portals-jetspeed-dev mailing list archives

From "David Sean Taylor (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] [Created] (JS2-1308) New User Enabled is Never Checked
Date Sat, 20 Dec 2014 01:33:13 GMT
David Sean Taylor created JS2-1308:
--------------------------------------

             Summary: New User Enabled is Never Checked
                 Key: JS2-1308
                 URL: https://issues.apache.org/jira/browse/JS2-1308
             Project: Jetspeed 2
          Issue Type: Bug
          Components: Security
    Affects Versions: 2.2.3, 2.3.0
            Reporter: David Sean Taylor
            Assignee: David Sean Taylor
             Fix For: 2.2.3, 2.3.0


In our portal a newly created user has to confirm its password via email.
So we set the password to NOT enabled after user creation:

  User user = userManager.getUser(userName);
  PasswordCredential pwc = userManager.getPasswordCredential(user);
  pwc.setEnabled(false);
  userManager.storePasswordCredential(pwc);

But the user can immediately log in, although the password is disabled.
I verified this in the database (security_credential.IS_ENABLED = 0).

The bug seems to be in
UserPasswordCredentialManagerImpl.getAuthenticatedPasswordCredential,
where isEnabled() is never checked!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
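
The failure mode reported above, as an added example that is not part of the original message or of Jetspeed's code: an authentication routine that only compares the password, next to one that also rejects a disabled credential. The `Credential` class and both `authenticate...` methods are hypothetical stand-ins, and the account data is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added illustration: Credential and both authenticate methods are hypothetical
// stand-ins, not Jetspeed's PasswordCredential or UserPasswordCredentialManagerImpl.
public class EnabledCheckDemo {

    static final class Credential {
        final String userName;
        final byte[] passwordDigest;
        final boolean enabled; // models security_credential.IS_ENABLED

        Credential(String userName, byte[] passwordDigest, boolean enabled) {
            this.userName = userName;
            this.passwordDigest = passwordDigest;
            this.enabled = enabled;
        }
    }

    // Unsalted SHA-256 keeps the demo short; it is not a password-storage scheme.
    static byte[] digest(String password) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256")
                .digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Behaviour described in the report: only the password is compared.
    static boolean authenticateWithoutEnabledCheck(Credential c, String password)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(c.passwordDigest, digest(password));
    }

    // Same comparison, but a disabled credential never authenticates.
    static boolean authenticateWithEnabledCheck(Credential c, String password)
            throws NoSuchAlgorithmException {
        boolean matches = MessageDigest.isEqual(c.passwordDigest, digest(password));
        return matches && c.enabled;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample: a new account still awaiting e-mail confirmation.
        Credential pending = new Credential("newuser", digest("s3cret"), false);
        System.out.println("without check:  " + authenticateWithoutEnabledCheck(pending, "s3cret"));
        System.out.println("with check:     " + authenticateWithEnabledCheck(pending, "s3cret"));
        System.out.println("wrong password: " + authenticateWithEnabledCheck(pending, "guess"));
    }
}
```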
