  1. Jetspeed 2
  2. JS2-1308

Disabled Password is never checked and user can log in

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.3, 2.3.0
    • Fix Version/s: 2.2.3, 2.3.0
    • Component/s: Security
    • Labels:
      None

      Description

      In our portal a newly created user has to confirm its password via email.
      So we set the password to NOT enabled after user creation:

      User user = userManager.getUser(userName);
      PasswordCredential pwc = userManager.getPasswordCredential(user);
      pwc.setEnabled(false);
      userManager.storePasswordCredential(pwc);

      But the user can immediately log in, although the password is disabled.
      I verified this in the database (security_credential.IS_ENABLED = 0).

      The bug seems to be in the
      UserPasswordCredentialManagerImpl.getAuthenticatedPasswordCredential
      where isEnabled() is never checked!
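
The missing check the report describes, as an added example that is not part of the original issue and is not Jetspeed's code. The `Credential` record, `AuthenticationFailed`, and both authenticate methods are hypothetical stand-ins, and the sample user and password are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class DisabledCredentialCheck {
    // Hypothetical stand-in for a stored password credential (not a Jetspeed class).
    // Assumption: the secret is kept as raw bytes here; a real store holds a hash.
    record Credential(String user, byte[] secret, boolean enabled) {}

    static class AuthenticationFailed extends Exception {
        AuthenticationFailed(String reason) { super(reason); }
    }

    static boolean matches(Credential c, String supplied) {
        // Constant-time comparison of the stored and supplied secret.
        return MessageDigest.isEqual(c.secret(), supplied.getBytes(StandardCharsets.UTF_8));
    }

    // Models the reported behaviour: only the secret is compared, the flag is ignored.
    static Credential authenticateIgnoringState(Credential stored, String supplied)
            throws AuthenticationFailed {
        if (!matches(stored, supplied)) throw new AuthenticationFailed("authentication failed");
        return stored;
    }

    // Hardened form: a disabled credential never authenticates, and the caller
    // gets the same error either way so the response does not reveal which check failed.
    static Credential authenticate(Credential stored, String supplied)
            throws AuthenticationFailed {
        boolean secretOk = matches(stored, supplied);
        if (!stored.enabled() || !secretOk) throw new AuthenticationFailed("authentication failed");
        return stored;
    }

    static boolean canLogIn(boolean checkState, Credential c, String password) {
        try {
            if (checkState) authenticate(c, password); else authenticateIgnoringState(c, password);
            return true;
        } catch (AuthenticationFailed e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a newly created user whose credential is stored disabled.
        Credential pending = new Credential("newuser", "s3cret".getBytes(StandardCharsets.UTF_8), false);
        System.out.println("flag ignored:  " + canLogIn(false, pending, "s3cret"));
        System.out.println("flag enforced: " + canLogIn(true, pending, "s3cret"));
    }
}
```

A regression test for this class of bug asserts the negative case: a correct password presented against a disabled credential must fail.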

            People

            • Assignee:
              taylor David Sean Taylor
              Reporter:
              taylor David Sean Taylor