portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Sean Taylor (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] [Resolved] (JS2-1308) Disabled Password is never checked and user can log in
Date Sat, 20 Dec 2014 01:38:13 GMT

     [ https://issues.apache.org/jira/browse/JS2-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

David Sean Taylor resolved JS2-1308.
------------------------------------
    Resolution: Fixed

> Disabled Password is never checked and user can log in
> ------------------------------------------------------
>
>                 Key: JS2-1308
>                 URL: https://issues.apache.org/jira/browse/JS2-1308
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.2.3, 2.3.0
>            Reporter: David Sean Taylor
>            Assignee: David Sean Taylor
>             Fix For: 2.2.3, 2.3.0
>
>
> in our portal a new created user has to confirm it's password via email.
> So we set the password to NOT enabled after user creation:
>   User user = userManager.getUser(userName);
>   PasswordCredential pwc = userManager.getPasswordCredential(user);
>   pwc.setEnabled(false);
>   userManager.storePasswordCredential(pwc);
> But the user can immediately log in, although the password is disabled.
> I verified this in the database  (security_credential.IS_ENABLED = 0).
> The bug seems to be in the
> UserPasswordCredentialManagerImpl.getAuthenticatedPasswordCredential
> where isEnabled() is never checked !



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


Mime
View raw message