Andi Huber
>            Priority: Major
>             Fix For: 2.0.0-M7
>
>
> When I restart the web app the old passwords don’t work.
>  
> I think this might be the cause of that:
>  
> @Service
> @Named("isis.ext.secman.PasswordEncryptionServiceUsingJBcrypt")
> @javax.annotation.Priority(PriorityPrecedence.MIDPOINT)
> @Qualifier("JBCrypt")
> public class PasswordEncryptionServiceUsingJBcrypt implements PasswordEncryptionService {
>     private String salt;
>     private String getSalt() {
>         if (salt == null) {
>             salt = BCrypt.gensalt();
>         }
>         return salt;
>     }
>     @Override
>     public String encrypt(String password) {
>         return password == null ? null : BCrypt.hashpw(password, getSalt());
>     }
>
> That looks like the salt is set on the service and would be different after
> the service is used following an app restart.
>  
> One solution might be a variant that picks up the salt from a property file.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
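
The failure mode the reporter describes, as an added example that is not code from the Isis code base or from the commit above. It assumes the old matching re-hashed the candidate password with the service's cached salt and compared the strings; the class names are hypothetical, and the corrected form uses jBCrypt's BCrypt.checkpw.

```java
import org.mindrot.jbcrypt.BCrypt;

public class SaltRestartDemo {
    // Hypothetical stand-in for the reported pattern: one salt cached per service instance.
    static class CachedSaltService {
        private String salt;
        String encrypt(String password) {
            if (salt == null) salt = BCrypt.gensalt(); // random, so it differs in every new instance
            return BCrypt.hashpw(password, salt);
        }
        // Assumed comparison: re-hash the candidate with the cached salt, compare the strings.
        boolean matches(String candidate, String stored) {
            return encrypt(candidate).equals(stored);
        }
    }

    // Corrected form: fresh salt per password; checkpw reads the salt embedded in the stored hash.
    static class PerPasswordSaltService {
        String encrypt(String password) {
            return BCrypt.hashpw(password, BCrypt.gensalt());
        }
        boolean matches(String candidate, String stored) {
            return candidate != null && stored != null && BCrypt.checkpw(candidate, stored);
        }
    }

    public static void main(String[] args) {
        String password = "constructed-sample-password"; // constructed sample input

        CachedSaltService first = new CachedSaltService();
        String stored = first.encrypt(password);          // what ends up in the user table
        System.out.println("cached salt, same instance: " + first.matches(password, stored));

        // A new instance stands in for the restarted web app: its salt is regenerated,
        // so re-hashing the correct password no longer reproduces the stored string.
        CachedSaltService restarted = new CachedSaltService();
        System.out.println("cached salt, after restart: " + restarted.matches(password, stored));

        // checkpw does not depend on instance state, so it verifies the hash written
        // before the "restart", and rejects a wrong password.
        PerPasswordSaltService fixed = new PerPasswordSaltService();
        System.out.println("checkpw, old hash:          " + fixed.matches(password, stored));
        System.out.println("checkpw, wrong password:    " + fixed.matches("wrong-guess", stored));
    }
}
```

Running it needs jBCrypt (package org.mindrot.jbcrypt) on the classpath. A salt cached per instance also means every password hashed during one process lifetime shares that salt, so equal passwords produce equal hashes.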
