
Thread: change password with dao not being refreshed

  1. #1

    change password with dao not being refreshed

    Hi all, I am using acegi for security with spring.

    Authentication works fine with:

    Code:
    public class CustomAcegiAuthenticationDao implements AuthenticationDao {
        // loadUserByUsername(String) implemented against Hibernate
    }
    On our service tier we have a method which works fine, changing the password against Hibernate properly.

    Code:
    public void changePassword(String password)
    {
        // Persist the new password for the logged-in user via Hibernate
        AuthenticatedUser authenticatedUser = currentUserProvider.getCurrentUser();
        userDAO.setPassword(new Long(authenticatedUser.getUserId()), password);
    }
    The current user provider returns an instance of a class extending acegi user (with additional properties) from the context.

    Code:
    public class AcegiCurrentUser extends User
    Everything works fine, but after changing the password the former password keeps being OK.

    We are also using ehcache; the thing is, I cannot see how we should request an update on this AcegiCurrentUser for the cache to be refreshed.

    Thanks, any help is appreciated

  2. #2

    Your change password controller must do three things:

    1. Change the password in the backend DB
    2. Call UserCache.removeUserFromCache()
    3. Update the local ContextHolder so the Authentication contains the new password

    All three steps are needed so that next request the new password is used.

  3. #3

    thanks

    Thanks a lot, it finally turned into something like this:

    Code:
    public void refreshPassword(String password)
    {
        // The current principal is the AcegiCurrentUser placed in the context at login
        SecureContext secureContext = SecureContextUtils.getSecureContext();
        Authentication authentication = secureContext.getAuthentication();
        AcegiCurrentUser user = (AcegiCurrentUser) authentication.getPrincipal();
        String username = user.getUsername();

        // Evict the cached UserDetails (userCache is the injected UserCache bean)
        if (userCache != null)
            userCache.removeUserFromCache(username);

        // Replace the context's Authentication with a token carrying the new password
        SecureContextImpl newSecureContext = new SecureContextImpl();
        newSecureContext.setAuthentication(new UsernamePasswordAuthenticationToken(username, password));
        ContextHolder.setContext(newSecureContext);
    }
    We'll maybe rethink where to place things

  4. #4

    All,

    I've tried the approach listed above to update username and password, but I get a NullPointerException error. I'm using acegi 0.7, spring 1.1, struts 1.1, and hibernate 2.1.

    First, I update the database via hibernate. This piece works fine. Next, I run the following code:


    Code:
            final SecureContextImpl newContext = new SecureContextImpl();
            newContext.setAuthentication(new UsernamePasswordAuthenticationToken(username, pform.getString("password")));
            ContextHolder.setContext(newContext);
    Again, no exceptions and I'm forwarded to the thank you page. So far so good, but if I click any page that uses acegi custom tags, I get the following:

    Code:
    java.lang.NullPointerException
        java.util.Arrays$ArrayList.<init>(Arrays.java:2342)
        java.util.Arrays.asList(Arrays.java:2328)
        net.sf.acegisecurity.taglibs.authz.AuthorizeTag.getPrincipalAuthorities(AuthorizeTag.java:132)
        net.sf.acegisecurity.taglibs.authz.AuthorizeTag.doStartTag(AuthorizeTag.java:78)
        org.apache.jsp.index_jsp._jspx_meth_authz_authorize_0(index_jsp.java:292)
        org.apache.jsp.index_jsp._jspService(index_jsp.java:140)
        org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:324)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:292)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:70)
        net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter.doFilter(SecurityEnforcementFilter.java:169)
        net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:105)
        net.sf.acegisecurity.ui.AbstractIntegrationFilter.doFilter(AbstractIntegrationFilter.java:170)
        net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:105)
        net.sf.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:333)
        net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:105)
    Is there something that I'm missing? When I don't modify the username/password, the application works fine. Any help would be appreciated.

    Thanks in advance

  5. #5

    Maybe you could use your AuthenticationProvider to authenticate your updated Authentication and store that authenticated instance in your Context.

    Hope that helps,
    Andreas

  6. #6

    Looks to me like you're updating ContextHolder with a new Authentication that doesn't contain any GrantedAuthority[] in a Controller, and then in the corresponding View you are getting a NPE because the View presumably is trying to query the Authentication.getAuthorities(). As Andreas suggested, use AuthenticationManager to properly authenticate the new Authentication request token, and as such it will have the necessary GrantedAuthority[]s. Don't forget to clear the UserCache as per my earlier post.
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security

  7. #7

    Code Tweak

    Regarding this golden nugget:

    Code:
            final SecureContextImpl newContext = new SecureContextImpl();
            newContext.setAuthentication(new UsernamePasswordAuthenticationToken(username, pform.getString("password")));
            ContextHolder.setContext(newContext);
    It seems that the UsernamePasswordAuthenticationToken constructor expects a Principal and some Credentials (http://acegisecurity.sourceforge.net...a.lang.Object)). It is common to use a userObject as the principal, which leads me to believe that the following is more appropriate (notice the usage of the userObject):

    Code:
            final SecureContextImpl newContext = new SecureContextImpl();
            newContext.setAuthentication(new UsernamePasswordAuthenticationToken(userObject, userObject.getPassword()));
            ContextHolder.setContext(newContext);
    Depending on your implementation of course.
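Putting the thread's advice together in one service-tier method: Ben's three steps (update the DB, evict the UserCache entry, refresh the ContextHolder), Andreas's and Ben's point that the refreshed token must go through the AuthenticationManager so it carries its GrantedAuthority[] (the cause of the AuthorizeTag NullPointerException in post #4), and post #7's point that the principal should be the user object rather than a bare username. This is an added example written for this page, not code from the thread or from the Acegi project. The net.sf.acegisecurity types and methods are the Acegi 0.7 ones; UserDAO is a hypothetical interface standing in for the poster's Hibernate DAO; the PasswordEncoder wiring and the null salt are assumptions. It also goes one step beyond the thread by re-verifying the old password before accepting the change, which the thread does not discuss.

```java
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.AuthenticationManager;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.security.SecureContext;
import net.sf.acegisecurity.context.security.SecureContextUtils;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import net.sf.acegisecurity.providers.dao.UserCache;
import net.sf.acegisecurity.providers.encoding.PasswordEncoder;

/**
 * Password change for an Acegi 0.7 application. Added example, not the
 * thread's own code. UserDAO is a hypothetical interface (assumption);
 * the other types are the real Acegi ones.
 */
public class PasswordChangeService {

    /** Hypothetical persistence interface standing in for the poster's Hibernate DAO. */
    public interface UserDAO {
        /** Persists the already-encoded password for the given username. */
        void setPassword(String username, String encodedPassword);
    }

    private final UserDAO userDAO;
    private final UserCache userCache;                    // e.g. the EhCacheBasedUserCache bean
    private final AuthenticationManager authenticationManager;
    private final PasswordEncoder passwordEncoder;        // assumed: same bean the DaoAuthenticationProvider uses

    public PasswordChangeService(UserDAO userDAO, UserCache userCache,
                                 AuthenticationManager authenticationManager,
                                 PasswordEncoder passwordEncoder) {
        this.userDAO = userDAO;
        this.userCache = userCache;
        this.authenticationManager = authenticationManager;
        this.passwordEncoder = passwordEncoder;
    }

    public void changePassword(String oldPassword, String newPassword) {
        // SecureContextUtils throws if the ContextHolder holds no SecureContext.
        SecureContext context = SecureContextUtils.getSecureContext();
        Authentication current = context.getAuthentication();
        if (current == null || !current.isAuthenticated()) {
            throw new IllegalStateException("No authenticated principal in ContextHolder");
        }
        // After a DaoAuthenticationProvider login the principal is the UserDetails
        // the AuthenticationDao loaded (the poster's AcegiCurrentUser).
        String username = ((UserDetails) current.getPrincipal()).getUsername();

        // Added check: prove knowledge of the current password before changing it.
        // authenticate() throws an unchecked AuthenticationException on failure.
        authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(username, oldPassword));

        // Step 1: change the password in the backend DB. Store the encoded form
        // if a PasswordEncoder is configured; a null salt is assumed here (pass
        // the provider's SaltSource value instead if one is configured).
        userDAO.setPassword(username, passwordEncoder.encodePassword(newPassword, null));

        // Step 2: evict the cached UserDetails, otherwise the UserCache keeps
        // accepting the old password (the original symptom in this thread).
        userCache.removeUserFromCache(username);

        // Step 3: put a fully authenticated token back in the ContextHolder.
        // Authenticating through the AuthenticationManager (after the eviction,
        // so the DAO is hit) is what gives the token its GrantedAuthority[] and
        // the UserDetails principal; a bare
        // new UsernamePasswordAuthenticationToken(username, password) has neither.
        Authentication refreshed = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(username, newPassword));
        context.setAuthentication(refreshed);
        ContextHolder.setContext(context);
    }
}
```

Wire it as a Spring bean with the same userCache, authenticationManager (ProviderManager) and passwordEncoder beans your DaoAuthenticationProvider is configured with; evicting a different cache instance than the provider reads from would leave step 2 ineffective. Acegi's integration filter writes the ContextHolder's Authentication back to the HttpSession when the request completes, so the refreshed token is what the next request sees. Constructing a new SecureContextImpl and calling ContextHolder.setContext(...) as the thread does works just as well as updating the existing context in place.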
