portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From a..@apache.org
Subject cvs commit: jakarta-jetspeed-2/components/security/src/java/org/apache/jetspeed/security/spi/impl DefaultCredentialHandler.java
Date Thu, 03 Feb 2005 01:26:12 GMT
ate         2005/02/02 17:26:12

  Modified:    components/security/src/java/org/apache/jetspeed/security/spi/impl
                        DefaultCredentialHandler.java
  Log:
  Throw more specialized SecurityExceptions to allow easier localization and don't allow setting
updateRequired to false if the current password is invalid.
  
  Revision  Changes    Path
  1.13      +24 -10    jakarta-jetspeed-2/components/security/src/java/org/apache/jetspeed/security/spi/impl/DefaultCredentialHandler.java
  
  Index: DefaultCredentialHandler.java
  ===================================================================
  RCS file: /home/cvs/jakarta-jetspeed-2/components/security/src/java/org/apache/jetspeed/security/spi/impl/DefaultCredentialHandler.java,v
  retrieving revision 1.12
  retrieving revision 1.13
  diff -u -r1.12 -r1.13
  --- DefaultCredentialHandler.java	4 Dec 2004 21:08:18 -0000	1.12
  +++ DefaultCredentialHandler.java	3 Feb 2005 01:26:12 -0000	1.13
  @@ -24,6 +24,9 @@
   
   import org.apache.commons.logging.Log;
   import org.apache.commons.logging.LogFactory;
  +import org.apache.jetspeed.security.InvalidNewPasswordException;
  +import org.apache.jetspeed.security.InvalidPasswordException;
  +import org.apache.jetspeed.security.PasswordAlreadyUsedException;
   import org.apache.jetspeed.security.SecurityException;
   import org.apache.jetspeed.security.om.InternalCredential;
   import org.apache.jetspeed.security.om.InternalUserPrincipal;
  @@ -145,29 +148,35 @@
               credentials = new ArrayList();
           }
   
  +        InternalCredential credential = getPasswordCredential(internalUser, userName );
  +        
           if (null != oldPassword)
           {
  -            if ( pcProvider.getValidator() != null )
  -            {
  -                pcProvider.getValidator().validate(oldPassword);
  -            }
  -            if ( pcProvider.getEncoder() != null )
  +            if ( credential != null && 
  +                    credential.getValue() != null && 
  +                    credential.isEncoded() && 
  +                    pcProvider.getEncoder() != null )
               {
                   oldPassword = pcProvider.getEncoder().encode(userName, oldPassword);
               }
           }
           
  -        InternalCredential credential = getPasswordCredential(internalUser, userName );
  -        
           if (oldPassword != null && (credential == null || credential.getValue()
== null || !credential.getValue().equals(oldPassword)))
           {
               // supplied PasswordCredential not defined for this user
  -            throw new SecurityException(SecurityException.INVALID_PASSWORD);
  +            throw new InvalidPasswordException();
           }
           
           if ( pcProvider.getValidator() != null )
           {
  -            pcProvider.getValidator().validate(newPassword);
  +            try
  +            {
  +                pcProvider.getValidator().validate(newPassword);
  +            }
  +            catch (InvalidPasswordException ipe)
  +            {
  +                throw new InvalidNewPasswordException();
  +            }
           }
           
           boolean encoded = false;
  @@ -196,7 +205,7 @@
           }
           else if ( oldPassword.equals(newPassword) )
           {
  -            throw new SecurityException(SecurityException.INVALID_PASSWORD);
  +            throw new PasswordAlreadyUsedException();
           }
   
           if ( ipcInterceptor != null )
  @@ -256,6 +265,11 @@
               InternalCredential credential = getPasswordCredential(internalUser, userName
);
               if ( credential != null && !credential.isExpired() && credential.isUpdateRequired()
!= updateRequired )
               {
  +                // only allow setting updateRequired off if (non-Encoded) password is valid
  +                if ( !updateRequired && !credential.isEncoded() && pcProvider.getValidator()
!= null )
  +                {
  +                    pcProvider.getValidator().validate(credential.getValue());
  +                }
                   credential.setUpdateRequired(updateRequired);
                   long time = new Date().getTime();
                   credential.setModifiedDate(new Timestamp(time));
  
  
  

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org


Mime
View raw message