ofbiz-commits mailing list archives

From jaco...@apache.org
Subject svn commit: r739738 - /ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
Date Sun, 01 Feb 2009 11:02:47 GMT
Author: jacopoc
Date: Sun Feb  1 11:02:46 2009
New Revision: 739738

URL: http://svn.apache.org/viewvc?rev=739738&view=rev
Log:
Enhanced checkNewPassword to work like the "userLogin" method when dealing with hashed passwords.

Modified:
    ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java

Modified: ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=739738&r1=739737&r2=739738&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java (original)
+++ ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java Sun Feb  1
11:02:46 2009
@@ -790,20 +790,33 @@
         String errMsg = null;
 
         if (!ignoreCurrentPassword) {
-            String realPassword = currentPassword;
-
-            if (useEncryption && currentPassword != null) {
-                realPassword = HashCrypt.getDigestHash(currentPassword, getHashType());
+            
+            String encodedPassword = useEncryption ? HashCrypt.getDigestHash(currentPassword,
getHashType()) : currentPassword;
+            String encodedPasswordOldFunnyHexEncode = useEncryption ? HashCrypt.getDigestHashOldFunnyHexEncode(currentPassword,
getHashType()) : currentPassword;
+            String encodedPasswordUsingDbHashType = encodedPassword;
+            
+            String oldPassword = userLogin.getString("currentPassword");
+            if (useEncryption && oldPassword != null && oldPassword.startsWith("{"))
{
+                // get encode according to the type in the database
+                String dbHashType = HashCrypt.getHashTypeFromPrefix(oldPassword);
+                if (dbHashType != null) {
+                    encodedPasswordUsingDbHashType = HashCrypt.getDigestHash(currentPassword,
dbHashType);
+                }
             }
+
             // if the password.accept.encrypted.and.plain property in security is set to
true allow plain or encrypted passwords
-            boolean passwordMatches = currentPassword != null && (realPassword.equals(userLogin.getString("currentPassword"))
||
-                    ("true".equals(UtilProperties.getPropertyValue("security.properties",
"password.accept.encrypted.and.plain")) && currentPassword.equals(userLogin.getString("currentPassword"))));
+            // if this is a system account don't bother checking the passwords
+            boolean passwordMatches = (oldPassword != null &&
+                (HashCrypt.removeHashTypePrefix(encodedPassword).equals(HashCrypt.removeHashTypePrefix(oldPassword))
||
+                        HashCrypt.removeHashTypePrefix(encodedPasswordOldFunnyHexEncode).equals(HashCrypt.removeHashTypePrefix(oldPassword))
||
+                        HashCrypt.removeHashTypePrefix(encodedPasswordUsingDbHashType).equals(HashCrypt.removeHashTypePrefix(oldPassword))
||
+                    ("true".equals(UtilProperties.getPropertyValue("security.properties",
"password.accept.encrypted.and.plain")) && currentPassword.equals(oldPassword))));
 
             if ((currentPassword == null) || (userLogin != null && currentPassword
!= null && !passwordMatches)) {
                 errMsg = UtilProperties.getMessage(resource,"loginservices.old_password_not_correct_reenter",
locale);
                 errorMessageList.add(errMsg);
             }
-            if (currentPassword.equals(newPassword) || realPassword.equals(newPassword))
{
+            if (currentPassword.equals(newPassword) || encodedPassword.equals(newPassword))
{
                 errMsg = UtilProperties.getMessage(resource,"loginservices.new_password_is_equal_to_old_password",
locale);
                 errorMessageList.add(errMsg);
             }
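Review bot: The new `passwordMatches` expression drops the `currentPassword != null` guard that the removed lines had, so a call without a current password now reaches `HashCrypt.getDigestHash(currentPassword, ...)` and, when `password.accept.encrypted.and.plain` is true, `currentPassword.equals(oldPassword)`, before the null check in the following `if`. Whether the `HashCrypt` helpers tolerate a null argument is not visible in this hunk, so I would restore the guard explicitly: `boolean passwordMatches = (currentPassword != null && oldPassword != null &&`. The added comment `// if this is a system account don't bother checking the passwords` looks carried over from the userLogin method and describes nothing in this expression, so it should be removed or replaced with one that names the three accepted encodings. The digest comparisons use `String.equals`, which is not constant-time; comparing the decoded bytes with `MessageDigest.isEqual` would be the safer form for a credential check. The enclosing method starts and ends outside the hunk.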


