Changing email address when using SSO

 
When hiding the password field for non-admins (the password is useless information on the forum when using SSO...) ... the code fails to allow email address modifications, as the current password will never match u.getPassword() ... I guess.

At least currently the email address is never updated ... when not an admin. I'll just change it so it sets the email like any other field too...

// Profile update as posted: the e-mail may only be changed by an admin or after the
// current password has been confirmed. For an SSO account the user never supplies the
// stored forum password, so (as noted above) the condition never holds for non-admins.
if (isAdmin || u.getPassword().equals(currentPassword)) {
    u.setEmail(SafeHtml.makeSafe(request.getParameter("email")));

    String newPassword = request.getParameter("new_password");

    // optional password change, stored as an MD5 hash
    if (newPassword != null && newPassword.length() > 0) {
        u.setPassword(MD5.crypt(newPassword));
    }
}


[originally posted on jforum.net by Sid]
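Added example, not JForum's or the poster's code: one way to make the e-mail-change rule explicit per account type instead of letting the password comparison silently fail for SSO users. It assumes a hypothetical `ssoAccount` flag on the user record, hex MD5 as the stored hash format (to match the MD5.crypt call above; a salted slow hash would be the modern choice), that `newEmail` has already been sanitized the way the original does with SafeHtml.makeSafe, and Java 8 or newer. The `User` class, `EmailChangePolicy` and `Result` names are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example, not JForum code. Decides whether a profile update may change the
 * e-mail address, treating admin, local-password and SSO accounts separately.
 */
public final class EmailChangePolicy {

    /** Stand-in for the forum user record (assumed shape). */
    public static final class User {
        public String email;
        public String passwordHash;  // hex MD5 of the password, matching the page's MD5.crypt (assumption)
        public boolean ssoAccount;   // assumed flag: provisioned via SSO, no usable local password
        public boolean admin;
    }

    public enum Result { CHANGED, REAUTH_FAILED, EMAIL_OWNED_BY_SSO }

    /** When true, SSO accounts may edit the e-mail without a password (the fix proposed above). */
    private final boolean ssoEmailEditable;

    public EmailChangePolicy(boolean ssoEmailEditable) {
        this.ssoEmailEditable = ssoEmailEditable;
    }

    /** Hex MD5, used only to match the storage format the page shows. */
    static String md5Hex(String s) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest(s.getBytes(StandardCharsets.UTF_8))) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Hash the submitted value and compare against the stored hash in constant time. */
    static boolean passwordMatches(User u, String submitted) {
        if (submitted == null || u.passwordHash == null) return false;
        byte[] expected = u.passwordHash.getBytes(StandardCharsets.UTF_8);
        byte[] given = md5Hex(submitted).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);
    }

    /** newEmail is assumed to be already sanitized by the caller. */
    public Result changeEmail(User u, String currentPassword, String newEmail) {
        if (u.admin) {
            u.email = newEmail;
            return Result.CHANGED;
        }
        if (u.ssoAccount) {
            // No local password exists, so prompting for one can never succeed. Either the SSO
            // side owns the address (refuse the edit) or the forum does (allow it without re-auth).
            if (!ssoEmailEditable) return Result.EMAIL_OWNED_BY_SSO;
            u.email = newEmail;
            return Result.CHANGED;
        }
        if (!passwordMatches(u, currentPassword)) return Result.REAUTH_FAILED;
        u.email = newEmail;
        return Result.CHANGED;
    }

    public static void main(String[] args) {
        EmailChangePolicy strict = new EmailChangePolicy(false);

        User local = new User();                 // constructed sample local account
        local.passwordHash = md5Hex("hunter2");
        local.email = "old@example.org";
        if (strict.changeEmail(local, "wrong", "new@example.org") != Result.REAUTH_FAILED)
            throw new AssertionError("wrong password must be refused");
        if (strict.changeEmail(local, "hunter2", "new@example.org") != Result.CHANGED)
            throw new AssertionError("correct password must allow the change");

        User sso = new User();                   // constructed sample SSO account
        sso.ssoAccount = true;
        sso.email = "sso@example.org";
        if (strict.changeEmail(sso, null, "new@example.org") != Result.EMAIL_OWNED_BY_SSO)
            throw new AssertionError("SSO account must be refused under the strict policy");
        if (new EmailChangePolicy(true).changeEmail(sso, null, "new@example.org") != Result.CHANGED)
            throw new AssertionError("SSO account may edit under the permissive policy");
        System.out.println("all checks passed");
    }
}
```

The point of returning a distinct `EMAIL_OWNED_BY_SSO` result rather than silently skipping the field is that the profile page can tell the user where the address is actually managed, instead of appearing to accept an edit that is never saved.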
 
One minor thing to consider is that the e-mail address is a semi-security field. E.g., if someone gets access to your PC, they can change it and get lost password notifications, etc. This bit of code looks like it tries to limit e-mail changes to people who know their password.

Perhaps the "right" way to do this would be to have a bit of JavaScript associated with the e-mail field. If someone wants to change it, they get asked for their password. This is populated in a hidden field and submitted with the form.
[originally posted on jforum.net by monroe]
 
There's only one catch with your approach:

The sso password is always the same ;)

Authentication is done via a URL... this URL has a cipher and timestamp to make sure there are no illegal attempts. The parameters sent are username, groupid and email ...

So... even if I popped up the password question, the user would not be able to write it down, as he doesn't know the password that is being used in the forum ;)

The security is done before that already, via the SSO. If someone hijacks the computer or abuses it, with the passwords being saved in the browser... then it's the user's fault. But: the "send lost password" won't help either, as the forum password will never work for logging onto the actual site ;)
[originally posted on jforum.net by Sid]
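Added example, not the poster's SSO code or JForum's: an issue-and-verify pair for a login URL of the shape described above, carrying username, groupid and email plus a timestamp and a signature. The post only says "cipher and timestamp"; this example assumes the signature is an HMAC-SHA256 over the fields under a secret shared by the site and the forum, a 120-second freshness window, hex encoding of the tag, and Java 11 or newer (for the `Charset` overloads of `URLEncoder`/`URLDecoder`). The `SsoUrl` class, parameter names `ts` and `sig`, and the sample values are all assumptions.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: signed SSO login URL, site side (issue) and forum side (verify). */
public final class SsoUrl {
    private static final long MAX_SKEW_SECONDS = 120;   // assumed freshness window
    private final byte[] secret;

    public SsoUrl(byte[] sharedSecret) { this.secret = sharedSecret.clone(); }

    /** The exact bytes that are signed; length-prefixing stops "a|b","c" and "a","b|c" colliding. */
    static String canonical(String username, String groupid, String email, long ts) {
        StringBuilder sb = new StringBuilder();
        for (String f : new String[] { username, groupid, email, Long.toString(ts) }) {
            sb.append(f.length()).append(':').append(f).append('|');
        }
        return sb.toString();
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    /** Returns null on malformed input instead of throwing, so verify() can fail closed. */
    static byte[] unhex(String s) {
        if (s.length() % 2 != 0) return null;
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(s.charAt(2 * i), 16), lo = Character.digit(s.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) (hi << 4 | lo);
        }
        return out;
    }

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    /** Site side: the query string the user is redirected to the forum with. */
    public String issue(String username, String groupid, String email, long nowSeconds) {
        String sig = hex(hmac(canonical(username, groupid, email, nowSeconds)));
        return "username=" + enc(username) + "&groupid=" + enc(groupid)
             + "&email=" + enc(email) + "&ts=" + nowSeconds + "&sig=" + sig;
    }

    /** Forum side: the parameters, only if the timestamp is fresh and the signature matches. */
    public Optional<Map<String, String>> verify(String query, long nowSeconds) {
        Map<String, String> p = new HashMap<>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq <= 0) return Optional.empty();
            p.put(URLDecoder.decode(pair.substring(0, eq), StandardCharsets.UTF_8),
                  URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8));
        }
        for (String k : new String[] { "username", "groupid", "email", "ts", "sig" }) {
            if (!p.containsKey(k)) return Optional.empty();
        }
        long ts;
        try { ts = Long.parseLong(p.get("ts")); } catch (NumberFormatException e) { return Optional.empty(); }
        // Reject stale or future-dated URLs before doing any signature work.
        if (Math.abs(nowSeconds - ts) > MAX_SKEW_SECONDS) return Optional.empty();
        byte[] expected = hmac(canonical(p.get("username"), p.get("groupid"), p.get("email"), ts));
        byte[] given = unhex(p.get("sig"));
        if (given == null || !MessageDigest.isEqual(expected, given)) return Optional.empty();
        p.remove("sig");
        p.remove("ts");
        return Optional.of(p);
    }

    public static void main(String[] args) {
        SsoUrl sso = new SsoUrl("constructed-shared-secret".getBytes(StandardCharsets.UTF_8));
        long now = 1_700_000_000L;                       // constructed clock value
        String url = sso.issue("sid", "3", "sid@example.org", now);
        if (!sso.verify(url, now + 5).isPresent()) throw new AssertionError("fresh, untampered URL must verify");
        if (sso.verify(url.replace("sid%40example.org", "evil%40example.org"), now + 5).isPresent())
            throw new AssertionError("tampered e-mail must fail");
        if (sso.verify(url, now + 3600).isPresent()) throw new AssertionError("stale URL must fail");
        System.out.println("ok: " + url);
    }
}
```

Two caveats a reviewer would raise on this scheme, neither of which the post says the real site does or does not handle: the timestamp limits how long a captured URL stays usable but does not stop a replay inside the window, so the forum side should remember recently accepted (username, ts) pairs or a nonce if that matters; and because the e-mail arrives as a signed parameter, anyone holding the shared secret can assert any address for any user, which is the same trust the forum already places in the site.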
 