*/
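public LoginAnswer changePassword(HttpServletRequest req) {
    try {
        // removes old users
        this.removeOldUsers();
        LoginAnswer answer = createLoginAnswer();
        String userId = req.getParameter("USERID");
        // needed to prevent problems when user enters username as 'userid '
        if (userId != null) {
            userId = userId.trim();
        }
        String passWord = req.getParameter("PASSWORD");
        String newPassWord = req.getParameter("NEWPASSWORD");
        FetchData fetch = createFetch();
        // only the user id is echoed back to the client; the password fields never are
        fetch.addValue(userId != null ? userId : "", "USERID");
        if (userId != null) {
            answer.setUserId(userId);
        }
        answer.setFetch(fetch);
        String externalToken = req.getParameter("TOKEN");
        // make sure token sent from login is ok (current and the one stored
        // for this sessionId); it is checked before anything else so a request
        // without a valid token never reaches the password logic
        if (!checkToken(req.getSession().getId(), externalToken)) {
            return rejectChangePassword(req, answer, "No token");
        }
        // if we have a request not from the login.jsp or missing
        // user/password: every rejection is logged under "changePassword"
        // so the access log attributes the attempt to this endpoint
        if (userId == null) {
            return rejectChangePassword(req, answer, "No userid");
        }
        if (passWord == null) {
            return rejectChangePassword(req, answer, "No password");
        }
        if (newPassWord == null) {
            return rejectChangePassword(req, answer, "No new password");
        }
        User userDB = findUser(userId);
        // change password is only done for users that aren't logged in.
        // NOTE(review): this is answered before the password is verified, so the
        // reply tells an unauthenticated caller whether the account has a session.
        if (currentUsers.get(userId) != null) {
            answer.setRelogin(true);
            answer.setStatus("no relogins allowed");
            // there is never any reason to return a password to the client
            answer.getFetch().removeValue("PASSWORD");
            this.logToAccessLog(req, answer, "changePassword");
            return answer;
        }
        answer.setRelogin(false);
        // if more than loginWaitTimeOut minutes have passed since the last
        // failure, the failure record (and the doubled wait) is reset
        GregorianCalendar cutoff = new GregorianCalendar();
        cutoff.add(Calendar.MINUTE, -loginWaitTimeOut);
        if (currentFailedUsers.containsKey(userId)
                && cutoff.after(currentFailedUsers.get(userId).getCalendar())) {
            currentFailedUsers.remove(userId);
            if (logger.isDebugEnabled()) {
                logger.log(Level.DEBUG, "changePassword: reset user");
            }
        }
        // too many wrong tries: refuse without looking at the password
        if (currentFailedUsers.containsKey(userId)
                && currentFailedUsers.get(userId).getNoOfWrongTries() > CHANGE_PASSWORD_MAX_WRONG_TRIES) {
            return rejectChangePassword(req, answer, "To many tries");
        }
        // wrong password. findUser's contract is not visible here; a null result
        // (unknown id) is handled on the same path as a wrong password so the
        // reply and the wait penalty do not differ between "no such user" and
        // "wrong password", and so it is not reported as a logged NullPointerException.
        if (userDB == null || !passy.compareHashes(passWord, userDB.getPassword())) {
            // double wait time on wrong password....
            doubleLoginWait(userId);
            // doubleLoginWait creates the entry the wait is read from
            answer.setLoginWait(currentFailedUsers.get(userId).getWait().intValue());
            return rejectChangePassword(req, answer, "no match for username password in db");
        }
        try {
            // if password matches.. and not equal to old
            if (userDB.getPassword() != null && !newPassWord.equals(passWord)) {
                if (logger.isDebugEnabled()) {
                    logger.log(Level.DEBUG,
                            "changePassword() creating new user: " + userId);
                }
                this.getWriteLockUserTable();
                try {
                    // populate the user
                    currentUsers.put(userId, findUser(userId));
                    User user = currentUsers.get(userId);
                    // one instant for both timestamps; Timestamp is mutable, so two objects
                    long now = System.currentTimeMillis();
                    user.setTslastlogin(new Timestamp(now));
                    user.setPassword(passy.generateHash(newPassWord));
                    user.setChangepassword(Integer.valueOf(0));
                    user.setTspassword(new Timestamp(now));
                    ((UserBean) user).store();
                    user.setLastActivityTimeStamp();
                    // NOTE(review): the existing session id is reused, not rotated, on login
                    user.setSessionId(req.getSession().getId());
                    // set default sortlists from the dispatchers lists
                    setStandardSortOrder(user);
                    // we set users donelogin to true as we have done a
                    // login or relogin
                    user.setFromPage("login.jsp");
                    // new user should be sent to start...
                    answer.setReturnToPage("start.jsp");
                    user.setDoneLogin(true);
                    // removes user from currentFailedUsers on successful login
                    // (remove on an absent key is a no-op)
                    currentFailedUsers.remove(userId);
                    // create answer
                    answer.setStatus("loggedin");
                    answer.setInfo("new user created");
                } finally {
                    this.releaseWriteLockUserTable();
                }
                if (logger.isDebugEnabled()) {
                    logger.log(Level.DEBUG,
                            "changePassword(): new user complete: " + userId);
                }
            } else if (newPassWord.equals(passWord)) {
                // same new as old password
                answer.setStatus("password should be changed");
                answer.setInfo("same password not allowed");
            } else {
                // stored password is null although the hashes compared equal:
                // counted as a failure, status left as created by createLoginAnswer()
                doubleLoginWait(userId);
            }
        } catch (Exception e) {
            logger.log(Level.ERROR,
                    "changePassword() error in creating user:", e);
        }
        // there is never any reason to return a password to the client
        answer.getFetch().removeValue("PASSWORD");
        // log to accessLog
        this.logToAccessLog(req, answer, "changePassword");
        return answer;
    } catch (Exception e) {
        logger.log(Level.ERROR, "changePassword() error:", e);
        // creating a minimal failure answer; nothing from the request is echoed
        LoginAnswer answer = new LoginAnswer();
        answer.setStatus(LoginAnswer.FAILED);
        answer.setInfo("error in loginUser");
        answer.setFetch(new FetchData());
        // log to accessLog
        this.logToAccessLog(req, answer, "changePassword");
        return answer;
    }
}

/** Number of wrong tries above which changePassword refuses without checking the password. */
private static final int CHANGE_PASSWORD_MAX_WRONG_TRIES = 10;

/**
 * Marks {@code answer} as a failed change-password attempt and finishes it.
 *
 * <p>Sets the status to {@link LoginAnswer#FAILED} with {@code info} as the
 * client-visible reason, strips any "PASSWORD" value from the fetch (a password
 * is never returned to the client) and writes the "changePassword" access-log
 * entry before handing the answer back for the caller to return.
 *
 * @param req    the request being answered (used for the access log)
 * @param answer the answer to mark as failed; must already carry a fetch
 * @param info   client-visible reason for the failure
 * @return {@code answer}, for use as {@code return rejectChangePassword(...)}
 */
private LoginAnswer rejectChangePassword(HttpServletRequest req, LoginAnswer answer, String info) {
    answer.setStatus(LoginAnswer.FAILED);
    answer.setInfo(info);
    // there is never any reason to return a password to the client
    answer.getFetch().removeValue("PASSWORD");
    // log to accessLog
    this.logToAccessLog(req, answer, "changePassword");
    return answer;
}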