directory-fortress mailing list archives

From Chris Pike <>
Subject Re: User Password Field
Date Thu, 21 Apr 2016 19:18:07 GMT
Any objection if I modify the code to allow not setting the user password field via a property?
Something like


----- Original Message -----
From: "Shawn McKinney" <>
Sent: Thursday, April 14, 2016 9:12:08 AM
Subject: Re: User Password Field

> On Apr 14, 2016, at 7:46 AM, Chris Pike <> wrote:
>
> When creating a user using the fortress API, a userPassword field is created, even though
> I'm not specifying one for the user. What value is being put here? Is there a way to disable
> its creation?

Currently it is hard-coded to place an empty string there if not otherwise set by caller.

User create( User entity ) throws CreateException
{
    ...
    // guard against npe: when the caller set no password, store an empty string
    myEntry.add( SchemaConstants.USER_PASSWORD_AT,
        ArrayUtils.isNotEmpty( entity.getPassword() ) ? new String( entity.getPassword() ) : new String( new char[] {} ) );
    ...
}

When authenticate or createSession (w/ trusted == false) are called with a null or empty password
a SecurityException is thrown which means authentication will always fail unless the password
field is set.

cannot call createSession w/ empty password (unless trusted):

    Session createSession( User user, boolean trusted ) throws SecurityException
    {
        Session session;
        if ( !trusted )
        {
            // Not trusted: the password must be present and non-empty, and the impl
            // session is created only if the user authentication succeeds:
            VUtil.assertNotNullOrEmpty( user.getPassword(), GlobalErrIds.USER_PW_NULL, CLS_NM + ".createSession" );
            session = createSession( user );
        }
        ...
    }

cannot call authenticate with empty password:

    public Session authenticate( String userId, char[] password ) throws SecurityException
    {
        String methodName = "authenticate";
        // both the userId and the password must be present and non-empty
        VUtil.assertNotNullOrEmpty( userId, GlobalErrIds.USER_ID_NULL, getFullMethodName( CLS_NM, methodName ) );
        VUtil.assertNotNullOrEmpty( password, GlobalErrIds.USER_PW_NULL, getFullMethodName( CLS_NM, methodName ) );
        ...
    }

