David Sean Taylor created JS2-1308:
--------------------------------------
Summary: New User Enabled is Never Checked
Key: JS2-1308
URL: https://issues.apache.org/jira/browse/JS2-1308
Project: Jetspeed 2
Issue Type: Bug
Components: Security
Affects Versions: 2.2.3, 2.3.0
Reporter: David Sean Taylor
Assignee: David Sean Taylor
Fix For: 2.2.3, 2.3.0
In our portal a newly created user has to confirm its password via email.
So we set the password to NOT enabled after user creation:

    User user = userManager.getUser(userName);
    PasswordCredential pwc = userManager.getPasswordCredential(user);
    pwc.setEnabled(false);
    userManager.storePasswordCredential(pwc);

But the user can immediately log in, although the password is disabled.
I verified this in the database (security_credential.IS_ENABLED = 0).
The bug seems to be in
UserPasswordCredentialManagerImpl.getAuthenticatedPasswordCredential,
where isEnabled() is never checked!
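
The failure mode reported above, as an added example that is not part of the original message and is not Jetspeed code: an authentication routine that only compares the password next to one that also requires the credential's enabled flag. The class, method and field names (EnabledCheckDemo, Credential, STORE, authenticate) and the sample users are hypothetical stand-ins constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-ins for a credential store; none of these are Jetspeed classes.
public class EnabledCheckDemo {
    static final class Credential {
        final byte[] digest;
        final boolean enabled; // plays the role of security_credential.IS_ENABLED
        Credential(String password, boolean enabled) {
            this.digest = sha256(password);
            this.enabled = enabled;
        }
    }

    static final Map<String, Credential> STORE = new HashMap<>();

    // Plain SHA-256 keeps the demo short; a real store uses a salted, slow KDF.
    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Behaviour described in the report: the password is compared, the flag is ignored.
    static boolean authenticateWithoutEnabledCheck(String user, String password) {
        Credential c = STORE.get(user);
        return c != null && MessageDigest.isEqual(c.digest, sha256(password));
    }

    // Hardened form: a correct password is not sufficient, the credential must be enabled.
    static boolean authenticate(String user, String password) {
        Credential c = STORE.get(user);
        if (c == null) return false;
        boolean match = MessageDigest.isEqual(c.digest, sha256(password)); // constant-time compare
        return match && c.enabled;
    }

    public static void main(String[] args) {
        STORE.put("newuser", new Credential("s3cret", false));  // constructed: awaiting e-mail confirmation
        STORE.put("confirmed", new Credential("s3cret", true)); // constructed: confirmed account
        System.out.println("no check, disabled user: " + authenticateWithoutEnabledCheck("newuser", "s3cret"));
        System.out.println("checked,  disabled user: " + authenticate("newuser", "s3cret"));
        System.out.println("checked,  enabled user:  " + authenticate("confirmed", "s3cret"));
    }
}
```

A regression test for this class of bug should log in with the correct password against a disabled credential and assert rejection, since tests that only try wrong passwords pass in both variants.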