[GeoNetwork-devel] Bug in change password?

Hi list,

did anyone notice this? I found it in a heavily modified installation of GeoNetwork 2.1, but I also see it in a standard installation of GeoNetwork 2.2:

A logged-in user goes to Administration -> Change password, then enters a new password twice and saves. The new password is not saved, and the message

Error
The requested operation could not be performed.
UserNotFoundEx : User not found

is displayed. In the log file there’s

2008-04-15 17:47:50,937 INFO [jeeves.request] - HTML Request (from 127.0.0.1) : /geonetwork/srv/en/user.pwupdate
2008-04-15 17:47:50,937 DEBUG [jeeves.request] - Method : POST
2008-04-15 17:47:50,937 DEBUG [jeeves.request] - Content type : application/x-www-form-urlencoded
2008-04-15 17:47:50,937 DEBUG [jeeves.request] - Accept : text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
2008-04-15 17:47:50,937 INFO [jeeves.service] - Dispatching : user.pwupdate
2008-04-15 17:47:50,937 DEBUG [jeeves.service] - -> parameters are :
<request>
  <newPassword>myNewPassword</newPassword>
  <newPassword2>myNewPassword</newPassword2>
  <password>9cb08d4fbc5e8dbffc9186b348fe3995fc9cddc</password>
</request>
2008-04-15 17:47:50,968 ERROR [jeeves.service] - Exception when executing service
2008-04-15 17:47:50,968 ERROR [jeeves.service] - (C) Exc : UserNotFoundEx : User not found
2008-04-15 17:47:50,968 DEBUG [jeeves.service] - Raised exception while executing service
<error id="user-not-found">
  <message>User not found</message>
  <class>UserNotFoundEx</class>
  <stack>
    <at class="org.fao.geonet.services.user.PwUpdate" file="PwUpdate.java" line="76" method="exec" />
    <at class="jeeves.server.dispatchers.ServiceInfo" file="ServiceInfo.java" line="238" method="execService" />
    <at class="jeeves.server.dispatchers.ServiceInfo" file="ServiceInfo.java" line="141" method="execServices" />
    <at class="jeeves.server.dispatchers.ServiceManager" file="ServiceManager.java" line="376" method="dispatch" />
    <at class="jeeves.server.JeevesEngine" file="JeevesEngine.java" line="616" method="dispatch" />
    <at class="jeeves.server.sources.http.JeevesServlet" file="JeevesServlet.java" line="163" method="execute" />
    <at class="jeeves.server.sources.http.JeevesServlet" file="JeevesServlet.java" line="98" method="doPost" />
    <at class="javax.servlet.http.HttpServlet" file="HttpServlet.java" line="616" method="service" />
    <at class="javax.servlet.http.HttpServlet" file="HttpServlet.java" line="689" method="service" />
    <at class="org.mortbay.jetty.servlet.ServletHolder" file="ServletHolder.java" line="427" method="handle" />
  </stack>
  <object>2</object>
  <request>
    <language>en</language>
    <service>user.pwupdate</service>
  </request>
</error>
2008-04-15 17:47:50,968 INFO [jeeves.service] - -> dispatching to error for : user.pwupdate
2008-04-15 17:47:51,015 INFO [jeeves.service] - -> transforming with stylesheet : C:\geonetwork220\web\geonetwork/xsl/error.xsl

Cheers,
Heikki Doeleman

Yep - not long before 2.2 final - someone else reported it then - Godofredo I think? - 'User not found' is returned if the user doesn't exist (which is fine) but also if the user exists and the (scrambled) existing password doesn't match (which is not so obvious) - a straightforward fix is to split the query in the service so that you can detect each condition and give an appropriate error message.

Also, to ensure that only the user who knows the existing password can change it, I think the xslt and html form should be modified to force entry of the existing password as well - at present the scrambled password is used to prepopulate the existing password field - which is what Godofredo was saying too I think.

I can commit a fix for both of the above if we're all happy with that.

Cheers,
Simon

heikki wrote:

Hi list,

did anyone notice this? I found it in a heavily modified installation of GeoNetwork 2.1, but I also see it in a standard installation of GeoNetwork 2.2:

A logged-in user goes to Administration -> Change password, then enters a new password twice and saves. The new password is not saved, and the message

Error
The requested operation could not be performed.
UserNotFoundEx : User not found

is displayed. In the log file there's

2008-04-15 17:47:50,937 INFO [jeeves.request] - HTML Request (from 127.0.0.1) : /geonetwork/srv/en/user.pwupdate
2008-04-15 17:47:50,937 DEBUG [jeeves.request] - Method : POST
2008-04-15 17:47:50,937 DEBUG [jeeves.request] - Content type : application/x-www-form-urlencoded
2008-04-15 17:47:50,937 DEBUG [jeeves.request] - Accept : text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
2008-04-15 17:47:50,937 INFO [jeeves.service] - Dispatching : user.pwupdate
2008-04-15 17:47:50,937 DEBUG [jeeves.service] - -> parameters are :
<request>
  <newPassword>myNewPassword</newPassword>
  <newPassword2>myNewPassword</newPassword2>
  <password>9cb08d4fbc5e8dbffc9186b348fe3995fc9cddc</password>
</request>
2008-04-15 17:47:50,968 ERROR [jeeves.service] - Exception when executing service
2008-04-15 17:47:50,968 ERROR [jeeves.service] - (C) Exc : UserNotFoundEx : User not found
2008-04-15 17:47:50,968 DEBUG [jeeves.service] - Raised exception while executing service
<error id="user-not-found">
  <message>User not found</message>
  <class>UserNotFoundEx</class>
  <stack>
    <at class="org.fao.geonet.services.user.PwUpdate" file="PwUpdate.java" line="76" method="exec" />
    <at class="jeeves.server.dispatchers.ServiceInfo" file="ServiceInfo.java" line="238" method="execService" />
    <at class="jeeves.server.dispatchers.ServiceInfo" file="ServiceInfo.java" line="141" method="execServices" />
    <at class="jeeves.server.dispatchers.ServiceManager" file="ServiceManager.java" line="376" method="dispatch" />
    <at class="jeeves.server.JeevesEngine" file="JeevesEngine.java" line="616" method="dispatch" />
    <at class="jeeves.server.sources.http.JeevesServlet" file="JeevesServlet.java" line="163" method="execute" />
    <at class="jeeves.server.sources.http.JeevesServlet" file="JeevesServlet.java" line="98" method="doPost" />
    <at class="javax.servlet.http.HttpServlet" file="HttpServlet.java" line="616" method="service" />
    <at class="javax.servlet.http.HttpServlet" file="HttpServlet.java" line="689" method="service" />
    <at class="org.mortbay.jetty.servlet.ServletHolder" file="ServletHolder.java" line="427" method="handle" />
  </stack>
  <object>2</object>
  <request>
    <language>en</language>
    <service>user.pwupdate</service>
  </request>
</error>
2008-04-15 17:47:50,968 INFO [jeeves.service] - -> dispatching to error for : user.pwupdate
2008-04-15 17:47:51,015 INFO [jeeves.service] - -> transforming with stylesheet : C:\geonetwork220\web\geonetwork/xsl/error.xsl

Cheers,
Heikki Doeleman

------------------------------------------------------------------------

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
------------------------------------------------------------------------

_______________________________________________
GeoNetwork-devel mailing list
GeoNetwork-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork

Hi Simon,

yes I think the best fix is to remove the automatically pre-populated old password. This involves only a small change to user-pwupdate.xsl. It shouldn’t be pre-populated anyway, as the user should prove he knows his old password before he’s allowed to change it.

Thanks !
Heikki

On Tue, Apr 15, 2008 at 7:37 PM, Simon Pigot <sppigot@anonymised.com> wrote:

Yep - not long before 2.2 final - someone else reported it then - Godofredo I think? - 'User not found' is returned if the user doesn't exist (which is fine) but also if the user exists and the (scrambled) existing password doesn't match (which is not so obvious) - a straightforward fix is to split the query in the service so that you can detect each condition and give an appropriate error message.

Also, to ensure that only the user who knows the existing password can change it, I think the xslt and html form should be modified to force entry of the existing password as well - at present the scrambled password is used to prepopulate the existing password field - which is what Godofredo was saying too I think.

I can commit a fix for both of the above if we’re all happy with that.

Cheers,
Simon



Inventions cannot, in nature, be a subject of property. – Thomas Jefferson
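The two fixes the thread converges on, modelled in Python as an added example rather than GeoNetwork's own Java service: a "before" handler that resolves the user with a single query keyed on id and scrambled password (so a missing user and a wrong existing password both surface as UserNotFoundEx), beside a hardened handler that first looks the user up by the session's id and then checks the typed existing password in constant time, plus the two renderings of the old-password field that the user-pwupdate.xsl change is about. Everything below is assumed, not taken from the project: the scramble function (an unsalted SHA-1 hex digest stands in for it), the Users table layout and its one constructed row, the OldPasswordMismatchEx name, and the reading that the original service scrambled the pre-filled hash a second time, which is one explanation consistent with the log but not stated in the thread.

```python
"""Change-password service: collapsed-error / pre-filled-hash flow beside a hardened one.

Added example, not GeoNetwork code. Assumed: scramble() is an unsalted SHA-1 hex
digest, Users has (id, username, password), and the logged-in user's id (2, as in
<object>2</object> in the error above) comes from the session, never from the form.
"""
import hashlib
import hmac
import sqlite3


class UserNotFoundEx(Exception):
    """Same name as the exception in the log."""


class OldPasswordMismatchEx(Exception):
    """Hypothetical second condition, split out as the thread suggests."""


def scramble(password: str) -> str:
    # Stand-in for the project's password scrambling (assumption: unsalted SHA-1 hex).
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def setup_db() -> sqlite3.Connection:
    # Constructed in-memory Users table with a single sample account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)")
    conn.execute("INSERT INTO Users VALUES (2, 'heikki', ?)", (scramble("oldSecret"),))
    conn.commit()
    return conn


def stored_scrambled(conn, user_id):
    row = conn.execute("SELECT password FROM Users WHERE id = ?", (user_id,)).fetchone()
    return None if row is None else row[0]


def old_password_field_before(conn, user_id) -> str:
    # What the thread describes: the stylesheet pre-fills the field with the stored scrambled value.
    return '<input type="password" name="password" value="%s"/>' % stored_scrambled(conn, user_id)


def old_password_field_after() -> str:
    # The xsl fix: nothing pre-filled, the user has to type the existing password.
    return '<input type="password" name="password" value=""/>'


def pw_update_before(conn, user_id, password, new_password, new_password2) -> bool:
    """Single lookup keyed on id AND scrambled password: a missing user and a wrong
    existing password are indistinguishable, and a pre-filled hash, scrambled again,
    never matches (assumed reading of the log)."""
    if new_password != new_password2:
        raise ValueError("New passwords do not match")
    row = conn.execute("SELECT id FROM Users WHERE id = ? AND password = ?",
                       (user_id, scramble(password))).fetchone()
    if row is None:
        raise UserNotFoundEx("User not found")
    conn.execute("UPDATE Users SET password = ? WHERE id = ?", (scramble(new_password), user_id))
    conn.commit()
    return True


def pw_update_after(conn, user_id, password, new_password, new_password2) -> bool:
    """Split lookup: existence first, then a constant-time check of the typed old password."""
    if new_password != new_password2:
        raise ValueError("New passwords do not match")
    stored = stored_scrambled(conn, user_id)
    if stored is None:
        raise UserNotFoundEx("User not found")
    if not hmac.compare_digest(stored, scramble(password)):
        raise OldPasswordMismatchEx("Existing password is incorrect")
    conn.execute("UPDATE Users SET password = ? WHERE id = ?", (scramble(new_password), user_id))
    conn.commit()
    return True


def outcome(fn, *args) -> str:
    # Collapse a call into a short label so both flows can be compared side by side.
    try:
        return "ok" if fn(*args) else "failed"
    except (UserNotFoundEx, OldPasswordMismatchEx, ValueError) as exc:
        return type(exc).__name__


def run_scenarios() -> dict:
    results = {}
    conn = setup_db()
    prefilled = stored_scrambled(conn, 2)  # what the old form would post as 'password'
    results["before_prefilled_hash"] = outcome(pw_update_before, conn, 2, prefilled, "myNewPassword", "myNewPassword")
    results["before_unknown_user"] = outcome(pw_update_before, conn, 99, "oldSecret", "x", "x")
    results["before_wrong_old"] = outcome(pw_update_before, conn, 2, "wrong", "x", "x")
    results["after_unknown_user"] = outcome(pw_update_after, conn, 99, "oldSecret", "x", "x")
    results["after_wrong_old"] = outcome(pw_update_after, conn, 2, "wrong", "x", "x")
    results["after_hash_as_password"] = outcome(pw_update_after, conn, 2, prefilled, "x", "x")
    results["after_correct"] = outcome(pw_update_after, conn, 2, "oldSecret", "myNewPassword", "myNewPassword")
    results["stored_is_new_hash"] = stored_scrambled(conn, 2) == scramble("myNewPassword")
    return results


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

Two things worth keeping in mind when applying the same fix elsewhere. Because the user is already authenticated and identified by the session, telling "user not found" apart from "existing password incorrect" leaks nothing here, unlike on a login form, where the two must stay merged. And whatever the form pre-fills is the only secret the endpoint ever sees, so without the stylesheet change the service change alone still lets anyone holding the session change the password without proving knowledge of the old one.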