{
    // Step 1: require proof of the current password. The old password is run
    // through a regular authentication attempt for userId before anything is changed.
    try {
        final UsernamePasswordToken oldCredentials = new UsernamePasswordToken(userId, oldPassword);
        final boolean rejected = this.getSecurityManager().authenticate(oldCredentials) == null;
        if (rejected) {
            // A null result is handled exactly like an explicit authentication failure.
            throw new InvalidCredentialsException();
        }
        // NOTE(review): the token still holds oldPassword when it goes out of scope;
        // UsernamePasswordToken.clear() exists for wiping it. Confirm no realm keeps a
        // reference to the token's password array before adding that call.
    } catch (org.apache.shiro.authc.AuthenticationException e) {
        // The failure reason goes to the debug log only; the caller receives the same
        // message-less exception on both failure paths, so the response does not
        // reveal why authentication failed.
        // NOTE(review): e.getMessage() is supplied by whatever raised the exception;
        // presumably it never echoes the submitted password. Verify.
        this.logger.debug("User failed to change password reason: " + e.getMessage(), e);
        throw new InvalidCredentialsException();
    }

    // NOTE(review): the check above only shows that the caller knows oldPassword for
    // userId. Nothing in this block ties userId to the currently logged-in subject or
    // limits repeated attempts; confirm both are enforced by the caller or the
    // security manager.

    // Step 2: the old password was accepted, so apply the new one.
    this.changePassword(userId, newPassword);
}