[
https://issues.apache.org/jira/browse/JS2-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Sean Taylor updated JS2-1308:
-----------------------------------
Summary: Disabled Password is never checked and user can log in (was: New
User Enabled is Never Checked)
> Disabled Password is never checked and user can log in
> ------------------------------------------------------
>
> Key: JS2-1308
> URL: https://issues.apache.org/jira/browse/JS2-1308
> Project: Jetspeed 2
> Issue Type: Bug
> Components: Security
> Affects Versions: 2.2.3, 2.3.0
> Reporter: David Sean Taylor
> Assignee: David Sean Taylor
> Fix For: 2.2.3, 2.3.0
>
>
> in our portal a new created user has to confirm it's password via email.
> So we set the password to NOT enabled after user creation:
> User user = userManager.getUser(userName);
> PasswordCredential pwc = userManager.getPasswordCredential(user);
> pwc.setEnabled(false);
> userManager.storePasswordCredential(pwc);
> But the user can immediately log in, although the password is disabled.
> I verified this in the database (security_credential.IS_ENABLED = 0).
> The bug seems to be in the
> UserPasswordCredentialManagerImpl.getAuthenticatedPasswordCredential
> where isEnabled() is never checked !
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
