Why acegi (Spring Security) converts password to uppercase before comparing ?
Posted
by Tony
on Stack Overflow
See other posts from Stack Overflow
or by Tony
Published on 2010-06-12T13:54:26Z
Indexed on
2010/06/12
14:03 UTC
Read the original article
Hit count: 272
One of my colleague in QA team reported a bug to me, the bug said that can't change password to lowercase, otherwise login is rejected,using number or uppercase is all fine. The login system was implemented using acegi 1.0 (now called Spring Security).
This was a very strange bug,changing password is done by encrypting the user input string into MD5 string, I implemented this without using anything related acegi, I don't if the is the origin cause of the problem.
When the login is rejected, through debugging, I find that, the user input is converted into uppercase by acegi when passing to the acegi comparing logic. At first, I didn't believe this, when I checkout the acegi source and debugging with it, I find it does convert both username and password to uppercase (source code line 121), Can you tell me why it does this? This can cause password encoding mismatch!
© Stack Overflow or respective owner