[ https://issues.apache.org/jira/browse/OFBIZ-7058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15276002#comment-15276002 ]
Amardeep Singh Jhajj commented on OFBIZ-7058:
---------------------------------------------

Hi Jacques,

I have worked on this issue and found that sometimes the encrypted password string (Base64 string created from EntityCrypto's encrypt method) contains "+". So on clicking the reset password link from the email we get a reset password page, and on saving the new password we get this error. The reason is that "+" is converted to " " after URL decoding.

For example, the URL below has an encrypted token with "+":

https://localhost:8443/partymgr/control/passwordChange?USERNAME=DemoUser&password=CcXuJ3vDfba0J7A8xO+X5A==&forgotPwdFlag=true&tenantId=

We can do any of the following fixes:

1. We can pass the encrypted token in a form parameter instead of URL parameters. It would work fine. But I have seen OFBIZ-4983 and found that previously we used the form itself, but due to some email client related problems you changed it to URL parameters.

2. We can also encode the encrypted token using URL encoder so that it is taken as it is in URL decoding. Here is the code snippet we can add:

{code}
URLEncoder.encode(passwordToSend, "UTF-8");
{code}

Please let me know your views for fixing it. I have already attached the patch here using URLEncoder.

Thanks.

> New password set in forgot password workflow not works sometimes and gives error
> --------------------------------------------------------------------------------
>
>                 Key: OFBIZ-7058
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-7058
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk
>            Reporter: Amardeep Singh Jhajj
>            Assignee: Amardeep Singh Jhajj
>            Priority: Critical
>         Attachments: OFBIZ-7058-screenshot-1.png, OFBIZ-7058-screenshot-2.png, OFBIZ-7058.patch
>
>
> Sometimes, on clicking the reset password link from the "New password sent" email we get a reset password page, and on saving the new password we get the following error.
> [java] org.apache.shiro.crypto.CryptoException: Unable to execute 'doFinal' with cipher instance [javax.crypto.Cipher@3ea85a47].
> [java]     at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:462) ~[shiro-core-1.2.3.jar:1.2.3]
> [java]     at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:445) ~[shiro-core-1.2.3.jar:1.2.3]
> [java]     at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:390) ~[shiro-core-1.2.3.jar:1.2.3]
> [java]     at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:382) ~[shiro-core-1.2.3.jar:1.2.3]
> [java]     at org.ofbiz.entity.util.EntityCrypto$ShiroStorageHandler.decryptValue(EntityCrypto.java:282) ~[ofbiz-entity.jar:?]
> [java]     at org.ofbiz.entity.util.EntityCrypto.doDecrypt(EntityCrypto.java:147) ~[ofbiz-entity.jar:?]
> [java]     at org.ofbiz.entity.util.EntityCrypto.decrypt(EntityCrypto.java:126) ~[ofbiz-entity.jar:?]
> [java]     at org.ofbiz.webapp.control.LoginWorker.login(LoginWorker.java:389) ~[ofbiz-webapp.jar:?]
> [java]     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_60]
> [java]     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_60]
> [java]     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_60]
> [java]     at java.lang.reflect.Method.invoke(Method.java:497) ~[?:1.8.0_60]

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
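
The "+" to " " conversion described in the comment above, and the effect of the proposed URLEncoder fix, reproduced as an added example (not part of the original message or of the OFBiz code base). The `receive` helper is a hypothetical stand-in for the container's query-string decoding, and the second token is a constructed sample.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.Base64;

public class ResetTokenRoundTrip {
    // Token copied from the reset link quoted in the comment above.
    static final String TOKEN_WITH_PLUS = "CcXuJ3vDfba0J7A8xO+X5A==";
    // Constructed sample: Base64 of the bytes 0x00..0x0f, contains no '+'.
    static final String TOKEN_WITHOUT_PLUS = "AAECAwQFBgcICQoLDA0ODw==";

    // Hypothetical stand-in for the servlet container's query-string parsing:
    // form decoding maps '+' to a space and %XX to the byte XX.
    static String receive(String valueInLink) throws Exception {
        return URLDecoder.decode(valueInLink, "UTF-8");
    }

    // Reports what the server ends up with for a value placed in the link.
    static String check(String label, String valueInLink, String original) throws Exception {
        String received = receive(valueInLink);
        String verdict;
        if (received.equals(original)) {
            verdict = "intact";
        } else {
            try {
                Base64.getDecoder().decode(received);
                verdict = "altered but still decodable";
            } catch (IllegalArgumentException e) {
                // A space is outside the Base64 alphabet, so decoding is rejected.
                verdict = "altered, not valid Base64 (" + e.getMessage() + ")";
            }
        }
        return String.format("%-18s link=%-31s received=%-25s %s",
                label, valueInLink, received, verdict);
    }

    public static void main(String[] args) throws Exception {
        // Raw tokens: only the one containing '+' is damaged, which is why
        // the reset link fails "sometimes" rather than always.
        System.out.println(check("raw, no '+'", TOKEN_WITHOUT_PLUS, TOKEN_WITHOUT_PLUS));
        System.out.println(check("raw, with '+'", TOKEN_WITH_PLUS, TOKEN_WITH_PLUS));
        // Option 2 from the comment: percent-encode before building the link.
        String encoded = URLEncoder.encode(TOKEN_WITH_PLUS, "UTF-8");
        System.out.println(check("URLEncoder.encode", encoded, TOKEN_WITH_PLUS));
    }
}
```

The encoded value must be placed in the link exactly once; encoding it a second time while building the URL would leave literal "%2B" in the received token.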