The Personalization module includes the profile attributes login and password for each registered user of a Web site. Both properties are case sensitive when performing login queries. If you want to use case-insensitive login names, you need to store a version of the login name with all lowercase characters. Using case-insensitive passwords is not recommended for security reasons, because it makes it easier for other users or systems to guess a password. To configure the system to use case-insensitive login names, you need to subclass the Profile Form Handler and configure an attribute that converts the login name to lowercase using Java’s toLowerCase method.

First, add a String attribute to the Profile object. You can call this String anything you want; it represents the login name as the user enters it into the form. In this example, this String is called memberName. The lowercase version of the memberName is stored in the login attribute.

Then, modify your basic registration form so that the login name field references the memberName attribute. Next, subclass the Profile Form Handler so that it converts the memberName attribute to lowercase and copies it to the login name attribute. You can do this by overriding the preCreateUser method of the ProfileFormHandler class. Once the super-class performs its operation, you can check the ProfileFormHandler.value Dictionary property to see if the memberName attribute was submitted. If it is found, then convert the memberName attribute to lowercase and place it in the ProfileFormHandler.value Dictionary property under the key login. The remainder of the registration process in the form then automatically updates the login profile attribute with the lowercase value. The following code demonstrates this explanation:

protected void preCreateUser(DynamoHttpServletRequest pRequest,
                             DynamoHttpServletResponse pResponse)
     throws ServletException, IOException
{
   super.preCreateUser(pRequest, pResponse);
   // Look for the submitted member name
   String memberName = (String) getValue().get("memberName");

   if (memberName != null) {
     // Normalize the member name
     String login = memberName.toLowerCase();
     getValue().put("login", login);
   }
   else {
     // If the member name is not available, then make sure we clear out
     // any old login values
     getValue().remove("login");
   }
}

If you allow site members to change their login name after registration, you need to make sure that the memberName and login attributes are still in sync and that the login value is always the lowercase version of the memberName value. To do this, override the ProfileFormHandler.preUpdateUser method so that it performs the same function as the preCreateUser example above. This ensures that the login and authentication process also uses the lowercase version of the login name when performing queries.

If all your authentication is performed through the ProfileFormHandler, then you can override the findUser method. For example:

protected RepositoryItem findUser(String pLogin,
                                  String pPassword,
                                  Repository pProfileRepository,
                                  DynamoHttpServletRequest pRequest,
                                  DynamoHttpServletResponse pResponse)
     throws RepositoryException, ServletException, IOException
{
   if (pLogin != null) {
     return super.findUser(pLogin.toLowerCase(), pPassword,
                           pProfileRepository, pRequest, pResponse);
   }
   else {
     return super.findUser(pLogin, pPassword,
                           pProfileRepository, pRequest, pResponse);
   }
}

In this example, the super.findUser method uses the ProfileTools.getItem method. If you examine the ProfileForm class code, you can see that this method does the following:

return getProfileTools().getItem(pLogin, pPassword, getLoginProfileType());

If you use the ProfileTools class to perform authentication in other areas of your Web site, then you should override this getItem method so that it also performs the toLowerCase operation. For example, you could use the following code to override the getItem method:

public RepositoryItem getItem(String pLogin, String pPassword,
                              String pProfileType)
{
   if (pLogin != null) {
     return super.getItem(pLogin.toLowerCase(), pPassword, pProfileType);
   }
   else {
     return super.getItem(pLogin, pPassword, pProfileType);
   }
}
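
Called without arguments, toLowerCase uses the JVM default locale, so the stored login and the login used in the query can differ when registration and authentication run under different locales (under a Turkish locale, uppercase I lowercases to the dotless ı). The following added example is not part of the original documentation or the product code; it uses an in-memory map in place of the profile repository, and the class name, the normalizeLogin helper and the sample names are hypothetical.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class LoginNormalizationDemo {

    // Hypothetical helper: one locale-independent normalization shared by
    // registration, profile update and lookup.
    static String normalizeLogin(String memberName) {
        return memberName == null ? null : memberName.toLowerCase(Locale.ROOT);
    }

    // Registers a member and then looks the login up again. The JVM default
    // locale differs between the two steps, as it can between two servers.
    // The map is a stand-in for the profile repository, keyed by login.
    static boolean registerThenFind(String memberName, String typedLogin, boolean pinLocale) {
        Map<String, String> profilesByLogin = new HashMap<>();
        Locale saved = Locale.getDefault();
        try {
            Locale.setDefault(Locale.forLanguageTag("tr-TR")); // registration host
            String stored = pinLocale ? normalizeLogin(memberName)
                                      : memberName.toLowerCase();
            profilesByLogin.put(stored, memberName);

            Locale.setDefault(Locale.US);                      // authentication host
            String lookup = pinLocale ? normalizeLogin(typedLogin)
                                      : typedLogin.toLowerCase();
            return profilesByLogin.containsKey(lookup);
        } finally {
            Locale.setDefault(saved);                          // restore the real default
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: a member name containing an uppercase 'I'.
        String memberName = "IRIS.Admin";
        String typedLogin = "iris.admin";
        System.out.println("default-locale toLowerCase(): found="
                + registerThenFind(memberName, typedLogin, false));
        System.out.println("toLowerCase(Locale.ROOT):     found="
                + registerThenFind(memberName, typedLogin, true));
    }
}
```

Whichever locale you pin, use the same call in preCreateUser, preUpdateUser, findUser and getItem so that the stored login and the queried login always agree.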

Copyright © 1997, 2012 Oracle and/or its affiliates. All rights reserved.
