  1. OpenAM
  2. OPENAM-11428

When using REST endpoint "json/users/?_action=create" with password policy violation, AM returns HTTP 400 "bad request", reason "Bad Request", Message "Bad Request" (for non-Behera case)


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 13.5.0, 14.1.0
    • Fix Version/s: None
    • Component/s: rest
    • Sprint:
      AM Sustaining Sprint 41, AM Sustaining Sprint 42, AM Sustaining Sprint 43, AM Sustaining Sprint 44, AM Sustaining Sprint 45, AM Sustaining Sprint 46, AM Sustaining Sprint 47, AM Sustaining Sprint 48, AM Sustaining Sprint 49, AM Sustaining Sprint 50, AM Sustaining Sprint 51, AM Sustaining Sprint 52, AM Sustaining Sprint 53, AM Sustaining Sprint 54, AM Sustaining Sprint 55, AM Sustaining Sprint 56
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description


      Bug description

      This is a continuation of OPENAM-9009, for the case where the IdRepo does not have Behera (password policy control) and an LDAP constraint violation happens on the REST userid creation portion.

      How to reproduce the issue

      The steps are the same as in OPENAM-9009, but the difference is that
      you go to the Datastore and disable Behera. (In 14.1.0 without OPENAM-9009 it currently works as non-Behera, so this can be seen there too.)

      1. Go to the Datastore and disable Behera Support (or use a Datastore that does not have Behera support).

      2. Create a password validator

      $ dsconfig \
         -X \
         -p 4444 -h localhost \
         -D cn="Directory Manager" -w password \
         -n create-password-validator \
         --validator-name "UserNameNotAllowed" \
         --type attribute-value \
         --set enabled:true \
         --set check-substrings:false \
         --set test-reversed-password:false \
         --set match-attribute:uid

      3. Add the password validator to the Default Password Policy (using dsconfig) to make it simple.

      4. Create a new user using REST where the user password is the same as the user (which will cause a password validation issue).

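      # $AM_URL is a placeholder for the OpenAM deployment base URL; the request URL is missing from this page.
      curl \
       -s -k \
       --request POST \
       --header "iplanetDirectoryPro: $tokenID" \
       --header "Content-Type: application/json" \
       --data '{
         "username": "testpassword",
         "userpassword": "testpassword",
         "mail": "testpassword@example.com"
       }' \
       "$AM_URL/json/users/?_action=create"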

      A further test case is to use OPENAM-7669/OPENAM-7917, where the unique attribute mail is enforced, to ensure this does not cause an issue. So you can also:

      1. Create a unique attribute on mail

      $HOME/openam/opends/bin/dsconfig create-plugin --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword cangetinam --plugin-name "Derek" --type unique-attribute --set enabled:true --set base-dn:ou=people,dc=openam,dc=forgerock,dc=org --set type:mail --trustAll --no-prompt

      2. Assign, say, the demo account with demo@example.com

      3. Now create a new user again but with mail=demo@example.com (note this new user is not uid=demo)

      Previously, without the fix for OPENAM-7669/OPENAM-7917, you may get

      {"code":400,"reason":"Bad Request","message":"Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered an ldap exception 19: A unique attribute conflict was detected for attribute mail: value demo@example.com already exists in entry uid=demo,ou=people,dc=openam,dc=forgerock,dc=org"}

      4. So if this is fixed the above should not regress.

      Expected behaviour

      A meaningful error status 400 like:
      {"code":400,"reason":"Bad Request","message":"The password value for attribute userPassword was found to be unacceptable: The provided password was found in another attribute in the user entry"}
      and for the latter unique attribute constraint case:
      {"code":400,"reason":"Bad Request","message":"A unique attribute conflict was detected for attribute mail"}

      Current behaviour

      No more details:
      {"code":400,"reason":"Bad Request"}

      Work around

      Using Password policy (Behera), if OPENAM-9009 is fixed, will give the very general error:

      {"code":400,"reason":"Bad Request","message":"The password did not meet the password policy requirements."} 

      Code analysis

      The fix is to return the message when a constraint violation occurs, by calling IdRepoException.getConstraintViolationDetails(), as this is supposed to sanitize the response and be safe to use (if not, then that function itself would be an issue).

      The same thing is already done in IdentityServicesImpl.update(), which is why the self-service forgotPassword provides the details but the create endpoint does not.

      The supposed fix is:

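      public void create(IdentityDetails identity, SSOToken admin) throws ResourceException {
          // ... rest of the method and the earlier exception branches are not shown in this report ...
          else if (e.getLdapErrorIntCode() == LDAPConstants.LDAP_CONSTRAINT_VIOLATION) {
              debug.error(e.getMessage(), e);
              // Return the sanitized constraint violation details to the REST client
              throw new BadRequestException(e.getConstraintViolationDetails());
          }
      }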

      The above change is tested for both constraint cases and passed.
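
The difference between the raw LDAP error and the expected client-facing message, as an added example that is not OpenAM code and not the implementation of getConstraintViolationDetails(): a hypothetical sanitizer keeps the constraint-violation clauses a REST client needs and drops any clause that exposes a directory DN or a Java class name. The function names and regular expressions are assumptions; the sample messages are constructed from the response bodies quoted in this report.

```python
import json
import re

# Constructed from the response bodies quoted in this report.
RAW_UNIQUE = ("Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered "
              "an ldap exception 19: A unique attribute conflict was detected for "
              "attribute mail: value demo@example.com already exists in entry "
              "uid=demo,ou=people,dc=openam,dc=forgerock,dc=org")
RAW_PASSWORD = ("The password value for attribute userPassword was found to be "
                "unacceptable: The provided password was found in another "
                "attribute in the user entry")

LDAP_CONSTRAINT_VIOLATION = 19  # LDAP result code constraintViolation

# Hypothetical patterns for text that should not reach a REST client.
PLUGIN_PREFIX = re.compile(r"^Plug-in \S+ encountered an ldap exception (\d+): ")
DN = re.compile(r"\b[A-Za-z][\w-]*=[^,=\s]+(?:,[A-Za-z][\w-]*=[^,=\s]+)+")
JAVA_CLASS = re.compile(r"\b(?:[a-z_]\w*\.){2,}[A-Z]\w*")


def leaks_internals(message):
    """True if the text exposes a directory DN or a Java class name."""
    return bool(DN.search(message) or JAVA_CLASS.search(message))


def client_message(raw, ldap_code):
    """Hypothetical sanitizer: keep only clauses safe to show a REST client."""
    if ldap_code != LDAP_CONSTRAINT_VIOLATION:
        return "Bad Request"  # no detail for other error classes
    text = PLUGIN_PREFIX.sub("", raw)
    safe = [clause for clause in text.split(": ") if not leaks_internals(clause)]
    return ": ".join(safe) or "Bad Request"


def error_body(raw, ldap_code):
    """Build the JSON error body in the shape shown in this report."""
    return json.dumps({"code": 400, "reason": "Bad Request",
                       "message": client_message(raw, ldap_code)},
                      separators=(",", ":"))
```

The same `leaks_internals` check can be run over captured 400 responses as a regression test, so that restoring the message detail does not also restore the entry DN and plug-in class name.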


              • Assignee:
                lawrence.yarham Lawrence Yarham
                chee-weng.chea C-Weng C