Hi all,
To be able to implement the enhanced password security (see: http://issues.apache.org/jira/browse/JS2-151) I had to make a few changes to the security component interfaces and quite a lot in its implementation. Tonight's changes only lay the foundation for JS2-151, whose implementation I will start on now.
The current functionality of J2 isn't changed so far, but the security credential data as stored in the database is changed.
I've changed the PasswordCredential class to an interface (to allow more flexibility) and added o.a.j.security.spi.impl.DefaultPasswordCredentialImpl as a replacement for the old PasswordCredential.
The CLASSNAME field of the SECURITY_CREDENTIAL table contains the class name of the PasswordCredential class used by the CredentialHandler and thus is changed from o.a.j.security.PasswordCredential to the above-mentioned class.
The maven db.recreate goal (called from the quickStart goal) will automatically insert the corrected demo data, but those creating users themselves (including their password) through SQL will have to adapt the scripts they use for that and update their current data in the database as well. Forgetting to do so will result in users no longer being able to log in, and a LoginException with the message "Authentication failed: Password does not match" will be thrown from the DefaultLoginModule, which is displayed on the Tomcat console.
The upcoming changes I'll have to make for the implementation of JS2-151 will require further changes to the SECURITY_CREDENTIAL table (additional fields). When that happens I'll put out another warning to the list.
Regards,
Ate