[ChangePassword] Changed query to validate password date
authorJonathan Bueno <jonathan.bueno@openbravo.com>
Wed, 25 Nov 2015 12:50:59 +0100
changeset 28640 a2f2698c2672
parent 28639 632560abfb78
child 28641 cf47b2178ea9
[ChangePassword] Changed query to validate password date
src/org/openbravo/authentication/AuthenticationExpiryPasswordException.java
src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java
src/org/openbravo/base/secureApp/LoginUtils.java
--- a/src/org/openbravo/authentication/AuthenticationExpiryPasswordException.java	Wed Nov 25 10:35:15 2015 +0100
+++ b/src/org/openbravo/authentication/AuthenticationExpiryPasswordException.java	Wed Nov 25 12:50:59 2015 +0100
@@ -15,10 +15,24 @@
 import org.openbravo.base.exception.OBException;
 import org.openbravo.erpCommon.utility.OBError;
 
+/**
+ * 
+ * @author jbu
+ */
 public class AuthenticationExpiryPasswordException extends OBException {
   private static final long serialVersionUID = 1L;
   private OBError error;
 
+  public AuthenticationExpiryPasswordException(String msg) {
+    super(msg);
+    this.error = null;
+  }
+
+  public AuthenticationExpiryPasswordException(String msg, Throwable cause) {
+    super(msg, cause);
+    this.error = null;
+  }
+
   public AuthenticationExpiryPasswordException(String msg, OBError error) {
     super(msg);
     this.error = error;
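Review bot: The two new constructors set `error` to null, so `getOBError()` can now return null. Any handler that catches this exception and reads the OBError without a null check would fail; the handler is not visible here, so confirm it. Either document the null on the getter (`@return the error shown to the user, or null when none was supplied`) or build a default OBError in these constructors. The added Javadoc block holds only `@author jbu`; a summary such as `/** Thrown when a user logs in with a password whose validity period has elapsed. */` would say what the class is for. The third constructor continues outside the hunk.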
@@ -27,5 +41,4 @@
   public OBError getOBError() {
     return error;
   }
-
-}
+}
\ No newline at end of file
--- a/src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java	Wed Nov 25 10:35:15 2015 +0100
+++ b/src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java	Wed Nov 25 12:50:59 2015 +0100
@@ -13,6 +13,10 @@
 package org.openbravo.authentication.basic;
 
 import java.io.IOException;
+import java.text.DateFormat;
+import java.text.SimpleDateFormat;
+import java.util.Calendar;
+import java.util.Date;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
@@ -22,6 +26,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.log4j.Logger;
 import org.openbravo.authentication.AuthenticationException;
+import org.openbravo.authentication.AuthenticationExpiryPasswordException;
 import org.openbravo.authentication.AuthenticationManager;
 import org.openbravo.base.HttpBaseUtils;
 import org.openbravo.base.secureApp.LoginUtils;
@@ -93,6 +98,24 @@
       // throw error message will be caught by LoginHandler
       throw new AuthenticationException("IDENTIFICATION_FAILURE_TITLE", errorMsg);
     }
+    // Check if password valid date is reached
+    Date dateUPD = LoginUtils.getUpdatePasswordDate(conn, strUser, strPass);
+
+    if (dateUPD != null) {
+      DateFormat df = new SimpleDateFormat("yyyy-MM-dd");
+
+      // Checks if password
+      Calendar currentDate = Calendar.getInstance();
+      Date today = new Date(currentDate.getTimeInMillis());
+      if (dateUPD.compareTo(today) <= 0) {
+        log4j.debug("Failed user/password. Username: " + strUser + " - Session ID:" + sessionId);
+        OBError errorMsg = new OBError();
+        errorMsg.setType("Error");
+        errorMsg.setTitle("IDENTIFICATION_FAILURE_TITLE");
+        errorMsg.setMessage("IDENTIFICATION_FAILURE_MSG");
+        throw new AuthenticationExpiryPasswordException("IDENTIFICATION_FAILURE_TITLE", errorMsg);
+      }
+    }
 
     // Using the Servlet API instead of vars.setSessionValue to avoid breaking code
     // vars.setSessionValue always transform the key to upper-case
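Review bot: The expiry branch reuses the bad-credentials text: the debug line says `Failed user/password` and the OBError carries `IDENTIFICATION_FAILURE_TITLE` / `IDENTIFICATION_FAILURE_MSG`, so an expired password looks the same as a wrong one in logs and in the UI. Anyone triaging login failures would want them separated, e.g. `log4j.debug("Password expired. Username: " + strUser + " - Session ID:" + sessionId);` plus a dedicated message key for the title and message (name to be chosen by the project). `DateFormat df` is never used, which also makes the new `DateFormat`/`SimpleDateFormat` imports dead, and `Calendar.getInstance()` followed by `new Date(currentDate.getTimeInMillis())` is just `new Date()`. The comment `// Checks if password` is unfinished; something like `// Reject the login once the password validity date has passed` would do. The enclosing method starts and ends outside this hunk.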
--- a/src/org/openbravo/base/secureApp/LoginUtils.java	Wed Nov 25 10:35:15 2015 +0100
+++ b/src/org/openbravo/base/secureApp/LoginUtils.java	Wed Nov 25 12:50:59 2015 +0100
@@ -12,9 +12,12 @@
 package org.openbravo.base.secureApp;
 
 import java.io.File;
+import java.util.Calendar;
+import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.concurrent.TimeUnit;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -22,10 +25,12 @@
 import javax.xml.parsers.DocumentBuilderFactory;
 
 import org.apache.log4j.Logger;
+import org.hibernate.criterion.Restrictions;
 import org.openbravo.base.HttpBaseUtils;
 import org.openbravo.base.exception.OBException;
 import org.openbravo.base.exception.OBSecurityException;
 import org.openbravo.dal.core.OBContext;
+import org.openbravo.dal.service.OBCriteria;
 import org.openbravo.dal.service.OBDal;
 import org.openbravo.dal.service.OBQuery;
 import org.openbravo.database.ConnectionProvider;
@@ -34,6 +39,7 @@
 import org.openbravo.erpCommon.utility.DimensionDisplayUtility;
 import org.openbravo.erpCommon.utility.Utility;
 import org.openbravo.model.ad.access.RoleOrganization;
+import org.openbravo.model.ad.access.User;
 import org.openbravo.model.ad.domain.Preference;
 import org.openbravo.model.ad.system.Client;
 import org.openbravo.service.db.DalConnectionProvider;
@@ -89,6 +95,38 @@
     }
   }
 
+  public static Date getUpdatePasswordDate(ConnectionProvider connectionProvider, String login,
+      String unHashedPassword) {
+    try {
+      // Get the Update password date
+      UserLock lockSettings = new UserLock(login);
+      lockSettings.delayResponse();
+      if (lockSettings.isLockedUser()) {
+        return null;
+      }
+      Date total;
+
+      final OBCriteria<User> obc = OBDal.getInstance().createCriteria(User.class);
+      obc.add(Restrictions.like("username", login));
+
+      final List<User> listUser = obc.list();
+      User userOB = listUser.get(0);
+      Date lastUpdateDate = userOB.getUpdatePasswordDate();
+      Long validityDays = userOB.getClient().getValiddays();
+      if (validityDays != 0) {
+        Calendar currentDate = Calendar.getInstance();
+        currentDate
+            .setTimeInMillis(lastUpdateDate.getTime() + TimeUnit.DAYS.toMillis(validityDays));
+        total = new Date(currentDate.getTimeInMillis());
+        return total;
+      } else {
+        return null;
+      }
+    } catch (final Exception e) {
+      throw new OBException(e);
+    }
+  }
+
   /**
    * Similar to {@link LoginUtils#getValidUserId(ConnectionProvider, String, String)} but not
    * blocking user accounts.
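Review bot: The lookup in `getUpdatePasswordDate` uses `Restrictions.like("username", login)` followed by `listUser.get(0)`, so a login containing `%` or `_` is treated as a pattern and the expiry date can be taken from a different account's row. An exact match with `Restrictions.eq` is what this check needs. An empty result, a null `getUpdatePasswordDate()` or a null `getValiddays()` each throw inside the `try` and surface as a generic `OBException` during login. The sketch below handles them explicitly and treats them as "no expiry", which is a policy choice to confirm. `connectionProvider` and `unHashedPassword` are never read, so the clear-text password is passed into a method that does not need it, and the extra `delayResponse()` presumably adds a second delay if the credential check already ran one. The method also has no Javadoc; it should state that the return value is the date on which the password stops being valid, or null when no expiry applies.

```java
      // … unchanged: UserLock delay and locked-user check …

      final OBCriteria<User> obc = OBDal.getInstance().createCriteria(User.class);
      // Exact match: the login must not be interpreted as a LIKE pattern.
      obc.add(Restrictions.eq("username", login));

      final List<User> listUser = obc.list();
      if (listUser.isEmpty()) {
        return null;
      }
      User userOB = listUser.get(0);
      Date lastUpdateDate = userOB.getUpdatePasswordDate();
      Long validityDays = userOB.getClient().getValiddays();
      // Policy to confirm: missing data or a non-positive validity means the password never expires.
      if (lastUpdateDate == null || validityDays == null || validityDays <= 0) {
        return null;
      }
      return new Date(lastUpdateDate.getTime() + TimeUnit.DAYS.toMillis(validityDays));
```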