Implement lazy password hashing change

src/main/java/org/tb/mobile/LoginMobileAction.java

@@ -26,10 +26,28 @@ public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServlet
         boolean isValid = false;
         String username = request.getParameter("username");
         String password = request.getParameter("password");
-        Employee employee = employeeDAO.getLoginEmployee(username);
+        Employee loginEmployee = employeeDAO.getLoginEmployee(username);
 
-        if (employee != null && SecureHashUtils.passwordMatches(password, employee.getPassword())) {
-            long employeeId = employee.getId();
+        boolean passwordMatches = loginEmployee != null && SecureHashUtils.passwordMatches(
+            password,
+            loginEmployee.getPassword()
+        );
+        if (!passwordMatches) {
+            boolean legacyPasswordMatches = loginEmployee != null && SecureHashUtils.legacyPasswordMatches(
+                password, loginEmployee.getPassword()
+            );
+            if (legacyPasswordMatches) {
+                // employee still has old password form
+                // store password again with new hashing algorithm
+                Employee em = employeeDAO.getEmployeeById(loginEmployee.getId());
+                em.changePassword(password);
+                loginEmployee.changePassword(password);
+                employeeDAO.save(em, loginEmployee);
+                passwordMatches = true;
+            }
+        }
+        if (loginEmployee != null && passwordMatches) {
+            long employeeId = loginEmployee.getId();
             isValid = true;
             Date date = new Date();
             Long employeecontractId = employeecontractDAO.getEmployeeContractByEmployeeIdAndDate(employeeId, date).getId();

src/main/java/org/tb/util/SecureHashUtils.java

@@ -22,6 +22,10 @@ public static boolean passwordMatches(String enteredPassword, String hashedPassw
         PasswordEncoder encoder = new BCryptPasswordEncoder(COMPLEXITY);
         return encoder.matches(enteredPassword, hashedPassword);
     }
+
+    public static boolean legacyPasswordMatches(String enteredPassword, String md5HashedPassword) {
+        return makeMD5(enteredPassword).equals(md5HashedPassword);
+    }
 
     /**
      * Makes a md5-hash for a given string.

src/main/java/org/tb/web/action/LoginEmployeeAction.java

@@ -78,9 +78,24 @@ public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServlet
             LoginEmployeeForm loginEmployeeForm = (LoginEmployeeForm) form;
 
             Employee loginEmployee = employeeDAO.getLoginEmployee(loginEmployeeForm.getLoginname());
-            if (loginEmployee == null 
-                || !SecureHashUtils.passwordMatches(loginEmployeeForm.getPassword(), loginEmployee.getPassword())) {
-                return loginFailed(request, "form.login.error.unknownuser", mapping);
+            boolean passwordMatches = loginEmployee != null && SecureHashUtils.passwordMatches(
+                loginEmployeeForm.getPassword(),
+                loginEmployee.getPassword()
+            );
+            if (!passwordMatches) {
+                boolean legacyPasswordMatches = loginEmployee != null && SecureHashUtils.legacyPasswordMatches(
+                    loginEmployeeForm.getPassword(), loginEmployee.getPassword()
+                );
+                if (legacyPasswordMatches) {
+                    // employee still has old password form
+                    // store password again with new hashing algorithm
+                    Employee em = employeeDAO.getEmployeeById(loginEmployee.getId());
+                    em.changePassword(loginEmployeeForm.getPassword());
+                    loginEmployee.changePassword(loginEmployeeForm.getPassword());
+                    employeeDAO.save(em, loginEmployee);
+                } else {
+                    return loginFailed(request, "form.login.error.unknownuser", mapping);
+                }
             }
 
             // check if user is internal or extern