
I have been through this. From that I infer that findBy queries are case-sensitive and that you can add IgnoreCase for case-insensitive behavior.

I have created a login controller where I am checking whether the user credentials are correct or not using a findBy query.

myUserDao.findByLoginIdAndPassword(loginId, password);

I am testing this using a Rest Client.

The user present in the DB has loginId as testuser and an encrypted password a12f4ae0cd227501191616c77ac0a234.

Now when I enter the user as Testuser and the password as a12f4ae0cd227501191616c77ac0a234, the user is still able to log in. The findBy query returns successfully with a MyUser entity even though the username entered has a different case.

=================

EDIT 1: Code for Login

@RequestMapping(method = RequestMethod.POST, consumes = "application/json", produces = "application/json")
public ResponseEntity<String> loginUser(@RequestBody Map<String, String> rawpayload) {

    String loginId = null;
    String password = null;

    try {
        loginId = rawpayload.get("loginId");
        password = rawpayload.get("password");
    } catch (Exception e) {
        logger.error("", e);
        return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("Please check your payload format.");
    }

    // Both values go straight from the request body into the derived query.
    // On MySQL's default case-insensitive collation the loginId comparison
    // matches regardless of case (see the comments below).
    MyUser myUser = myUserDao.findByLoginIdAndPassword(loginId, password);

    if (myUser == null) {
        // The submitted loginId is written to the log as-is.
        logger.error("Invalid login ID(" + loginId + ") and password.");
        return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                .body(CommonUtils.createErrorResponseMessage("Invalid loginId or password."));
    }

    logger.info("User '" + loginId + "' logged in successfully.");
    return jsonUtils.getJsonForResponse(myUser);
}
  • Then I doubt that your check is actually correct. Also, which database are you using (some are case-insensitive by default!) and show the code you use to check the passwords/usernames. – M. Deinum Jan 03 '17 at 11:59
  • @M.Deinum I am using MySQL. I have updated the question with the code. – amitection Jan 03 '17 at 12:32
  • Which is case-insensitive by default. Also, why are you doing a query with the password? The client should send the plain password, which you should encrypt and then check the values. (Also, instead of rolling your own, I suggest using Spring Security instead.) – M. Deinum Jan 03 '17 at 13:08

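One way to restructure the login check along the lines of M. Deinum's comments, as an added example that is not code from the original question or the asker's project. It assumes a hypothetical MyUser entity with loginId and passwordHash columns, a MyUserRepository, and that passwords are stored as BCrypt hashes produced by Spring Security's BCryptPasswordEncoder (the 32-hex-character value in the question is not in that format, and the question does not say how it was produced). The lookup is done by loginId only; the password never enters a query, and the exact-case check is done in Java so the outcome does not depend on the MySQL column collation.

```java
import java.util.Map;
import java.util.Optional;

import javax.persistence.Entity;   // jakarta.persistence on Spring Boot 3
import javax.persistence.Id;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Assumed entity for this example: loginId plus a BCrypt hash, never a raw password.
@Entity
class MyUser {
    @Id
    private Long id;
    private String loginId;
    private String passwordHash;   // e.g. "$2a$10$..." as produced by BCryptPasswordEncoder

    public String getLoginId() { return loginId; }
    public String getPasswordHash() { return passwordHash; }
}

// Assumed repository: derived query on loginId only. Under MySQL's default
// *_ci collations this lookup is case-insensitive, so the controller re-checks.
interface MyUserRepository extends JpaRepository<MyUser, Long> {
    Optional<MyUser> findByLoginId(String loginId);
}

@RestController
public class LoginController {
    private final MyUserRepository users;
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();
    // Hash computed once at startup and compared against when no account matches,
    // so an unknown loginId costs about the same time as a wrong password.
    private final String dummyHash = encoder.encode("dummy-password-for-timing");

    public LoginController(MyUserRepository users) {
        this.users = users;
    }

    @PostMapping(value = "/login", consumes = "application/json", produces = "application/json")
    public ResponseEntity<Map<String, String>> loginUser(@RequestBody Map<String, String> payload) {
        String loginId = payload.get("loginId");
        String password = payload.get("password");
        if (loginId == null || password == null) {
            return ResponseEntity.badRequest().body(Map.of("error", "Please check your payload format."));
        }

        // Step 1: fetch by loginId only. With a *_ci collation "Testuser" finds "testuser".
        Optional<MyUser> found = users.findByLoginId(loginId);

        // Step 2: enforce an exact-case match in application code, independent of collation.
        boolean idMatches = found.isPresent() && found.get().getLoginId().equals(loginId);

        // Step 3: always run the BCrypt comparison (against the dummy hash if the id
        // did not match) and report one generic error for both failure modes.
        String storedHash = idMatches ? found.get().getPasswordHash() : dummyHash;
        boolean passwordMatches = encoder.matches(password, storedHash);

        if (!idMatches || !passwordMatches) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                    .body(Map.of("error", "Invalid loginId or password."));
        }
        // Only the stored (canonical-case) loginId is echoed back, never the raw input.
        return ResponseEntity.ok(Map.of("loginId", found.get().getLoginId()));
    }
}
```

The IgnoreCase suffix in a derived query name only adds case-insensitivity; there is no suffix that forces a case-sensitive comparison on a column whose collation is already case-insensitive. If the database itself must distinguish testuser from Testuser, the column has to use a binary collation (for example utf8mb4_bin in MySQL); otherwise the equals check in the controller, as above, is what enforces it. Spring Security's form login does the hash comparison and generic-error handling for you, which is what M. Deinum's last comment suggests instead of this hand-rolled controller.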