  1. OpenAM
  2. OPENAM-11922

Error code(500) is returning when updating a password that exists in the password history(policy configured)

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 13.5.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Environment:
      OpenAM 13.5.0
      OpenDJ 3.5.2 (User Store)
      Description

      How to reproduce the issue:

      1. Configure OpenDJ (3.5.2) as the external user directory and edit the Default password policy:

      23)  password-history-count                    10
      24)  password-history-duration                 0s

      2. Authenticate as amadmin in OpenAM (13.5).
      3. Create the user "testy" with password = password99, then update the password to password88 (succeeds) and then again to password99 (fails) via Postman:

      PUT: http://openam.example.com:8080/openam/json/users/testy

      Headers:

      Key                  Value
      iplanetDirectoryPro  AQIC5.....c5AAJTMQAA*
      Content-Type         application/json

      Body:

      JSON (application/json)

      {
        "userpassword": "password99"
      }

      Response:

      {
          "code": 500,
          "reason": "Internal Server Error",
          "message": "The provided new password was found in the password history for the user"
      }

      It is not clear where the error code is coming from (code: performAdditionalPasswordChangedProcessing: 1425):

      // If we should check the password history, then do so now.
      if (newPasswords != null && pwPolicyState.maintainHistory()) {
        for (ByteString v : newPasswords) {
          if (pwPolicyState.isPasswordInHistory(v)
              && (selfChange || !authPolicy.isSkipValidationForAdministrators())) {
            pwpErrorType = PasswordPolicyErrorType.PASSWORD_IN_HISTORY;
            throw new DirectoryException(CONSTRAINT_VIOLATION, ERR_MODIFY_PW_IN_HISTORY.get());
          }
        }
        pwPolicyState.updatePasswordHistory();
      }

       

       

      Customer:

      The error code 500 may be interpreted as a server malfunction when it is not, and we think it should return another error code (maybe a 401 with the same descriptive message?)

      Sounds valid, a different code would make more sense (e.g. 400?)

       

      IdRepo logs:

      ERROR: An error occured while setting attributes for identity: testy
      org.forgerock.opendj.ldap.ConstraintViolationException: Constraint Violation: The provided new password was found in the password history for the user
              at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:166)
              at org.forgerock.opendj.ldap.spi.ResultLdapPromiseImpl.setResultOrError(ResultLdapPromiseImpl.java:132)
              at org.forgerock.opendj.grizzly.LDAPClientFilter$ClientResponseHandler.modifyResult(LDAPClientFilter.java:301)
              at org.forgerock.opendj.io.LDAPReader.readModifyResult(LDAPReader.java:520)
              at org.forgerock.opendj.io.LDAPReader.readProtocolOp(LDAPReader.java:555)
              at org.forgerock.opendj.io.LDAPReader.readMessage(LDAPReader.java:122)
              at org.forgerock.opendj.grizzly.LDAPBaseFilter.handleRead(LDAPBaseFilter.java:72)
              at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
              at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
              at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
              at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
              at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
              at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
              at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:526)
              at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
              at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
              at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
              at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
              at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:591)
              at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:571)
              at java.lang.Thread.run(Thread.java:748)
      
      amIdm:10/06/2017 01:36:56:375 PM BST: Thread[http-bio-8080-exec-4,5,main]: TransactionId[7a806e9c-e729-475b-9749-f557de54517d-929]
      ERROR: IdServicesImpl.setAttributes: Fatal Exception
      Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered an ldap exception 19: The provided new password was found in the password history for the user
      
              at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.handleErrorResult(DJLDAPv3Repo.java:2498)
              at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.setAttributes(DJLDAPv3Repo.java:1051)
              at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.setAttributes(DJLDAPv3Repo.java:865)
              at com.sun.identity.idm.server.IdServicesImpl.setAttributes(IdServicesImpl.java:1702)
              at com.sun.identity.idm.server.IdCachedServicesImpl.setAttributes(IdCachedServicesImpl.java:507)
              at com.sun.identity.idm.AMIdentity.store(AMIdentity.java:535)
              at com.sun.identity.idsvcs.opensso.IdentityServicesImpl.update(IdentityServicesImpl.java:320)
              at org.forgerock.openam.core.rest.IdentityResourceV2.updateInstance(IdentityResourceV2.java:1327)
              at org.forgerock.openam.core.rest.IdentityResourceV3.updateInstance(IdentityResourceV3.java:192)
              at org.forgerock.json.resource.InterfaceCollectionInstance.handleUpdate(InterfaceCollectionInstance.java:74)
              at org.forgerock.json.resource.Router.handleUpdate(Router.java:338)
              at org.forgerock.json.resource.Router.handleUpdate(Router.java:338)
              at org.forgerock.json.resource.FilterChain$Cursor.handleUpdate(FilterChain.java:119)
              at org.forgerock.openam.rest.fluent.AuditFilter.filterUpdate(AuditFilter.java:216)
              at org.forgerock.openam.rest.fluent.AuditFilterWrapper.filterUpdate(AuditFilterWrapper.java:96)
              at org.forgerock.json.resource.FilterChain$Cursor.handleUpdate(FilterChain.java:117)
              at org.forgerock.openam.rest.fluent.CrestLoggingFilter.filterUpdate(CrestLoggingFilter.java:184)
              at org.forgerock.json.resource.FilterChain$Cursor.handleUpdate(FilterChain.java:117)
              at org.forgerock.openam.rest.ContextFilter.filterUpdate(ContextFilter.java:93)
              at org.forgerock.json.resource.FilterChain$Cursor.handleUpdate(FilterChain.java:117)
              at org.forgerock.openam.rest.AuthenticationEnforcer.filterUpdate(AuthenticationEnforcer.java:191)
              at org.forgerock.json.resource.FilterChain$Cursor.handleUpdate(FilterChain.java:117)

              People

              • Assignee:
                peter.major Peter Major [X] (Inactive)
                Reporter:
                anastasios.kampas Anastasios Kampas
              • Votes:
                4
                Watchers:
                5

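
Added example, not OpenAM or OpenDJ code: one way a REST layer could translate the LDAP result code seen in the log above (19, constraint violation) into a client error instead of 500, while keeping real directory faults as 5xx with a generic message. The class, record and method names are hypothetical, and the choice of 400 follows the suggestion made in the ticket.

```java
import java.util.Map;

// Added illustration. LdapErrorToHttp, RestError and translate() are hypothetical
// names, not OpenAM or OpenDJ APIs. Requires Java 16+ (records, switch expressions).
public class LdapErrorToHttp {

    // Stand-in for the JSON error body shown in the ticket.
    record RestError(int code, String reason, String message) {}

    // LDAP result codes (RFC 4511) caused by the request itself -> 4xx.
    private static final Map<Integer, Integer> CLIENT_CAUSED = Map.of(
            19, 400,   // constraintViolation, e.g. password found in history
            32, 404,   // noSuchObject
            50, 403,   // insufficientAccessRights
            68, 409);  // entryAlreadyExists

    // Result codes meaning the directory cannot serve requests right now -> 503.
    private static final Map<Integer, Integer> STORE_UNAVAILABLE = Map.of(
            51, 503,   // busy
            52, 503);  // unavailable

    static RestError translate(int ldapResultCode, String diagnosticMessage) {
        Integer status = CLIENT_CAUSED.get(ldapResultCode);
        if (status != null) {
            // Policy feedback is meant for the caller: keep the directory's message.
            return new RestError(status, reason(status), diagnosticMessage);
        }
        // Anything else is a real fault: return a generic message and leave the
        // directory's diagnostic text to the server-side log.
        status = STORE_UNAVAILABLE.getOrDefault(ldapResultCode, 500);
        return new RestError(status, reason(status),
                "Identity store error (LDAP result code " + ldapResultCode + ")");
    }

    static String reason(int status) {
        return switch (status) {
            case 400 -> "Bad Request";
            case 403 -> "Forbidden";
            case 404 -> "Not Found";
            case 409 -> "Conflict";
            case 503 -> "Service Unavailable";
            default -> "Internal Server Error";
        };
    }

    public static void main(String[] args) {
        // Constructed inputs: the first is the case from the ticket.
        System.out.println(translate(19,
                "The provided new password was found in the password history for the user"));
        System.out.println(translate(52, "backend offline"));
        System.out.println(translate(80, "unexpected failure"));
    }
}
```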