[SECURITY-84] Custom password validator is called without passing password value Created: 09/Feb/24  Updated: 09/Feb/24

Status: Open
Project: Security
Component/s: None
Affects Version/s: 6.2.20
Fix Version/s: None

Type: Bug Priority: Neutral
Reporter: Roberto Gaona Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

When creating a custom Java validator for the password and configuring it with a decoration like this:


form:
  tabs:
    user:
      fields:
        pswd:
          # https://docs.magnolia-cms.com/product-docs/6.2/Developing/Templating/Dialog-definition/Field-definition/List-of-fields/Password-field.html
          # Tip: You can add custom field validators to define your own password policy such as minimum length and character types.
          # https://docs.magnolia-cms.com/product-docs/6.2/Developing/Templating/Dialog-definition/Field-definition/Field-validators.html
          validators:
            passwordGuidelineValidator:
              class: de.apobank.corporate.validators.PasswordGuidelineValidatorDefinition
              errorMessage: security-app.user.user.pswd.validation.errorMessage

The validator does not appear to receive the password value at all and ends up validating an empty value instead.


This affects the old Security app: the validate method of PasswordFields does not appear to pass the entered password through to the configured validator.

The client provided a workaround replacing the "super.validate()" call with this:

    //////////////////////////////////////
    // START: TAKEN FROM super.validate();
    // passwordField, isBcryptHashValue() and log are members of the custom field subclass (not shown in the report).
    if (this.isRequired() && this.isEmpty()) {
        throw new Validator.EmptyValueException(super.getRequiredError());
    } else {
        // START: change
        String fieldValue = super.getValue();
        if (fieldValue == null) {
            super.validate(passwordField.getValue()); // We want the new password of a newly created user
        } else {
            if (isBcryptHashValue(fieldValue)) {
                // A stored value that is already a bcrypt hash means the password was not changed; the policy is not run on the hash.
                log.info("Skipping password validation (as we got a bcrypt hash value). Password was not changed.");
            } else {
                super.validate(fieldValue);
            }
        }
        // END: change
    }
    // END: TAKEN FROM super.validate();
    //////////////////////////////////////
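As an added illustration (neither the client's workaround nor Magnolia's API), the following plain Java shows the two pieces the workaround relies on in a form that fails closed: a guideline check that rejects a missing value instead of silently passing it (the symptom described above), and an `isBcryptHashValue` helper assumed here to be a modular-crypt format check. The minimum-length and character-type rules are a sample policy, and the bcrypt-format string in `main` is a sample value, not a hash from the report.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

/** Illustrative, framework-free password guideline check; not Magnolia's validator API. */
public final class PasswordGuidelineCheck {

    // Modular-crypt bcrypt layout: "$2a$", "$2b$" or "$2y$", a two-digit cost, "$", then 53 bcrypt-alphabet chars.
    private static final Pattern BCRYPT = Pattern.compile("^\\$2[aby]\\$\\d{2}\\$[./A-Za-z0-9]{53}$");

    /** Assumed implementation of the helper the workaround calls: is this stored value already a bcrypt hash? */
    public static boolean isBcryptHashValue(String value) {
        return value != null && BCRYPT.matcher(value).matches();
    }

    /** Returns the violated rules; an empty list means the password satisfies the sample policy. */
    public static List<String> violations(String password) {
        List<String> problems = new ArrayList<>();
        if (password == null || password.isEmpty()) {
            // Fail closed: an absent value is exactly what the bug hands the validator and must not pass the policy.
            problems.add("no password value was supplied to the validator");
            return problems;
        }
        if (password.length() < 12) problems.add("shorter than 12 characters");
        if (!password.chars().anyMatch(Character::isUpperCase)) problems.add("no upper-case letter");
        if (!password.chars().anyMatch(Character::isLowerCase)) problems.add("no lower-case letter");
        if (!password.chars().anyMatch(Character::isDigit)) problems.add("no digit");
        if (password.chars().allMatch(Character::isLetterOrDigit)) problems.add("no symbol");
        return problems;
    }

    /** Mirrors the workaround's value selection: the stored value, else the new-password field's value. */
    public static List<String> validateField(String storedValue, String newPasswordValue) {
        String candidate = storedValue == null ? newPasswordValue : storedValue;
        if (isBcryptHashValue(candidate)) {
            return Collections.emptyList(); // unchanged, already-hashed password: nothing to validate
        }
        return violations(candidate);
    }

    public static void main(String[] args) {
        // Case 1: the value never reaches the validator (the reported bug) -> rejected, not silently accepted.
        System.out.println(validateField(null, null));
        // Case 2: a newly created user whose new password comes from the password field.
        System.out.println(validateField(null, "Tr0ub4dor&3xyz"));
        // Case 3: an existing user whose stored value is a bcrypt hash (sample value) -> policy skipped.
        System.out.println(validateField("$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy", null));
    }
}
```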

Generated at Mon Feb 12 10:47:44 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.