portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 6862] New: - Admin resetting password when encryption is turned on
Date Mon, 04 Mar 2002 22:17:30 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6862>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6862

Admin resetting password when encryption is turned on

           Summary: Admin resetting password when encryption is turned on
           Product: Jetspeed
           Version: 1.3a3-dev / CVS
          Platform: PC
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Security
        AssignedTo: jetspeed-dev@jakarta.apache.org
        ReportedBy: mark_orciuch@ngsltd.com


If password encryption feature is turned on 
(services.SecurityService.secure.passwords=true in tr.props) and password is 
reset by the administrator via user-form.vm, the password is saved in database 
unencrypted. Need to modify UserUpdateAction to do something like:

user.setPassword(TurbineSecurity.encryptPassword(user.getPassword()))

Or need to encrypt inside of JetspeedSecurity.saveUser.

I'm few months behind on Jetspeed source code so I can' provide a patch right 
now and it should be a simple one line change (I did verify that current 
Jetspeed works the same way). If patch is required, I can get one together in 
few weeks :)

--
To unsubscribe, e-mail:   <mailto:jetspeed-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:jetspeed-dev-help@jakarta.apache.org>


Mime
View raw message