Bug in AuthenticationManagerBean -> authenticate method

tarek.ghonamy · December 23, 2018, 8:00am

Hello Team,

I believe there is a bug in the AuthenticationManagerBean -> authenticate(Credentials credentials) method, if the credentials used is of type LoginPasswordCredentials the authenticate method always throws a LoginException, note that the login(Credentials credentials) in the same bean works fine though.you can reproduce the bug by setting cuba.web.rememberMeEnabled = false and override the doLogin(Credentials credentials) method in the login page (inject the AuthenticationService) to be as following:

    protected void doLogin(Credentials credentials) throws LoginException {
        if (credentials instanceof AbstractClientCredentials) {
            ((AbstractClientCredentials) credentials).setOverrideLocale(localesSelect.isVisible());
        }
        authenticationService.authenticate(credentials);
        connection.login(credentials);
    }

artamonov · December 25, 2018, 11:07am

Hi,

You cannot pass plain password to the middleware. See com.haulmont.cuba.web.security.providers.LoginPasswordLoginProvider:

    @Nullable
    @Override
    public AuthenticationDetails login(Credentials credentials) throws LoginException {
        LoginPasswordCredentials loginPasswordCredentials = (LoginPasswordCredentials) credentials;

        if (loginPasswordCredentials.getPassword() != null) {
            String hashedPassword = passwordEncryption.getPlainHash(loginPasswordCredentials.getPassword());
            loginPasswordCredentials.setPassword(hashedPassword);
        }

        return loginMiddleware(loginPasswordCredentials);
    }

All passwords must be prehashed in order to be sent to the middleware.

krivopustov · December 26, 2018, 6:11am

Please note that this has been changed since framework 7.0 - see cuba.checkPasswordOnClient.