Password is cleared when editing a user without updating their password


nhodder

Category: Bug report
Priority: Normal
Reproducibility: Always
Resolution: Open
Severity: Major
Status: New
Version: v6.3

In a fresh install of JasperReports Server on Windows 10, when updating a user's details using the manage users edit screen (e.g. updating email address, assigning a role, setting attributes), the password is cleared if the password fields are left blank.

Checking the database and decrypting the password showed that it was set to 0000.

I'll take a guess that there isn't a check to see if you are actually changing the password or not, and an empty string is submitted, encrypted to 0000 and saved to the database.

I'm using the REST web services to do user management, so it doesn't impact me, but I noticed it when we made a few users using the GUI and then assigned them some roles: they all ended up with the same password in the database when they should have been different.

The Windows 10 instance is a local instance; it also happens on our dev server, which is Red Hat 5.5. Both instances are using JasperReports Server version 6.3.0.

The Windows 10 instance is using the default PostgreSQL database and the dev instance is using Oracle 11g.

The browser I was using is Chrome.
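The mechanism the report guesses at, as an added illustration in Python (not code from JasperReports Server or from any poster here): an edit-user handler whose blank-password check runs only after the submitted value has been transformed, beside a hardened handler that decides on the raw submitted value, plus an audit over the stored credentials. The cipher, key, in-memory "table", form field names and all function names are stand-ins; in particular encrypt("") here does not produce the 0000 seen in the real database, only some non-empty value, which is the property that matters for the defect.

```python
"""Model of the reported defect: editing a user with blank password fields
overwrites the stored credential when encryption is on.

Everything here is hypothetical stand-in code written for this page; the
cipher is NOT the ESAPI cipher JasperReports Server uses."""
import base64
from dataclasses import dataclass, field
from typing import Dict, List, Set

KEY = b"demo-key"   # constructed stand-in key, not a real configuration value
BLOCK = 8           # stand-in block size so that '' still encrypts to something


def encrypt(plaintext: str) -> str:
    """Reversible toy 'encryption': PKCS#7-style pad, XOR with KEY, base64.
    Padding is what makes encrypt('') a non-empty string, like a real block cipher."""
    raw = plaintext.encode()
    pad = BLOCK - len(raw) % BLOCK
    raw += bytes([pad]) * pad
    xored = bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(raw))
    return base64.b64encode(xored).decode()


def decrypt(stored: str) -> str:
    """Inverse of encrypt(); used the way the reporter inspected the database."""
    raw = base64.b64decode(stored)
    plain = bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(raw))
    return plain[:-plain[-1]].decode()


@dataclass
class User:
    username: str
    email: str
    roles: Set[str] = field(default_factory=set)
    password_enc: str = ""


DB: Dict[str, User] = {}   # stand-in for the jiuser table


def create_user(username: str, email: str, password: str) -> None:
    DB[username] = User(username, email, set(), encrypt(password))


def apply_profile_fields(u: User, form: dict) -> None:
    u.email = form.get("email", u.email)
    u.roles = set(form.get("roles", u.roles))


def edit_user_vulnerable(username: str, form: dict, encryption_on: bool = True) -> None:
    """Hypothetical handler matching the reporter's guess: the blank check is
    applied after the value has been encrypted. With encryption off the blank
    field stays '' and is skipped; with encryption on, '' has already become a
    padded ciphertext, so the check passes and the credential is overwritten."""
    u = DB[username]
    apply_profile_fields(u, form)
    value = form.get("password", "")
    if encryption_on:
        value = encrypt(value)          # '' is no longer '' after this line
    if value == "":                     # only protects the encryption.on=false case
        return
    u.password_enc = value if encryption_on else encrypt(value)


def edit_user_fixed(username: str, form: dict) -> None:
    """Hardened handler: decide on the raw submitted fields before any transform,
    and only touch the credential when both fields are filled in and agree."""
    u = DB[username]
    apply_profile_fields(u, form)
    pw = form.get("password", "")
    confirm = form.get("confirmPassword", "")
    if pw == "" and confirm == "":
        return                          # blank means "leave the password alone"
    if pw != confirm:
        raise ValueError("password fields do not match")
    u.password_enc = encrypt(pw)


def users_with_empty_password() -> List[str]:
    """Audit for the symptom in the report: accounts whose stored credential
    decrypts to the empty string (several users sharing one identical value)."""
    return sorted(name for name, u in DB.items()
                  if u.password_enc and decrypt(u.password_enc) == "")


def demo() -> dict:
    """Constructed scenario: three users, each edited with blank password fields."""
    DB.clear()
    create_user("alice", "alice@example.invalid", "s3cret")
    create_user("bob", "bob@example.invalid", "other")
    create_user("carol", "carol@example.invalid", "third")
    edit = {"email": "new@example.invalid", "roles": ["ROLE_USER"]}   # no password fields
    edit_user_vulnerable("alice", edit, encryption_on=True)    # the reported bug path
    edit_user_vulnerable("bob", edit, encryption_on=False)     # encryption.on=false: unaffected
    edit_user_fixed("carol", edit)                             # hardened path
    emptied = users_with_empty_password()
    edit_user_fixed("carol", {"password": "newpw", "confirmPassword": "newpw"})
    return {
        "alice": decrypt(DB["alice"].password_enc),
        "bob": decrypt(DB["bob"].password_enc),
        "carol": decrypt(DB["carol"].password_enc),
        "emptied": emptied,
    }


if __name__ == "__main__":
    print(demo())
```

The audit generalizes the reporter's observation (a group of users who all ended up with the same credential) into a check that flags any account whose stored value decrypts to the empty string, which is the quickest way to find accounts that were silently reset before the handler is fixed.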




    Recommended Comments

Hi,

I've spent some time playing around with this case but couldn't get the same behavior. Checked both Pro and CE versions of JRS 6.3.0. PostgreSQL as db and Chrome as browser.

I've been checking the jiuser table, password field, every time I edited the user. Changing name, email, editing roles: all these actions didn't affect my password field (the old encrypted value remained).

This is a serious defect which I would like to see fixed in the next release, but so far I'm not able to see it. Is there something I'm missing? Any additional changes in the applications? Any properties enabled?


Sorry, I've been away and hadn't been able to check.

    I think the cause of the issue is setting the encryption.on property to true in the file /WEB-INF/classes/esapi/security-config.properties.

    When I set it to false and restart the service I can make changes on the manage user screen without the password being changed. When it is set to true the bug occurs.


You are right, I can see the problem now and it happens only when encryption.on=true. The issue is pre-existing; I see the same behavior in 6.2 as well.

The bug has been added to the bug tracker with high severity. Fix Version is to be determined.
