[ChangePassword] Solved security problem, added check to change user password
authorJonathan Bueno <jonathan.bueno@openbravo.com>
Thu, 28 Jan 2016 12:40:57 +0100
changeset 28798 8289713e0e69
parent 28797 99dee8bbab26
child 28799 f62d9ee30060
[ChangePassword] Solved security problem, added check to change user password
src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java
--- a/src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java	Thu Jan 28 10:58:07 2016 +0100
+++ b/src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java	Thu Jan 28 12:40:57 2016 +0100
@@ -110,6 +110,14 @@
 
       throw new AuthenticationException("IDENTIFICATION_FAILURE_TITLE", errorMsg);
     }
+
+    // Using the Servlet API instead of vars.setSessionValue to avoid breaking code
+    // vars.setSessionValue always transform the key to upper-case
+    request.getSession(true).setAttribute("#Authenticated_user", userId);
+
+    vars.setSessionValue("#AD_SESSION_ID", sessionId);
+    vars.setSessionValue("#LogginIn", "Y");
+
     Date lastUpdatePasswordDate = getUpdatePasswordDate(user);
 
     if (lastUpdatePasswordDate != null) {
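Review bot: The session is now marked with `#Authenticated_user` and `#LogginIn` before the password-expiry block that begins at `getUpdatePasswordDate(user)`, so if that block rejects the login (its body is outside the hunk, so this is inferred) the session keeps the authenticated-user attribute. Any code that treats the presence of `#Authenticated_user` as a completed login would then accept a user whose password has expired; consider clearing these attributes on the expiry path, or storing the id under a separate key that only the change-password handler reads. The new ordering is load-bearing but undocumented, so a comment such as `// Set before the expiry check: the forced password change validates the request against this session user` would keep it from being moved back. `request.getSession(true)` reuses any session created before login and no session-id rotation is visible in these lines, which is worth confirming in the rest of the method. The enclosing method starts and ends outside the hunk.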
@@ -124,14 +132,6 @@
 
       }
     }
-
-    // Using the Servlet API instead of vars.setSessionValue to avoid breaking code
-    // vars.setSessionValue always transform the key to upper-case
-    request.getSession(true).setAttribute("#Authenticated_user", userId);
-
-    vars.setSessionValue("#AD_SESSION_ID", sessionId);
-    vars.setSessionValue("#LogginIn", "Y");
-
     if (!StringUtils.isEmpty(strAjax) && StringUtils.isEmpty(userId)) {
       bdErrorAjax(response, "Error", "",
           Utility.messageBD(this.conn, "NotLogged", variables.getLanguage()));