Why does acegi (Spring Security) convert the password to uppercase before comparing?

Posted by Tony on Stack Overflow
Published on 2010-06-12T13:54:26Z Indexed on 2010/06/12 14:03 UTC

One of my colleagues in the QA team reported a bug to me. The bug said that the password can't be changed to lowercase, otherwise login is rejected; using numbers or uppercase is all fine. The login system was implemented using acegi 1.0 (now called Spring Security).

This was a very strange bug. Changing the password is done by encrypting the user input string into an MD5 string. I implemented this without using anything related to acegi; I don't know if this is the original cause of the problem.

When the login is rejected, through debugging, I found that the user input is converted into uppercase by acegi when it is passed to the acegi comparison logic. At first, I didn't believe this, but when I checked out the acegi source and debugged with it, I found it does convert both username and password to uppercase (source code line 121). Can you tell me why it does this? This can cause a password encoding mismatch!
