Re: [xwiki-devs] [Proposal] Introduce a new API method in order to be able to check an user password

Hi, Thanks for the piece of advice. Since I need access to the context and would like to be able to put some warning in the logs if an error occurs while checking the password, I think I would put the method in com.xpn.xwiki.api.User rather than in XWikiUser. But of course I would check for the Programming Rights to avoid Brute force.

Thanks, Thomas On Thu, Apr 25, 2013 at 5:02 PM, Vincent Massol &lt;vincent(a)massol.net&gt; wrote: > Hi, > > On Apr 25, 2013, at 12:15 AM, Denis Gervalle &lt;dgl(a)softec.lu&gt; wrote: > >> On Wed, Apr 24, 2013 at 3:38 PM, Thomas Delafosse < >> thomas.delafosse(a)xwiki.com&gt; wrote: >> >>> Hello all, >>> >>> I've been working on some improvements on user changing password (see >>> XWiki-6882). In particular, I tried to make mandatory, for an user > wanting >>> to change his password, to submit also his current password, so that I >>> could check it. >>> The problem is that there is no way to make this check through > velocity. I >>> tried to use some groovy instead, but it breaks the functional tests. > So I >>> need to introduce a new method "checkPassword" accessible from velocity >>> scripts. The question is, where should I implement it ? >>> There are two possibilities >>> 1) Wrote a new component >>> 2) Add this method in an existing API. >>> I don't really like 1), as I feel it would be strange to introduce a new >>> service with only one method. >>> In the meanwhile, for 2), I don't really know in which API this method >>> could fit. Sergiu told me that I could perhaps put it in >>> com.xpn.xwiki.plugin.rightsmanager.RightsManagerPluginApi, >>> but that it wasn't really good either. Any ideas ? >>> >> >> IMO, you should use an existing API that will be deprecated as soon as we >> have a real security authentication module. However, I not think >> com.xpn.xwiki.plugin.rightsmanager.RightsManagerPluginApi to be the right >> place, I would see it more in com.xpn.xwiki.user.api.XWikiUser, with >> the advantage that reaching it will require PR (preventing brute force >> attack). >> >> In the new authentication module, the abstraction should be really >> improved, allowing to change the password outside of the XWiki as well, > if >> the authentication backend support such feature. The notion of password >> will need to be abstracted as well, since there is more then just > password >> for authentication. So, this will surely be another story, and it is >> not foreseeable now. > > I agree with Denis here. Regarding the location in the existing code, I > don't have any strong opinion. > > Thanks > -Vincent