directory-fortress mailing list archives

From Shawn McKinney <smckin...@apache.org>
Subject Re: User Password Field
Date Thu, 14 Apr 2016 13:12:08 GMT

> On Apr 14, 2016, at 7:46 AM, Chris Pike <clp207@psu.edu> wrote:
> 
> When creating a user using the fortress API, a userPassword field is created, even though
> I'm not specifying one for the user. What value is being put here? Is there a way to disable
> its creation?

Currently it is hard-coded to place an empty string there if not otherwise set by the caller.

    User create( User entity ) throws CreateException
    {
        ...

        // guard against npe
        myEntry.add( SchemaConstants.USER_PASSWORD_AT,
            ArrayUtils.isNotEmpty( entity.getPassword() ) ? new String( entity.getPassword() ) : new String( new char[] {} ) );

When authenticate or createSession (w/ trusted == false) are called with a null or empty password, a SecurityException is thrown, which means authentication will always fail unless the password field is set.

cannot call createSession w/ empty password (unless trusted):

    Session createSession( User user, boolean trusted ) throws SecurityException
    {
        Session session;
        if ( trusted )
        {
            ...
        }
        else
        {
            // Create the impl session if the user authentication succeeds:
            VUtil.assertNotNullOrEmpty( user.getPassword(), GlobalErrIds.USER_PW_NULL, CLS_NM + ".createSession" );
            session = createSession( user );


cannot call authenticate with empty password:

    @Override
    public Session authenticate( String userId, char[] password ) throws SecurityException
    {
        String methodName = "authenticate";
        VUtil.assertNotNullOrEmpty( userId, GlobalErrIds.USER_ID_NULL, getFullMethodName( CLS_NM, methodName ) );
        VUtil.assertNotNullOrEmpty( password, GlobalErrIds.USER_PW_NULL, getFullMethodName( CLS_NM, methodName ) );


Shawn
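Added example (not Fortress code, and not part of the thread) that models the two paths Shawn quotes: create() persisting an empty string when no password is given, and the assertNotNullOrEmpty guard in authenticate() refusing a null or empty password before the stored value is consulted. The class name, the map-backed store, java.lang.SecurityException and the local string comparison that stands in for the directory bind are all assumptions of this example.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Constructed stand-in for the two Fortress paths quoted above (not project code):
// create() persists "" when the caller supplied no password, and authenticate()
// rejects a null or empty password before the stored value is ever consulted.
public class EmptyPasswordGuard
{
    // Stand-in for each entry's userPassword attribute, keyed by userId.
    private final Map<String, String> userPasswordAt = new HashMap<>();

    // Mirrors the "guard against npe" line in create(): unset -> empty string.
    public void create( String userId, char[] password )
    {
        boolean present = password != null && password.length > 0;
        userPasswordAt.put( userId, present ? new String( password ) : "" );
    }

    // Mirrors VUtil.assertNotNullOrEmpty(): fail closed on null or empty input.
    static void assertNotNullOrEmpty( char[] value, String errId, String method )
    {
        if ( value == null || value.length == 0 )
        {
            throw new SecurityException( errId + " in " + method );
        }
    }

    // Mirrors authenticate(): the guard runs first, so the persisted "" can never
    // be matched by a caller who also submits an empty password.
    public boolean authenticate( String userId, char[] password )
    {
        assertNotNullOrEmpty( password, "USER_PW_NULL", "authenticate" );
        String stored = userPasswordAt.get( userId );
        // Real Fortress binds to the directory here; a local compare stands in for that.
        return stored != null && Arrays.equals( stored.toCharArray(), password );
    }

    public static void main( String[] args )
    {
        EmptyPasswordGuard mgr = new EmptyPasswordGuard();
        mgr.create( "demouser", null );                      // stored as ""
        mgr.create( "otheruser", "s3cret".toCharArray() );   // stored as given
        System.out.println( "otheruser: " + mgr.authenticate( "otheruser", "s3cret".toCharArray() ) );
        try
        {
            mgr.authenticate( "demouser", new char[] {} );   // throws before any lookup
        }
        catch ( SecurityException e )
        {
            System.out.println( "demouser rejected: " + e.getMessage() );
        }
    }
}
```

Rejecting the empty password before any bind is what keeps the empty userPassword written at create time from being usable as a credential; in a directory an LDAP simple bind with an empty password is treated as an unauthenticated bind (RFC 4513, section 5.1.2), which is why a client-side guard like this matters.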
