ate 2005/02/02 17:26:12 Modified: components/security/src/java/org/apache/jetspeed/security/spi/impl DefaultCredentialHandler.java Log: Throw more specialized SecurityExceptions to allow easier localization and don't allow setting updateRequired to false if the current password is invalid. Revision Changes Path 1.13 +24 -10 jakarta-jetspeed-2/components/security/src/java/org/apache/jetspeed/security/spi/impl/DefaultCredentialHandler.java Index: DefaultCredentialHandler.java =================================================================== RCS file: /home/cvs/jakarta-jetspeed-2/components/security/src/java/org/apache/jetspeed/security/spi/impl/DefaultCredentialHandler.java,v retrieving revision 1.12 retrieving revision 1.13 diff -u -r1.12 -r1.13 --- DefaultCredentialHandler.java 4 Dec 2004 21:08:18 -0000 1.12 +++ DefaultCredentialHandler.java 3 Feb 2005 01:26:12 -0000 1.13 @@ -24,6 +24,9 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.jetspeed.security.InvalidNewPasswordException; +import org.apache.jetspeed.security.InvalidPasswordException; +import org.apache.jetspeed.security.PasswordAlreadyUsedException; import org.apache.jetspeed.security.SecurityException; import org.apache.jetspeed.security.om.InternalCredential; import org.apache.jetspeed.security.om.InternalUserPrincipal; @@ -145,29 +148,35 @@ credentials = new ArrayList(); } + InternalCredential credential = getPasswordCredential(internalUser, userName ); + if (null != oldPassword) { - if ( pcProvider.getValidator() != null ) - { - pcProvider.getValidator().validate(oldPassword); - } - if ( pcProvider.getEncoder() != null ) + if ( credential != null && + credential.getValue() != null && + credential.isEncoded() && + pcProvider.getEncoder() != null ) { oldPassword = pcProvider.getEncoder().encode(userName, oldPassword); } } - InternalCredential credential = getPasswordCredential(internalUser, userName ); - if (oldPassword != null && (credential == null || credential.getValue() == null || !credential.getValue().equals(oldPassword))) { // supplied PasswordCredential not defined for this user - throw new SecurityException(SecurityException.INVALID_PASSWORD); + throw new InvalidPasswordException(); } if ( pcProvider.getValidator() != null ) { - pcProvider.getValidator().validate(newPassword); + try + { + pcProvider.getValidator().validate(newPassword); + } + catch (InvalidPasswordException ipe) + { + throw new InvalidNewPasswordException(); + } } boolean encoded = false; @@ -196,7 +205,7 @@ } else if ( oldPassword.equals(newPassword) ) { - throw new SecurityException(SecurityException.INVALID_PASSWORD); + throw new PasswordAlreadyUsedException(); } if ( ipcInterceptor != null ) @@ -256,6 +265,11 @@ InternalCredential credential = getPasswordCredential(internalUser, userName ); if ( credential != null && !credential.isExpired() && credential.isUpdateRequired() != updateRequired ) { + // only allow setting updateRequired off if (non-Encoded) password is valid + if ( !updateRequired && !credential.isEncoded() && pcProvider.getValidator() != null ) + { + pcProvider.getValidator().validate(credential.getValue()); + } credential.setUpdateRequired(updateRequired); long time = new Date().getTime(); credential.setModifiedDate(new Timestamp(time));
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]