OPENAM-16402: The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.2, 6.5.2.1, 6.5.2.2, 6.5.2.3
    • Fix Version/s: 7.0.0, 6.5.3
    • Component/s: authentication, idrepo
    • Environment: OpenDJ password policy constraints enabled (Behera enabled too)
    • Sprint: AM Sustaining Sprint 76
    • Story Points: 3
    • Needs QA verification: No
    • Functional tests: Yes
    • Are the reproduction steps defined?: Yes, and I used the same ones as in the description

      Description

       Bug description

      When org.forgerock.openam.idrepo.ldapv3.passwordpolicy.allowDiagnosticMessage=true is set as an Advanced Property (on Servers) or through the JDK properties, the password policy error from DJ (if a DJ identity store is used) is passed back in full when Behera is set, for cases where the user wants the full DJ error message rather than the sanitized version.

      But there are some places where this does not give the full diagnostic error.

      How to reproduce the issue

      1. Create a DJ password policy (say, an alphanumeric one) with a password validator, for example:
         ValidPasswordPolicy     : password-policy : userPassword       : Clear
         password-validator                         Repeated Characters
      2. Create a subrealm /selfserv and create a new DJ identity store with the DJ password policy for this testuser.
      3. Create a self-service registration for this realm too.
      4. Go to the server Advanced properties and add org.forgerock.openam.idrepo.ldapv3.passwordpolicy.allowDiagnosticMessage=true
      5. Test password change in each place: forgot password in self service, change password after user login, and password change by the admin on the server.

      Expected behaviour
      All tests use the detailed DJ password policy error, i.e. the message contains "The provided password value was rejected by a password validator:"
      ====== UPDATE by ADMIN USING PUT =====
      {"code":400,"reason":"Bad Request","message":"The provided password value was rejected by a password validator: The provided password contained too many instances of the same character appearing consecutively. The maximum number of times the same character may appear consecutively in a password is 2"}
      ====== UPDATE by USER USING PUT =====
      {"code":400,"reason":"Bad Request","message":"Cannot update user password via PUT. Use POST with _action=changePassword or _action=forgotPassword."}
      ======== UPDATE BY ADMIN ON USER CHANGEPASSWORD =========
      {"code":400,"reason":"Bad Request","message":"The provided password value was rejected by a password validator: The provided password contained too many instances of the same character appearing consecutively. The maximum number of times the same character may appear consecutively in a password is 2"}
      ======== UPDATE BY USER ITSELF CHANGEPASSWORD =========
      {"code":400,"reason":"Bad Request","message":"The provided password value was rejected by a password validator: The provided password contained too many instances of the same character appearing consecutively. The maximum number of times the same character may appear consecutively in a password is 2"}

      Current behaviour
      - Self service password change --> gives the generic password error
      - Login as testuser and try password change --> gives the full DJ reason
      - As admin user (UI), change password --> gives the generic password error (the "====== UPDATE by ADMIN USING PUT =====" case), i.e. "The password did not meet the password policy requirements."

      B-16402.sh can be run to verify this (as an example).

      Work around

      - (none)

      Code analysis

      IdentityServicesImpl.java
      .... This should probably use the error mapper, so that every password-change path reports the policy failure the same way.
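      As an added illustration (not OpenAM code, and not the script attached to this ticket), the following Python sketch models the shared error mapper the analysis points at: one function translates the directory's constraintViolation result into the REST error body, revealing the DJ diagnostic text only when the allowDiagnosticMessage flag is on, and a consistency check shows how a code path that bypasses that mapper (modelled here as the admin PUT path) produces the mismatch reported above. The LdapResult model, the result-code handling and all function names are assumptions made for this example; the sample diagnostic text is constructed from the validator message quoted in the ticket.

```python
# Illustrative error mapper for password-policy failures (not OpenAM code).
# It models the behaviour the ticket asks for: one mapper, shared by every
# password-change code path, that reveals the directory's diagnostic message
# only when the allowDiagnosticMessage property is true.
import json
from dataclasses import dataclass

# LDAP result code 19 = constraintViolation (RFC 4511); this is what a
# directory returns when a password validator rejects the new value.
LDAP_CONSTRAINT_VIOLATION = 19

# Generic text returned when diagnostics are disabled (the sanitized form
# quoted in the ticket's "Current behaviour").
GENERIC_POLICY_MESSAGE = "The password did not meet the password policy requirements."

# Constructed sample of a directory diagnostic message, modelled on the
# "Repeated Characters" validator text quoted in the ticket.
SAMPLE_DIAGNOSTIC = (
    "The provided password value was rejected by a password validator: "
    "The provided password contained too many instances of the same "
    "character appearing consecutively. The maximum number of times the "
    "same character may appear consecutively in a password is 2"
)


@dataclass(frozen=True)
class LdapResult:
    """Minimal (assumed) model of an LDAP modify result: code plus diagnostic text."""
    result_code: int
    diagnostic_message: str


def map_password_error(result: LdapResult, allow_diagnostic: bool) -> dict:
    """Translate a directory result into the REST error body.

    The diagnostic text is only passed through when the deployment has
    opted in; the default hides validator details from the caller.
    """
    if result.result_code == 0:
        return {"code": 200, "reason": "OK", "message": "Password updated"}
    if result.result_code != LDAP_CONSTRAINT_VIOLATION:
        # Anything other than a policy rejection is not a client error.
        return {"code": 500, "reason": "Internal Server Error",
                "message": "Password update failed"}
    message = result.diagnostic_message if allow_diagnostic else GENERIC_POLICY_MESSAGE
    return {"code": 400, "reason": "Bad Request", "message": message}


# The three password-change paths from the ticket. In the buggy state the
# admin PUT path built its own generic error instead of calling the mapper.
PASSWORD_PATHS = ("admin PUT", "admin changePassword", "user changePassword")


def handle_all_paths(result: LdapResult, allow_diagnostic: bool,
                     bypass_mapper_on=()) -> dict:
    """Run the same directory result through every path.

    `bypass_mapper_on` names paths that skip the shared mapper, which is
    how the inconsistency described in the ticket arises.
    """
    responses = {}
    for path in PASSWORD_PATHS:
        if path in bypass_mapper_on and result.result_code != 0:
            # Hand-rolled error: ignores the flag, always sanitized.
            responses[path] = {"code": 400, "reason": "Bad Request",
                               "message": GENERIC_POLICY_MESSAGE}
        else:
            responses[path] = map_password_error(result, allow_diagnostic)
    return responses


def paths_consistent(responses: dict) -> bool:
    """Regression check: every path must return the identical error body."""
    bodies = {json.dumps(r, sort_keys=True) for r in responses.values()}
    return len(bodies) == 1


if __name__ == "__main__":
    rejected = LdapResult(LDAP_CONSTRAINT_VIOLATION, SAMPLE_DIAGNOSTIC)
    buggy = handle_all_paths(rejected, True, bypass_mapper_on=("admin PUT",))
    fixed = handle_all_paths(rejected, True)
    print("buggy consistent:", paths_consistent(buggy))   # False
    print("fixed consistent:", paths_consistent(fixed))   # True
    for path, body in fixed.items():
        print(path, "->", json.dumps(body))
```

      The design choice worth keeping from this sketch is that the flag is consulted in exactly one place: a path that builds its own error body can never honour the property, and a regression test like paths_consistent catches that regardless of which UI or REST entry point the change arrives through.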
      

      People

      • Assignee: chee-weng.chea C-Weng C
      • Reporter: chee-weng.chea C-Weng C