[Minor] Throwing explicit exception system user tries to login

Further enforcing that a system user may not have a password
2013-12-28 10:55:58 +01:00 · 2013-12-28 10:55:58 +01:00 · 5d59a52eeb
parent 3727d3545f
commit 5d59a52eeb
3 changed files with 11 additions and 12 deletions
--- a/config/PrivilegeModel.xml
+++ b/config/PrivilegeModel.xml
@ -18,7 +18,7 @@
 			</Properties>
 		</User>

-		<User userId="2" username="system_admin" password="bb06d5caae150999027a8cb68956564d3ae0f3662aee02eea96253df3dc49bf7">
+		<User userId="2" username="system_admin">
 			<Firstname>System User</Firstname>
 			<Surname>Administrator</Surname>
 			<State>SYSTEM</State>
@ -26,7 +26,6 @@
 			<Roles>
 				<Role>system_admin_privileges</Role>
 			</Roles>
-
 		</User>

 	</Users>
--- a/src/main/java/ch/eitchnet/privilege/handler/DefaultPrivilegeHandler.java
+++ b/src/main/java/ch/eitchnet/privilege/handler/DefaultPrivilegeHandler.java
@ -637,6 +637,13 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 				throw new AccessDeniedException(msg);
 			}

+			// make sure not a system user - they may not login in
+			if (user.getUserState() == UserState.SYSTEM) {
+				String msg = "User {0} is a system user and may no login!"; //$NON-NLS-1$
+				msg = MessageFormat.format(msg, username);
+				throw new AccessDeniedException(msg);
+			}
+
 			// validate password
 			String pwHash = user.getPassword();
 			if (pwHash == null)
@ -1009,9 +1016,6 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 	 */
 	private PrivilegeContext getSystemUserPrivilegeContext(String systemUsername) {

-		// we only work with hashed passwords
-		String passwordHash = this.encryptionHandler.convertToHash(systemUsername.getBytes());
-
 		// get user object
 		User user = this.persistenceHandler.getUser(systemUsername);
 		// no user means no authentication
@ -1022,12 +1026,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {

 		// validate password
 		String pwHash = user.getPassword();
-		if (pwHash == null) {
-			String msg = MessageFormat.format("System user {0} has no password and may not login!", systemUsername); //$NON-NLS-1$
-			throw new AccessDeniedException(msg);
-		}
-		if (!pwHash.equals(passwordHash)) {
-			String msg = MessageFormat.format("System user {0} has an incorrect password defined!", systemUsername); //$NON-NLS-1$
+		if (pwHash != null) {
+			String msg = MessageFormat.format("System users must not have a password: {0}", systemUsername); //$NON-NLS-1$
 			throw new AccessDeniedException(msg);
 		}

--- a/src/main/java/ch/eitchnet/privilege/model/internal/User.java
+++ b/src/main/java/ch/eitchnet/privilege/model/internal/User.java
@ -105,7 +105,7 @@ public final class User {
 		this.userId = userId;

 		this.username = username;
-		this.password = password;
+		this.password = StringHelper.isEmpty(password) ? null : password;
 		this.userState = userState;

 		this.firstname = firstname;