this.grantedAuthorityDao = grantedAuthorityDao;\r
}\r
\r
- @Transactional(readOnly=false)\r
- protected Authentication createNewAuthentication(Authentication currentAuth, String newPassword) {\r
- UserDetails user = loadUserByUsername(currentAuth.getName());\r
-\r
- UsernamePasswordAuthenticationToken newAuthentication = new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());\r
- newAuthentication.setDetails(currentAuth.getDetails());\r
-\r
- return newAuthentication;\r
- }\r
-\r
+ /**\r
+ * Changes the own password of in the database of the user which is\r
+ * currently authenticated. Requires to supply the old password for security\r
+ * reasons. Refreshes the authentication in the SecurityContext after the\r
+ * password change by re-authenticating the user with the new password.\r
+ *\r
+ * @see org.springframework.security.provisioning.UserDetailsManager#changePassword(java.lang.String,\r
+ * java.lang.String)\r
+ */\r
@Override\r
@Transactional(readOnly=false)\r
@PreAuthorize("isAuthenticated()")\r
Assert.hasText(newPassword);\r
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();\r
if(authentication != null && authentication.getPrincipal() != null && authentication.getPrincipal() instanceof User) {\r
+\r
+ // get current authentication and load it from the persistence layer,\r
+ // to make sure we are modifying the instance which is\r
+ // attached to the hibernate session\r
User user = (User)authentication.getPrincipal();\r
+ user = dao.load(user.getUuid());\r
\r
+ // check if old password is valid\r
authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(user.getUsername(), oldPassword));\r
\r
+ // make new password and set it\r
Object salt = this.saltSource.getSalt(user);\r
-\r
String password = passwordEncoder.encodePassword(newPassword, salt);\r
user.setPassword(password);\r
-\r
dao.update(user);\r
- SecurityContextHolder.getContext().setAuthentication(createNewAuthentication(authentication, newPassword));\r
+\r
+ // authenticate the user again with the new password\r
+ UsernamePasswordAuthenticationToken newAuthentication = new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());\r
+ newAuthentication.setDetails(authentication.getDetails());\r
+ SecurityContextHolder.getContext().setAuthentication(newAuthentication);\r
userCache.removeUserFromCache(user.getUsername());\r
+\r
} else {\r
throw new AccessDeniedException("Can't change password as no Authentication object found in context for current user.");\r
}\r
((User)user).setPassword(password);\r
\r
UUID userUUID = dao.save((User)user);\r
- \r
- \r
+\r
+\r
}\r
- \r
- \r
+\r
+\r
\r
/* (non-Javadoc)\r
* @see org.springframework.security.provisioning.UserDetailsManager#deleteUser(java.lang.String)\r
return grantedAuthorityDao.save((GrantedAuthorityImpl)grantedAuthority);\r
}\r
\r
- \r
+\r
\r
/* (non-Javadoc)\r
* @see eu.etaxonomy.cdm.api.service.IUserService#listByUsername(java.lang.String, eu.etaxonomy.cdm.persistence.query.MatchMode, java.util.List, java.lang.Integer, java.lang.Integer, java.util.List, java.util.List)\r