Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-145129

Current encrypted password comparison in UserLocalServiceImpl does not work as expected



      This incorrect encryption (and so the comparison) is causing trouble in some ocassions. This is an example:

      • A user coming from LDAP, whose LDAP's object is being modified frequently for different reasons (so its modifyTimestamp attribute changes) is going to be imported.
      • This user logs in, so it is imported. passwordModifiedDate has a value and session's creation date too.
      • The user tries to change its password. During the internal process the user is authenticated against the current entered password. So it is checked (and incorrectly updated!):
        • Since the newly encrypted one does not match the 'old' one, it is managed as a new one, so the passwordModifiedDate is set to the modifyTimestamp value (_newer, because as we indicated it changes)._
      • At this point, the password's date is newer than the session's, so the users is logged out (and an error occurs).

      We need to take into account the current encrypted password to encrypt the new one and make _isPasswordUnchanged method work properly -> in this case, produce a true value since they are equals.

      Note for QA: please run the attached groovy script to test the solution.

      Expected result: password modified date before and after are equals.

      Current result: password modified dates are not equals before and after. An error occurs.


        Issue Links



              marcell.weller Marcell Weller (Inactive)
              cristina.rodriguez Cristina Rodriguez
              Antonio Ortega Antonio Ortega
              Cristina Rodriguez Cristina Rodriguez
              0 Vote for this issue
              0 Start watching this issue


                1 year, 20 weeks, 1 day ago


                  Version Package
         CE GA8
                  7.4.13 DXP U4
         CE GA9