fix for https://luceeserver.atlassian.net/browse/LDEV-926

core/src/main/cfml/context/admin/login.new.cfm

@@ -14,19 +14,25 @@ catch(e) {
 <cfoutput><table cellpadding="0" cellspacing="0" border="0" width="500" height="120">
 		<tr>
 			<td align="left">
-				For security reasons it is no longer possible to set the inital password here.<br>
+				For security reasons it is no longer possible to set the inital password here directly.<br>
 	<cfif request.adminType == "server">
-
-
 		Please create a file with name <b>password.txt</b> at <b>#path#</b> containing the password you want.
-		Then restart Lucee, so Lucee will pick up that password, Lucee will delete that file after picking up the password.
+		Then click reload below, Lucee will pick up that password and delete the file afterwards.
 
+
+
 
 	<cfelse>
 		Please set a password for the <a href="server.cfm">Server Administrator</a> and then this password can be used to log into this Web Administrator as well. After that you can set a custom password inside Web Administrator, if you wish.
 	</cfif></td>
 		</tr>
 		</table>
+	<cfif request.adminType == "server">
+		<cfformClassic name="login" action="#request.self#" method="post">
+			<input type="hidden" name="checkPassword" value="true">
+			<input class="button submit" type="submit" name="submit" value="#stText.Buttons.Reload?:'reload'#">
+		</cfformClassic>
+	</cfif>
 </cfoutput>
 <!---
 	<cfformClassic name="login" action="#request.self#" method="post">

core/src/main/cfml/context/admin/resources/language/de.xml

@@ -850,6 +850,7 @@ When checked, any requested files will be inspected only once for potential upda
 	<data key="buttons.filter">filter</data>
 	<data key="buttons.agree">einverstanden</data>
 	<data key="buttons.submit">senden</data>
+	<data key="buttons.reload">neu laden</data>
 	<data key="buttons.stop">stop</data>
 	<data key="buttons.ok">OK</data>
 	<data key="buttons.purge">leeren</data>

core/src/main/cfml/context/admin/resources/language/en.xml

@@ -994,6 +994,7 @@ sct[""bracketNotation""] --> keyname: "bracketNotation"</data>
 	<data key="buttons.agree">agree</data>
 	<data key="buttons.dontagree">I do not agree</data>
 	<data key="buttons.submit">submit</data>
+	<data key="buttons.reload">reload</data>
 	<data key="buttons.stop">stop</data>
 	<data key="buttons.purge">purge</data>
 	<data key="buttons.ok">OK</data>

core/src/main/cfml/context/admin/web.cfm

@@ -41,13 +41,20 @@
 <cfparam name="request.adminType" default="web">
 <cfparam name="form.rememberMe" default="s">
 <cfset ad = request.adminType>
+<cfset request.self = request.adminType & ".cfm">
 
 <cfparam name="cookie.lucee_admin_lang" default="en">
 <cfset session.lucee_admin_lang = cookie.lucee_admin_lang>
 
 <cfset login_error = "">
 
 <!--- Form --->
+<cfif structKeyExists(form, "checkPassword" )>
+	<cfadmin action="checkPassword"
+		type="#request.adminType#">
+	<cflocation url="#request.self#?action=overview" addtoken="no">
+</cfif>
+
 <cfif structKeyExists(form, "login_password" & request.adminType)>
 	<cfadmin action="getLoginSettings"
 		type="#request.adminType#"
@@ -123,7 +130,19 @@
 	</cftry>
 </cfif>
 
-<!--- Session --->
+<!--- we are logged in into the server admin, but not the web admin, may the password is the same? --->
+<cfif ((request.adminType?:"") EQ "web") && 
+	structKeyExists(session, "passwordServer") && 
+	!structKeyExists(session, "passwordWeb")>
+	<cfadmin action="getLoginSettings"
+		type="#request.adminType#"
+		returnVariable="loginSettings">
+	<!--- server password is used --->
+	<cfif (loginSettings.origin?:"")=="server">
+		<cfset session.passwordWeb=session.passwordServer>
+	</cfif>
+</cfif>
+
 <cfif structKeyExists(session, "password" & request.adminType)>
 	<cftry>
 		<cfadmin action="connect"
@@ -154,7 +173,6 @@
 <cfinclude template="resources/text.cfm">
 <cfinclude template="web_functions.cfm">
 
-<cfset request.self = request.adminType & ".cfm">
 
 <cfif !structKeyExists(application, "adminfunctions") or (structKeyExists(session, "alwaysNew") && session.alwaysNew)>
 	<cfset application.adminfunctions = new adminfunctions() />

core/src/main/java/lucee/runtime/config/ConfigImpl.java

@@ -3897,4 +3897,8 @@ public TimeSpan getCachedAfterTimeRange() {
 		if (this.cachedAfterTimeRange != null && this.cachedAfterTimeRange.getMillis() <= 0) this.cachedAfterTimeRange = null;
 		return this.cachedAfterTimeRange;
 	}
+
+	public abstract void checkPassword() throws PageException;
+	// TODO Auto-generated m
+
 }

core/src/main/java/lucee/runtime/config/ConfigServerImpl.java

@@ -303,6 +303,10 @@ protected Password getDefaultPassword() {
 		return defaultPassword;
 	}
 
+	protected boolean hasCustomDefaultPassword() {
+		return defaultPassword != null;
+	}
+
 	/**
 	 * @param defaultPassword The defaultPassword to set.
 	 */
@@ -929,4 +933,19 @@ public WSHandler getWSHandler() throws PageException {
 		}
 		return wsHandler;
 	}
+
+	@Override
+	public void checkPassword() throws PageException {
+		CFMLEngine engine = ConfigWebUtil.getEngine(this);
+		ConfigWeb[] webs = getConfigWebs();
+		try {
+			XMLConfigServerFactory.reloadInstance(engine, this);
+			for (int i = 0; i < webs.length; i++) {
+				XMLConfigWebFactory.reloadInstance(engine, this, (ConfigWebImpl) webs[i], true);
+			}
+		}
+		catch (Exception e) {
+			throw Caster.toPageException(e);
+		}
+	}
 }

core/src/main/java/lucee/runtime/config/ConfigWebImpl.java

@@ -108,6 +108,9 @@ public final class ConfigWebImpl extends ConfigImpl implements ServletConfig, Co
 	private final ConfigServerImpl configServer;
 	private SecurityManager securityManager;
 	private static final LockManager lockManager = LockManagerImpl.getInstance(false);
+	public static final short PASSWORD_ORIGIN_DEFAULT = 1;
+	public static final short PASSWORD_ORIGIN_SERVER = 2;
+	public static final short PASSWORD_ORIGIN_WEB = 3;
 	private Resource rootDir;
 	private final CFMLCompilerImpl compiler = new CFMLCompilerImpl();
 	private CIPage baseComponentPageCFML;
@@ -665,6 +668,7 @@ public List<ExtensionDefintion> loadLocalExtensions() {
 	}
 
 	private WSHandler wsHandler;
+	private short passwordSource;
 
 	@Override
 	public WSHandler getWSHandler() throws PageException {
@@ -683,4 +687,17 @@ public WSHandler getWSHandler() throws PageException {
 		}
 		return wsHandler;
 	}
+
+	protected void setPasswordSource(short passwordSource) {
+		this.passwordSource = passwordSource;
+	}
+
+	public short getPasswordSource() {
+		return passwordSource;
+	}
+
+	@Override
+	public void checkPassword() throws PageException {
+		configServer.checkPassword();
+	}
 }

core/src/main/java/lucee/runtime/config/XMLConfigAdmin.java

@@ -1224,8 +1224,9 @@ public static boolean fixSaltAndPW(Document doc, Config config) {
 		}
 
 		// no password yet
-		if (!root.hasAttribute("hspw") && !root.hasAttribute("pw") && !root.hasAttribute("password")) {
-			Resource pwFile = config.getConfigDir().getRealResource("password.txt");
+		if (config instanceof ConfigServer && !root.hasAttribute("hspw") && !root.hasAttribute("pw") && !root.hasAttribute("password")) {
+			ConfigServer cs = (ConfigServer) config;
+			Resource pwFile = cs.getConfigDir().getRealResource("password.txt");
 			if (pwFile.isFile()) {
 				try {
 					String pw = IOUtil.toString(pwFile, (Charset) null);
@@ -1237,7 +1238,7 @@ public static boolean fixSaltAndPW(Document doc, Config config) {
 					}
 				}
 				catch (IOException e) {
-					LogUtil.logGlobal(config, "application", e);
+					LogUtil.logGlobal(cs, "application", e);
 				}
 			}
 		}

core/src/main/java/lucee/runtime/config/XMLConfigServerFactory.java

@@ -139,14 +139,13 @@ public static ConfigServerImpl newInstance(CFMLEngineImpl engine, Map<String, CF
 	public static void reloadInstance(CFMLEngine engine, ConfigServerImpl configServer)
 			throws SAXException, ClassException, PageException, IOException, TagLibException, FunctionLibException, BundleException {
 		Resource configFile = configServer.getConfigFile();
-
 		if (configFile == null) return;
-		if (second(configServer.getLoadTime()) > second(configFile.lastModified())) return;
+		if (second(configServer.getLoadTime()) > second(configFile.lastModified())) {
+			if (!configServer.getConfigDir().getRealResource("password.txt").isFile()) return;
+		}
 		int iDoNew = doNew(engine, configServer.getConfigDir(), false).updateType;
 		boolean doNew = iDoNew != NEW_NONE;
-
 		load(configServer, loadDocument(configFile), true, doNew);
-
 		((CFMLEngineImpl) ConfigWebUtil.getEngine(configServer)).onStart(configServer, true);
 	}
 

core/src/main/java/lucee/runtime/config/XMLConfigWebFactory.java

@@ -371,7 +371,7 @@ synchronized static void load(ConfigServerImpl cs, ConfigImpl config, Document d
 			}
 			if (LOG) LogUtil.logGlobal(ThreadLocalPageContext.getConfig(cs == null ? config : cs), Log.LEVEL_INFO, XMLConfigWebFactory.class.getName(), "fixed LFI");
 
-			if (XMLConfigAdmin.fixSaltAndPW(doc, ThreadLocalPageContext.getConfig(cs == null ? config : cs))) reload = true;
+			if (XMLConfigAdmin.fixSaltAndPW(doc, config)) reload = true;
 			if (LOG) LogUtil.logGlobal(ThreadLocalPageContext.getConfig(cs == null ? config : cs), Log.LEVEL_INFO, XMLConfigWebFactory.class.getName(), "fixed salt");
 
 			if (XMLConfigAdmin.fixS3(doc)) reload = true;
@@ -2617,8 +2617,14 @@ private static void loadConfig(ConfigServerImpl configServer, ConfigImpl config,
 
 		// password
 		Password pw = PasswordImpl.readFromXML(luceeConfiguration, salt, false);
-		if (pw != null) config.setPassword(pw);
-		else if (configServer != null) config.setPassword(configServer.getDefaultPassword());
+		if (pw != null) {
+			config.setPassword(pw);
+			if (config instanceof ConfigWebImpl) ((ConfigWebImpl) config).setPasswordSource(ConfigWebImpl.PASSWORD_ORIGIN_WEB);
+		}
+		else if (configServer != null) {
+			((ConfigWebImpl) config).setPasswordSource(configServer.hasCustomDefaultPassword() ? ConfigWebImpl.PASSWORD_ORIGIN_DEFAULT : ConfigWebImpl.PASSWORD_ORIGIN_SERVER);
+			config.setPassword(configServer.getDefaultPassword());
+		}
 
 		if (config instanceof ConfigServerImpl) {
 			ConfigServerImpl csi = (ConfigServerImpl) config;

core/src/main/java/lucee/runtime/osgi/VersionRange.java

@@ -4,10 +4,8 @@
 import java.util.Iterator;
 import java.util.List;
 
-import org.osgi.framework.BundleException;
 import org.osgi.framework.Version;
 
-import lucee.print;
 import lucee.commons.lang.StringUtil;
 import lucee.loader.util.Util;
 import lucee.runtime.type.util.ListUtil;
@@ -60,13 +58,6 @@ public String toString() {
 		return sb.toString();
 	}
 
-	public static void main(String[] args) throws BundleException {
-		VersionRange vr = new VersionRange("2.0.0.0 - ,-,,,");
-
-		print.e(vr);
-		print.e(vr.isWithin(OSGiUtil.toVersion("2.0.0.10", null)));
-	}
-
 	private static class VR {
 		private Version from;
 		private Version to;

core/src/main/java/lucee/runtime/tag/Admin.java

@@ -322,6 +322,21 @@ public int doStartTag() throws PageException {
 			return SKIP_BODY;
 		}
 
+		// check Password
+		else if (action.equals("checkpassword")) {
+			try {
+				// ((ConfigWebImpl)config).getConfigServer(arg0)
+
+				config.checkPassword();
+
+				// XMLConfigAdmin._storeAndReload(config);
+			}
+			catch (Exception e) {
+				throw Caster.toPageException(e);
+			}
+			return SKIP_BODY;
+		}
+
 		// update Password
 		else if (action.equals("updatepassword")) {
 
@@ -5092,6 +5107,13 @@ private void doGetLoginSettings() throws ApplicationException, PageException {
 		sct.set("captcha", Caster.toBoolean(c.getLoginCaptcha()));
 		sct.set("delay", Caster.toDouble(c.getLoginDelay()));
 		sct.set("rememberme", Caster.toBoolean(c.getRememberMe()));
+		if (c instanceof ConfigWebImpl) {
+			ConfigWebImpl cw = (ConfigWebImpl) c;
+			short origin = cw.getPasswordSource();
+			if (origin == ConfigWebImpl.PASSWORD_ORIGIN_DEFAULT) sct.set("origin", "default");
+			else if (origin == ConfigWebImpl.PASSWORD_ORIGIN_WEB) sct.set("origin", "web");
+			else if (origin == ConfigWebImpl.PASSWORD_ORIGIN_SERVER) sct.set("origin", "server");
+		}
 
 	}
 

core/src/main/java/resource/context/admin/resources/language/ch-be.xml

@@ -621,6 +621,7 @@ When checked, any requested files will be inspected only once for potential upda
 	<data key="buttons.filter">fiutärä</data>
 	<data key="buttons.agree">iverstandä</data>
 	<data key="buttons.submit">sändä</data>
+	<data key="buttons.reload">nöi lade</data>
 	<data key="buttons.ok">OK</data>
 	<data key="buttons.purge">lärä</data>
 	<data key="buttons.install">installirä</data>

core/src/main/java/resource/context/admin/resources/language/de.xml

@@ -850,6 +850,7 @@ When checked, any requested files will be inspected only once for potential upda
 	<data key="buttons.filter">filter</data>
 	<data key="buttons.agree">einverstanden</data>
 	<data key="buttons.submit">senden</data>
+	<data key="buttons.reload">neu laden</data>
 	<data key="buttons.stop">stop</data>
 	<data key="buttons.ok">OK</data>
 	<data key="buttons.purge">leeren</data>

core/src/main/java/resource/context/admin/resources/language/en.xml

@@ -994,6 +994,7 @@ sct[""bracketNotation""] --> keyname: "bracketNotation"</data>
 	<data key="buttons.agree">agree</data>
 	<data key="buttons.dontagree">I do not agree</data>
 	<data key="buttons.submit">submit</data>
+	<data key="buttons.reload">reload</data>
 	<data key="buttons.stop">stop</data>
 	<data key="buttons.purge">purge</data>
 	<data key="buttons.ok">OK</data>

loader/build.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project default="core" basedir="." name="Lucee" xmlns:artifact="antlib:org.apache.maven.artifact.ant">
 
-  <property name="version" value="5.3.4.45-SNAPSHOT"/>
+  <property name="version" value="5.3.4.46-SNAPSHOT"/>
 
   <path id="maven-ant-tasks.classpath" path="../ant/lib/maven-ant-tasks-2.1.3.jar" />
   <typedef resource="org/apache/maven/artifact/ant/antlib.xml"

loader/pom.xml

@@ -3,7 +3,7 @@
 
   <groupId>org.lucee</groupId>
   <artifactId>lucee</artifactId>
-  <version>5.3.4.45-SNAPSHOT</version>
+  <version>5.3.4.46-SNAPSHOT</version>
   <packaging>jar</packaging>
 
   <name>Lucee Loader Build</name>