IDEMPIERE-2558 don't allow use old password when change password / fix daysReuse=0 means this feature is not used / do not save password history if not configured / warning on log when saving plain passwords

org.adempiere.base/src/org/compiere/model/MPasswordHistory.java

@@ -1,17 +1,17 @@
 package org.compiere.model;
 
 import java.sql.ResultSet;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
 
 import org.compiere.util.Env;
 
 public class MPasswordHistory extends X_AD_Password_History {
-
 	/**
 	 * 
 	 */
-	private static final long serialVersionUID = 3480028808276906947L;
+	private static final long serialVersionUID = 8602148028134601856L;
 
 	public MPasswordHistory(Properties ctx, int AD_Password_History_ID,
 			String trxName) {
@@ -35,6 +35,9 @@ public class MPasswordHistory extends X_AD_Password_History {
 	 * @return
 	 */
 	public static List<MPasswordHistory> getPasswordHistoryForCheck (int daysReuse, int userId){
+		if (daysReuse <= 0) {
+			return new ArrayList<MPasswordHistory>();
+		}
 		StringBuilder whereClause = new StringBuilder()
 				.append("SYSDATE-")
 				.append(daysReuse)

org.adempiere.base/src/org/compiere/model/MUser.java

@@ -907,14 +907,6 @@ public class MUser extends X_AD_User
 				MPasswordRule pwdrule = MPasswordRule.getRules(getCtx(), get_TrxName());
 				if (pwdrule != null){
 					List<MPasswordHistory> passwordHistorys = MPasswordHistory.getPasswordHistoryForCheck(pwdrule.getDays_Reuse_Password(), this.getAD_User_ID());
-					// for long time user don't use this system, because all password in history table is out of check range. but we will want new password must difference latest password  
-					if (passwordHistorys.size() == 0 && !this.is_new() && this.get_ValueOld(MUser.COLUMNNAME_Password) != null){
-						Object oldSalt = this.get_ValueOld(MUser.COLUMNNAME_Salt);
-						Object oldPassword = this.get_ValueOld(MUser.COLUMNNAME_Password);
-						
-						MPasswordHistory latestPassword = new MPasswordHistory(oldSalt == null?null:oldSalt.toString(), oldPassword == null?null:oldPassword.toString());
-						passwordHistorys.add(latestPassword);
-					}
 					pwdrule.validate((getLDAPUser() != null ? getLDAPUser() : getName()), getPassword(), passwordHistorys);
 				}
 				setDatePasswordChanged(new Timestamp(new Date().getTime()));
@@ -1055,6 +1047,12 @@ public class MUser extends X_AD_User
 	@Override
 	protected boolean afterSave(boolean newRecord, boolean success) {
 		if (getPassword() != null && getPassword().length() > 0 && (newRecord || is_ValueChanged("Password"))) {
+			MPasswordRule pwdrule = MPasswordRule.getRules(getCtx(), get_TrxName());
+			if (pwdrule != null && pwdrule.getDays_Reuse_Password() > 0) {
+				boolean hash_password = MSysConfig.getBooleanValue(MSysConfig.USER_PASSWORD_HASH, false);
+				if (! hash_password) {
+					log.severe("Saving password history: it is strongly encouraged to save password history just when using hashed passwords - WARNING! table AD_Password_History is possibly keeping plain passwords");
+				}
 				MPasswordHistory passwordHistory = new MPasswordHistory(this.getCtx(), 0, this.get_TrxName());
 				passwordHistory.setSalt(this.getSalt());
 				passwordHistory.setPassword(this.getPassword());
@@ -1067,6 +1065,7 @@ public class MUser extends X_AD_User
 				passwordHistory.setDatePasswordChanged(this.getUpdated());
 				passwordHistory.saveEx();
 			}
+		}
 		return super.afterSave(newRecord, success);
 	}
 }	//	MUser