change password with dao not being refreshed
  • change password with dao not being refreshed

    Hi all, I am using acegi for security with spring.

    Authentication works fine with:

    Code:
    public class CustomAcegiAuthenticationDao implements AuthenticationDao
    On our service tier we have a method which works fine changing the password against hibernate properly.

    Code:
    public void changePassword(String password)
    {
        AuthenticatedUser authenticatedUser = currentUserProvider.getCurrentUser();
        userDAO.setPassword(new Long(authenticatedUser.getUserId()), password);
    }
    The current user provider returns an instance of a class extending acegi user (with additional properties) from the context.

    Code:
    public class AcegiCurrentUser extends User
    Everything works fine, but after changing the pass the former pass keeps being ok.

    We are also using ehcache; the thing is I cannot see how we should request an update on this AcegiCurrentUser for the cache to be refreshed.

    Thanks, any help is appreciated

  • #2
    Your change password controller must do three things:

    1. Change the password in the backend DB
    2. Call UserCache.removeUserFromCache()
    3. Update the local ContextHolder so the Authentication contains the new password

    All three steps are needed so that on the next request the new password is used.


    • #3
      thanks

      Thanks a lot, it finally turned into something like this

      Code:
          public void refreshPassword(String password)
          {
              AcegiCurrentUser user;
              SecureContext secureContext = SecureContextUtils.getSecureContext();
              Authentication authentication = secureContext.getAuthentication();

              user = (AcegiCurrentUser) authentication.getPrincipal();
              String username = user.getUsername();

              if (userCache != null)
                  userCache.removeUserFromCache(username);

              SecureContextImpl newSecureContext = new SecureContextImpl();
              newSecureContext.setAuthentication(new UsernamePasswordAuthenticationToken(username, password));
              ContextHolder.setContext(newSecureContext);
          }
      We'll maybe rethink where to place things


      • #4
        All,

        I've tried the approach listed above to update username and password, but I get a NullPointerException error. I'm using acegi 0.7, spring 1.1, struts 1.1, and hibernate 2.1.

        First, I update the database via hibernate. This piece works fine. Next, I run the following code:

        Code:
            final SecureContextImpl newContext = new SecureContextImpl();
            newContext.setAuthentication(new UsernamePasswordAuthenticationToken(username, pform.getString("password")));
            ContextHolder.setContext(newContext);
        Again, no exceptions and I'm forwarded to the thank you page. So far so good, but if I click any page that uses acegi custom tags, I get the following:

        Code:
        java.lang.NullPointerException
            java.util.Arrays$ArrayList.<init>(Arrays.java:2342)
            java.util.Arrays.asList(Arrays.java:2328)
            net.sf.acegisecurity.taglibs.authz.AuthorizeTag.getPrincipalAuthorities(AuthorizeTag.java:132)
            net.sf.acegisecurity.taglibs.authz.AuthorizeTag.doStartTag(AuthorizeTag.java:78)
            org.apache.jsp.index_jsp._jspx_meth_authz_authorize_0(index_jsp.java:292)
            org.apache.jsp.index_jsp._jspService(index_jsp.java:140)
            org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
            javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
            org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:324)
            org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:292)
            org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236)
            javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
            net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:70)
            net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter.doFilter(SecurityEnforcementFilter.java:169)
            net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:105)
            net.sf.acegisecurity.ui.AbstractIntegrationFilter.doFilter(AbstractIntegrationFilter.java:170)
            net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:105)
            net.sf.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:333)
            net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:105)
        Is there something that I'm missing? When I don't modify the username/password, the application works fine. Any help would be appreciated.

        Thanks in advance



        • #5
          Maybe you could use your AuthenticationProvider to authenticate your updated Authentication and store that authenticated instance in your Context.

          Hope that helps,
          Andreas



          • #6
            Looks to me like you're updating ContextHolder with a new Authentication that doesn't contain any GrantedAuthority[] in a Controller, and then in the corresponding View you are getting a NPE because the View presumably is trying to query the Authentication.getAuthorities(). As Andreas suggested, use AuthenticationManager to properly authenticate the new Authentication request token, and as such it will have the necessary GrantedAuthority[]s. Don't forget to clear the UserCache as per my earlier post.

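The three steps from post #2, done in the order post #6 describes, as an added example that is not code from any post in this thread. It assumes Acegi 0.7 package names, that `AcegiCurrentUser` exposes `getUserId()` as the thread's `AuthenticatedUser` does, and that a `UserDAO` interface with `setPassword(Long, String)` exists as in the first post.

```java
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.AuthenticationException;
import net.sf.acegisecurity.AuthenticationManager;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.security.SecureContext;
import net.sf.acegisecurity.context.security.SecureContextImpl;
import net.sf.acegisecurity.context.security.SecureContextUtils;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import net.sf.acegisecurity.providers.dao.UserCache;

// Illustrative service; UserDAO and AcegiCurrentUser are the thread's own (assumed) types.
public class PasswordChangeService {
    private final UserDAO userDAO;
    private final UserCache userCache;                      // the ehcache-backed UserCache bean
    private final AuthenticationManager authenticationManager;

    public PasswordChangeService(UserDAO userDAO, UserCache userCache,
                                 AuthenticationManager authenticationManager) {
        this.userDAO = userDAO;
        this.userCache = userCache;
        this.authenticationManager = authenticationManager;
    }

    public void changePassword(String newPassword) throws AuthenticationException {
        SecureContext ctx = SecureContextUtils.getSecureContext();
        AcegiCurrentUser user = (AcegiCurrentUser) ctx.getAuthentication().getPrincipal();
        String username = user.getUsername();

        // 1. Persist the new password in the backend DB.
        userDAO.setPassword(new Long(user.getUserId()), newPassword);

        // 2. Evict the cached UserDetails so the DAO provider reloads it on the next
        //    authentication; with the stale entry in place the old password keeps validating.
        if (userCache != null) {
            userCache.removeUserFromCache(username);
        }

        // 3. Re-authenticate through the AuthenticationManager. The request token carries no
        //    GrantedAuthority[]; the returned token does, which is what the authz tags read.
        //    This also verifies the new credentials really load from the backend.
        Authentication request = new UsernamePasswordAuthenticationToken(username, newPassword);
        Authentication result = authenticationManager.authenticate(request); // throws on failure

        // Only now replace the context, so a failed re-authentication leaves the
        // previously authenticated context untouched instead of an unauthenticated token.
        SecureContextImpl newCtx = new SecureContextImpl();
        newCtx.setAuthentication(result);
        ContextHolder.setContext(newCtx);
    }
}
```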


            • #7
              Code Tweak

              Regarding this golden nugget:

              Code:
                      final SecureContextImpl newContext = new SecureContextImpl();
                      newContext.setAuthentication(new UsernamePasswordAuthenticationToken(username, pform.getString("password")));
                      ContextHolder.setContext(newContext);
              It seems that the UsernamePasswordAuthentication constructor expects a Principal and some Credentials (http://acegisecurity.sourceforge.net...a.lang.Object)). It is common to use a userObject as the principal, which leads me to believe that the following is more appropriate (notice the usage of the userObject):

              Code:
                      final SecureContextImpl newContext = new SecureContextImpl();
                      newContext.setAuthentication(new UsernamePasswordAuthenticationToken(userObject, userObject.getPassword()));
                      ContextHolder.setContext(newContext);
              Depending on your implementation of course.
