Chapter 10. Kernel Tutorial 121
12. How do I set a user’s password?
Given the user’s UserAuthentication object, auth.setPassword(password) sets the user’s password.
Caution
Use the method auth.setPassword(password) carefully, as it can allow an attacker to override the user’s password.
com.arsdigita.ui.login.PasswordValidationListener is a ParameterValidationListener that checks whether a form parameter value is a strong password. This listener should always be used before setting the user’s password. See com.arsdigita.ui.login.ChangePasswordForm for an example.
13. What is / How do I get a user’s UserAuthentication object?
There are four methods for retrieving a user’s UserAuthentication object:
1. UserAuthentication.retrieveForLoginName(String loginName)
2. UserAuthentication.retrieveForUser(OID userOID)
3. UserAuthentication.retrieveForUser(BigDecimal userID)
4. UserAuthentication.retrieveForUser(User user)
The first is appropriate if the username is entered in a form; the last two are appropriate if the user is already logged in. The UserAuthentication object allows code to check and set a user’s password and password retrieval question and answer.
Caution
Access to the UserAuthentication object is dangerous, since it can allow an attacker to compromise a user’s account. If at all possible, use the provided UI components and login modules rather than access this object directly.
14. What is / How do I use the SecurityLogger class?
SecurityLogger wraps the Log4j category called SECURITY. It provides static methods for appending entries to that log, and automatically inserts the current date and time and, if applicable, the current client’s IP address.
SecurityLogger is used to log security-relevant events for future auditing. Examples of such events are bad passwords, malformed cookies, and expired login page accesses. To use the class, simply call the appropriate class method, such as SecurityLogger.warn().
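The three questions above (12, 13 and 14) describe one workflow: validate the new password with PasswordValidationListener, look up the logged-in user’s UserAuthentication object, set the password, and record the outcome in the SECURITY log. The following change-password form is an added example written for this tutorial, not code from the kernel or from com.arsdigita.ui.login.ChangePasswordForm. The class names the tutorial gives (PasswordValidationListener, UserAuthentication.retrieveForUser(User), auth.setPassword(), SecurityLogger.warn()) are used as stated; everything else is an assumption: the Bebop form API (Form, Password, StringParameter, addValidationListener, FormProcessListener, FormSectionEvent, FormProcessException, Submit, Label), Kernel.getContext().getParty() as the way to obtain the current User, SecurityLogger.info() as a second logging method, and the package name.

```java
// Added example for the Kernel Tutorial FAQ (Q12-Q14); not kernel or ChangePasswordForm code.
// ASSUMED (not stated on this page): the Bebop widget/listener API used below,
// Kernel.getContext().getParty() for the current user, and SecurityLogger.info().
package com.example.tutorial;   // hypothetical package

import com.arsdigita.bebop.Form;
import com.arsdigita.bebop.FormProcessException;
import com.arsdigita.bebop.Label;
import com.arsdigita.bebop.event.FormProcessListener;
import com.arsdigita.bebop.event.FormSectionEvent;
import com.arsdigita.bebop.form.Password;
import com.arsdigita.bebop.form.Submit;
import com.arsdigita.bebop.parameters.StringParameter;
import com.arsdigita.kernel.Kernel;
import com.arsdigita.kernel.User;
import com.arsdigita.kernel.UserAuthentication;
import com.arsdigita.kernel.security.SecurityLogger;
import com.arsdigita.ui.login.PasswordValidationListener;

public class ExampleChangePasswordForm extends Form implements FormProcessListener {

    private static final String NEW_PASSWORD = "newPassword";
    private final Password m_newPassword;

    public ExampleChangePasswordForm() {
        super("exampleChangePassword");

        m_newPassword = new Password(new StringParameter(NEW_PASSWORD));
        // Q12: the strength check is attached as a validation listener, so the
        // form's validation phase rejects weak passwords and process() is only
        // reached with a value that PasswordValidationListener accepted.
        m_newPassword.addValidationListener(new PasswordValidationListener());

        add(new Label("New password:"));
        add(m_newPassword);
        add(new Submit("Change password"));

        addProcessListener(this);
    }

    public void process(FormSectionEvent e) throws FormProcessException {
        // Q13: the password is changed for the user who is already logged in,
        // so retrieveForUser(User) is the right lookup. The login name is never
        // taken from the request, which keeps retrieveForLoginName() (meant for
        // the login form itself) out of this code path.
        User user = (User) Kernel.getContext().getParty();   // ASSUMED accessor
        if (user == null) {
            // Q14: a security-relevant failure goes to the SECURITY log; the
            // logger adds the timestamp and client IP itself.
            SecurityLogger.warn("password change attempted without a logged-in user");
            throw new FormProcessException("You must be logged in to change your password.");
        }

        UserAuthentication auth = UserAuthentication.retrieveForUser(user);
        String newPassword = (String) e.getFormData().get(NEW_PASSWORD);

        // Q12: setPassword() is only called after validation has passed.
        auth.setPassword(newPassword);

        // Q14: record the successful change for later auditing (info() is ASSUMED;
        // the tutorial only names warn()). Log the user id, never the password.
        SecurityLogger.info("password changed for user " + user.getID());
    }
}
```

The ordering is the point: the strength check belongs in the validation phase, so the process listener never sees a weak value, and both the refused and the successful attempt leave a SECURITY log entry without ever writing the password itself to the log.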