Programmatically login with username and SHA encrypted password

    Hi all,

    I'm currently working on AppFuse 2.0 application and trying to add email activation to the user registration process. After the activation email is sent and user clicks on the activation link, I retrieve the activated user and programmatically log the user in. Here is the code I use:

    Code:
    import org.acegisecurity.Authentication;
    import org.acegisecurity.context.SecurityContextHolder;
    import org.acegisecurity.providers.ProviderManager;
    import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
    import org.springframework.beans.factory.NoSuchBeanDefinitionException;
    import org.springframework.context.ApplicationContext;
    import org.springframework.web.context.support.WebApplicationContextUtils;

    // log user in automatically
    // user.getPassword() is the value stored in the database, i.e. the SHA hash (see below)
    Authentication auth = new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword());
    try {
        ApplicationContext ctx =
            WebApplicationContextUtils.getWebApplicationContext(getSession().getServletContext());
        if (ctx != null) {
            // run the token through the configured providers (DaoAuthenticationProvider re-hashes the credentials)
            ProviderManager authenticationManager = (ProviderManager) ctx.getBean("authenticationManager");
            SecurityContextHolder.getContext().setAuthentication(authenticationManager.doAuthentication(auth));
        }
    } catch (NoSuchBeanDefinitionException n) {
        // ignore, should only happen when testing
    }
    The problem is that user.getPassword() returns the SHA encrypted password, so when I try to log the user in, I get a "Bad credentials" exception. I've searched the forum but couldn't find the answer. Here is my Acegi configuration:
    Code:
        <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
            <property name="providers">
                <list>
                    <ref local="daoAuthenticationProvider"/>
                    <ref local="anonymousAuthenticationProvider"/>
                    <ref local="rememberMeAuthenticationProvider"/>
                </list>
            </property>
        </bean>
    
        <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
             <property name="userDetailsService" ref="userDao"/>
             <property name="passwordEncoder" ref="passwordEncoder"/>
        </bean>
    
        <bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
            <property name="key" value="anonymous"/>
        </bean>
    
        <bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
            <property name="key" value="appfuseRocks"/>
        </bean>
    
        <!-- This bean definition must be available to ApplicationContext.getBean() so StartupListener
             can look for it and detect if password encryption is turned on or not -->
        <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.ShaPasswordEncoder"/>
    Thanks in advance.

#2
    If you want to log them in programmatically, then just set a valid authentication object in the security context directly (i.e. create one yourself rather than calling the authentication manager to obtain it). You can't obtain the user's password since obviously it's hashed and only they know it and there is little point in authenticating with a password you have just loaded from the database anyway. It won't make things more secure since it will always be correct.

    Obviously you will need to validate whatever is submitted with the activation link in some way, but I'm assuming you are already doing that.
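Following the approach in #2, here is an added example (not from this thread or from AppFuse) of what the activation page could do: it validates the activation token, then builds an already-authenticated token from the UserDetails loaded through the configured userDetailsService (the `userDao` bean) and places it in the SecurityContextHolder, so the hashed password is never used as a credential. The ActivationTokenStore interface and the constantTimeEquals helper are assumptions for illustration.

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import java.security.MessageDigest;

/** Activation step that logs the user in; the activation token, not the password, proves the request. */
public class AccountActivator {

    private final UserDetailsService userDetailsService;   // the "userDao" bean from the configuration
    private final ActivationTokenStore tokenStore;         // hypothetical: maps username -> stored token

    public AccountActivator(UserDetailsService userDetailsService, ActivationTokenStore tokenStore) {
        this.userDetailsService = userDetailsService;
        this.tokenStore = tokenStore;
    }

    /** Returns true if the token was valid and the user is now authenticated. */
    public boolean activateAndLogin(String username, String submittedToken) {
        String expected = tokenStore.findToken(username);
        if (expected == null || submittedToken == null || !constantTimeEquals(expected, submittedToken)) {
            return false;                      // unknown user or wrong/expired link: do not log in
        }
        tokenStore.consume(username);          // one-shot: a reused link must fail

        // Load roles from the database; the stored SHA hash is never passed as a credential
        UserDetails user = userDetailsService.loadUserByUsername(username);
        GrantedAuthority[] authorities = user.getAuthorities();

        // The three-argument constructor marks the token as already authenticated,
        // so no AuthenticationProvider (and therefore no password check) is involved.
        Authentication auth = new UsernamePasswordAuthenticationToken(user, null, authorities);
        SecurityContextHolder.getContext().setAuthentication(auth);
        return true;
    }

    /** Compare tokens without leaking timing information about how many leading bytes match. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(), b.getBytes());
    }

    /** Hypothetical store for activation tokens; the application supplies the implementation. */
    public interface ActivationTokenStore {
        String findToken(String username);
        void consume(String username);
    }
}
```

With Acegi 1.x, HttpSessionContextIntegrationFilter copies the SecurityContext into the HTTP session at the end of the request, so the authentication set here carries over to subsequent requests.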
