[ 
https://issues.apache.org/jira/browse/FTPSERVER-235?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Niklas Gustavsson updated FTPSERVER-235:
----------------------------------------

        Fix Version/s:     (was: 1.0.0-M4)
                       1.0.0-RC1
    Affects Version/s: 1.0.0-M4

> Documentation and code do not match for db user manager
> -------------------------------------------------------
>
>                 Key: FTPSERVER-235
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-235
>             Project: FtpServer
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 1.0.0-M3, 1.0.0-M4
>            Reporter: nathan longley
>            Assignee: Niklas Gustavsson
>            Priority: Minor
>             Fix For: 1.0.0-RC1
>
>
> In the examples on the website (http://cwiki.apache.org/FTPSERVER/database-user-manager.html) it shows:
>  <authenticate>SELECT uid from FTP_USER WHERE uid='{uid}' AND userpassword='{userpassword}'</authenticate>
>  (uid is wrong; it is actually userid in all three places)
>  but the code will never set userpassword. In DbUserManager.authenticate it does:
>  HashMap<String, Object> map = new HashMap<String, Object>();
>  map.put(ATTR_LOGIN, escapeString(user));
>  String sql = StringUtils.replaceString(authenticateStmt, map);
>  LOG.info(sql);
>  and afterwards it compares the stored password with the one the user entered.
>  Is this designed to be this way, or the way described in the documentation? I think allowing it the way it is in the documentation allows for greater flexibility.
>  If it is not a bug and is a design feature, I will make a custom user manager.
> A fix that would match the documentation would be:
> public User authenticate(Authentication authentication) throws AuthenticationFailedException {
>         if (authentication instanceof UsernamePasswordAuthentication) {
>             UsernamePasswordAuthentication upauth = (UsernamePasswordAuthentication) authentication;
>             String user = upauth.getUsername();
>             String password = upauth.getPassword();
>             if (user == null) {
>                 throw new AuthenticationFailedException("Authentication failed");
>             }
>             if (password == null) {
>                 password = "";
>             }
>             Statement stmt = null;
>             ResultSet rs = null;
>             try {
>                 // create the sql query
>                 HashMap<String, Object> map = new HashMap<String, Object>();
>                 map.put(ATTR_LOGIN, escapeString(user));
>                 map.put(ATTR_PASSWORD, escapeString(password));
>                 String sql = StringUtils.replaceString(authenticateStmt, map);
>                 LOG.info(sql);
>                 // execute query
>                 stmt = createConnection().createStatement();
>                 rs = stmt.executeQuery(sql);
>                 if (rs.next()) {
>                     try {
>                         return getUserByName(user);
>                     } catch (FtpException e) {
>                         throw new AuthenticationFailedException("Authentication failed", e);
>                     }
>                 } else {
>                     throw new AuthenticationFailedException("Authentication failed");
>                 }
>             } catch (SQLException ex) {
>                 LOG.error("DbUserManager.authenticate()", ex);
>                 throw new AuthenticationFailedException("Authentication failed", ex);
>             } finally {
>                 closeQuitely(rs);
>                 closeQuitely(stmt);
>             }
>         } else if (authentication instanceof AnonymousAuthentication) {
>             try {
>                 if (doesExist("anonymous")) {
>                     return getUserByName("anonymous");
>                 } else {
>                     throw new AuthenticationFailedException("Authentication failed");
>                 }
>             } catch (AuthenticationFailedException e) {
>                 throw e;
>             } catch (FtpException e) {
>                 throw new AuthenticationFailedException("Authentication failed", e);
>             }
>         } else {
>             throw new IllegalArgumentException("Authentication not supported by this user manager");
>         }
>     }

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
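As an added example (not code from the FtpServer project or from the reporter), a Python/sqlite3 model of the two behaviours described in the issue: the documented template, which keeps a literal {userpassword} in the SQL whenever only the login attribute is substituted, and a variant that binds userid as a query parameter and compares the stored password in code, as the shipped authenticate does. render_template, escape_string and the FTP_USER rows are constructed stand-ins for StringUtils.replaceString, escapeString and the real table.

```python
import hmac
import sqlite3

# Documented template, with the reporter's correction that the column is userid.
AUTH_TEMPLATE = ("SELECT userid FROM FTP_USER WHERE userid='{userid}' "
                 "AND userpassword='{userpassword}'")


def render_template(template: str, values: dict) -> str:
    """Stand-in for StringUtils.replaceString: substitute {key} placeholders.

    Assumed behaviour: keys absent from the map are left as literal text, so the
    documented {userpassword} placeholder survives when only the login is set.
    """
    for key, value in values.items():
        template = template.replace("{" + key + "}", str(value))
    return template


def escape_string(value: str) -> str:
    """Minimal single-quote doubling, assumed to mirror escapeString."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """Constructed sample table with one user (plaintext password for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FTP_USER (userid TEXT PRIMARY KEY, userpassword TEXT)")
    conn.execute("INSERT INTO FTP_USER VALUES ('alice', 's3cret')")
    return conn


def authenticate_via_template(conn, user, password, set_password):
    """Reported behaviour: only userid is substituted unless set_password is True."""
    values = {"userid": escape_string(user)}
    if set_password:
        values["userpassword"] = escape_string(password)
    sql = render_template(AUTH_TEMPLATE, values)
    # With set_password=False the WHERE clause still reads userpassword='{userpassword}'
    return conn.execute(sql).fetchone() is not None


def authenticate_bound(conn, user, password):
    """Variant that keeps the password out of the SQL text: bind userid, fetch the
    stored password and compare it in code with a constant-time check."""
    row = conn.execute("SELECT userpassword FROM FTP_USER WHERE userid=?",
                       (user,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], password)
```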
