
Thread: DB Password Change Logs Me Out!

  1. #1

    DB Password Change Logs Me Out!

    Hi folks,
    I'm having issues when changing the user's password when using Acegi 0.8.3.

    When I change the password in the DB I get forwarded to the login page again! I can login using the new password, but that's still Not A Feature.

    Okay, so I see the same thing in old posts - I have to authenticate my new username and password and set that in the context ... except this solution keeps throwing BadCredentialsExceptions at me. And I've stalled here. Any help gratefully received!

    In particular, I'm confused as to why authenticating the old (current) password succeeds, while authenticating the new password fails.

    Here's my ChangePasswordController code (I'll be verbose as most of the FAQ style posts are a bit terse to use as examples and this might help someone else):
    Code:
            // This controller has the authentication manager, 
            // userDao, and password encoder injected into it.
    
            final ChangePasswordCommand changePassword =
                (ChangePasswordCommand)command;
    
            final Authentication authentication = 
                new UsernamePasswordAuthenticationToken(
                    changePassword.getUsername(), changePassword.getOldPassword());
    
            // Check the old password is correct before proceeding
            assert (authenticationManager != null);
            try
            {
                authenticationManager.authenticate(authentication);
            }
            catch(DisabledException e) { ... }
            catch(LockedException e) { ... }
            catch(BadCredentialsException e) { ... }
    
            final String username = changePassword.getUsername();
            final String plaintextPassword = changePassword.getNewPassword();
            final String encryptedPassword = encryptPassword(plaintextPassword);
    
            // This is a simple homegrown JDBC dao to edit
            // the users table.
            assert (userDao != null);
            userDao.updatePassword(username, encryptedPassword);
            
            final Authentication newAuthentication = 
                new UsernamePasswordAuthenticationToken(
                    username, plaintextPassword);
            try
            {
                authenticationManager.authenticate(authentication);            
            }
            catch(DisabledException e) { ... }
            catch(LockedException e) { ... }
            catch(BadCredentialsException e)
            {
                // I hit this every time...
                logger.error("New password is bad?!",e);
                return new ModelAndView(ExceptionViews.BAD_CREDENTIALS);   
            }
            // I never get here. But I think I'm telling my
            // current session about the DB password change.
            final SecureContext newContext = new SecureContextImpl();
            newContext.setAuthentication(newAuthentication);
            ContextHolder.setContext(newContext);
    
            // ... setup model etc skipped ... 
            return new ModelAndView(getSuccessView(), model);
    }

  2. #2

    I am an idiot.

    And for those of you following along at home, the answer is that I am an idiot. (In my defence I do have the cold at the moment....)

    Have you ever had a bug which can basically be resolved to you reading the variable name you expect to see and not the one which is actually there? Yes? Well, then you'll understand why I'm trying to authenticate the wrong Authentication object ... I am reauthenticating the old password instead of the new password in my previous post. But because I knew what that section of code did, my eye simply kept reading authentication as newAuthentication.

    Apologies if anyone wasted any time on this.
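For anyone who lands here from a search, below is the flow from post #1 with the mistake from post #2 corrected. This is an added example, not the original poster's code or anything shipped with Acegi: it authenticates the new token (not the old one) after the DB update, and it stores the Authentication returned by authenticate() in the context rather than the unauthenticated request token, because the returned object is the one flagged authenticated and populated with the user's GrantedAuthority[]. The net.sf.acegisecurity.* package names are the 0.8.x layout as I remember it and are an assumption, as are the UserDao and PasswordEncoder collaborators and their method names.

```java
// Added example, not the poster's controller. Package names assume the
// Acegi 0.8.x layout (net.sf.acegisecurity.*); UserDao is a hypothetical
// DAO matching the "homegrown JDBC dao" in the original post.
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.AuthenticationException;
import net.sf.acegisecurity.AuthenticationManager;
import net.sf.acegisecurity.BadCredentialsException;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContext;
import net.sf.acegisecurity.context.SecureContextImpl;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import net.sf.acegisecurity.providers.encoding.PasswordEncoder;

public class PasswordChanger {

    /** Minimal DAO contract assumed by this example (hypothetical). */
    public interface UserDao {
        void updatePassword(String username, String encodedPassword);
    }

    private final AuthenticationManager authenticationManager;
    private final PasswordEncoder passwordEncoder;
    private final UserDao userDao;

    public PasswordChanger(AuthenticationManager authenticationManager,
                           PasswordEncoder passwordEncoder,
                           UserDao userDao) {
        this.authenticationManager = authenticationManager;
        this.passwordEncoder = passwordEncoder;
        this.userDao = userDao;
    }

    /**
     * Verifies the old password, stores the new one, and re-authenticates the
     * current session with the new credentials so the user stays logged in.
     *
     * @return the authenticated token now held in the security context
     * @throws AuthenticationException if the old password is wrong or the
     *         account is disabled/locked; the caller maps it to a view
     */
    public Authentication changePassword(String username,
                                         String oldPassword,
                                         String newPassword)
            throws AuthenticationException {

        // 1. Prove the caller knows the current password before touching the
        //    DB. The exception is left to propagate on purpose: nothing below
        //    may run if this check fails.
        authenticationManager.authenticate(
            new UsernamePasswordAuthenticationToken(username, oldPassword));

        // 2. Persist the encoded form only. The same PasswordEncoder (and
        //    salt, null here) must be wired into the authentication provider,
        //    otherwise step 3 fails with BadCredentialsException.
        String encoded = passwordEncoder.encodePassword(newPassword, null);
        userDao.updatePassword(username, encoded);

        // 3. Re-authenticate with a token built from the NEW password. This is
        //    the line the original post got wrong (it re-used the old token).
        //    Keep the returned object: authenticate() hands back a token marked
        //    authenticated and carrying the user's GrantedAuthority[], which the
        //    request token we construct here does not have.
        Authentication newAuthentication;
        try {
            newAuthentication = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(username, newPassword));
        } catch (BadCredentialsException e) {
            // Unreachable if the row was just updated with the hash of
            // newPassword; reaching it means the encoder used above and the
            // one in the provider (or its salt source) disagree. Do not log
            // the password itself.
            throw new IllegalStateException(
                "freshly stored password does not verify for " + username, e);
        }

        // 4. Replace the session's authentication with the populated token.
        SecureContext context = new SecureContextImpl();
        context.setAuthentication(newAuthentication);
        ContextHolder.setContext(context);
        return newAuthentication;
    }
}
```

Two things worth keeping from this version even if you adapt it: take the username from the Authentication already in the ContextHolder rather than from the form, so a form can only ever change the password of the session that submits it; and never put the request token you built yourself into the context, only the object authenticate() returns.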
