- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 6.5.2, 6.5.2.1, 6.5.2.2, 6.5.2.3
- Component/s: authentication, idrepo
- Labels:
- Environment: OpenDJ password policy constraints enabled (Behera enabled too)
- Sprint: AM Sustaining Sprint 76
- Story Points: 3
- Support Ticket IDs:
- Needs QA verification: No
- Functional tests: Yes
- Are the reproduction steps defined?: Yes and I used the same as in the description
Bug description
When org.forgerock.openam.idrepo.ldapv3.passwordpolicy.allowDiagnosticMessage=true is set as an Advanced Property (on Servers) or through the JDK properties, the DJ password policy error (if the DJ identity store is used) is passed back unchanged when Behera is enabled, for cases where the user wants the full DJ error message rather than the sanitized version.
But in some code paths the full diagnostic error is still not returned.
How to reproduce the issue
- Create a DJ password policy say with alpha numeric
ValidPasswordPolicy : password-policy : userPassword : Clear password-validator Repeated Characters
- Create a subrealm /selfserv and create a new DJ identity store that applies the DJ password policy to this test user (testuser)
- Create self service registration for this realm too
- Goto server advanced property and add org.forgerock.openam.idrepo.ldapv3.passwordpolicy.allowDiagnosticMessage=true
- Test password change via each path: forgot password in self service, change password after user login, and password change as an admin on the server
Expected behaviour
All tests return the detailed DJ password policy error, i.e. the message contains "The provided password value was rejected by a password validator:".

====== UPDATE by ADMIN USING PUT =====
{"code":400,"reason":"Bad Request","message":"The provided password value was rejected by a password validator: The provided password contained too many instances of the same character appearing consecutively. The maximum number of times the same character may appear consecutively in a password is 2"}

====== UPDATE by USER USING PUT =====
{"code":400,"reason":"Bad Request","message":"Cannot update user password via PUT. Use POST with _action=changePassword or _action=forgotPassword."}

======== UPDATE BY ADMIN ON USER CHANGEPASSWORD =========
{"code":400,"reason":"Bad Request","message":"The provided password value was rejected by a password validator: The provided password contained too many instances of the same character appearing consecutively. The maximum number of times the same character may appear consecutively in a password is 2"}

======== UPDATE BY USER ITSELF CHANGEPASSWORD =========
{"code":400,"reason":"Bad Request","message":"The provided password value was rejected by a password validator: The provided password contained too many instances of the same character appearing consecutively. The maximum number of times the same character may appear consecutively in a password is 2"}
Current behaviour
- Self service password change --> gives the generic password error
- Login as testuser and try password change --> gives the full DJ reason
- As admin user (UI), change password --> gives the generic password error (the "====== UPDATE by ADMIN USING PUT =====" case), i.e. "The password did not meet the password policy requirements."
Can you run B-16402.sh to check this (as an example)?
Work around
-
Code analysis
Probably should use the Error mapper.
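As an added illustration of the "Error mapper" idea (example code, not OpenAM's own), the block below models one mapping point that every password-change path calls, so the allowDiagnosticMessage setting decides between the full DJ diagnostic and the sanitized text consistently. LdapResult, map_password_policy_error, run_all_paths and the sample rejection are constructed; the Behera error names come from draft-behera-ldap-password-policy.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Error values of the Behera passwordPolicyResponse control (draft-behera-ldap-password-policy)
BEHERA_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}
CONSTRAINT_VIOLATION = 19  # LDAP resultCode constraintViolation, returned for rejected passwords
GENERIC_MESSAGE = "The password did not meet the password policy requirements."

@dataclass
class LdapResult:                    # constructed stand-in for the directory's result
    result_code: int
    diagnostic: str                  # diagnosticMessage text from the directory
    behera_error: Optional[int]      # error field of the Behera response control, if present

def map_password_policy_error(result: LdapResult, allow_diagnostic: bool) -> dict:
    """The single place that turns a directory password-policy rejection into a REST error.
    allow_diagnostic mirrors the allowDiagnosticMessage property from the ticket."""
    if result.result_code != CONSTRAINT_VIOLATION:
        raise ValueError(f"not a password policy rejection: resultCode {result.result_code}")
    policy_error = BEHERA_ERRORS.get(result.behera_error, "unknown")
    # Full validator text only when explicitly allowed; otherwise the sanitized message
    message = result.diagnostic if allow_diagnostic else GENERIC_MESSAGE
    return {"code": 400, "reason": "Bad Request", "message": message, "policyError": policy_error}

# Constructed rejection modelled on the DJ Repeated Characters validator output in the ticket
SAMPLE_REJECTION = LdapResult(
    result_code=CONSTRAINT_VIOLATION,
    diagnostic="The provided password value was rejected by a password validator: "
               "The provided password contained too many instances of the same character "
               "appearing consecutively. The maximum number of times the same character "
               "may appear consecutively in a password is 2",
    behera_error=5,
)

def run_all_paths(allow_diagnostic: bool) -> dict:
    """Simulates the three change paths from the ticket; each routes the directory
    error through the mapper instead of composing its own message."""
    paths = ("self_service_forgot_password", "user_changePassword", "admin_PUT")
    return {p: map_password_policy_error(SAMPLE_REJECTION, allow_diagnostic) for p in paths}

if __name__ == "__main__":
    for allow in (False, True):
        print(f"allowDiagnosticMessage={allow}")
        print(json.dumps(run_all_paths(allow), indent=2))
```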
is related to:
- OPENAM-11428 When using REST endpoint "json/users/?_action=create" with password policy violation, AM returns HTTP 400 "bad request", reason "Bad Request", Message "Bad Request" (for non-Behera case) (Resolved)
- OPENAM-9009 When using REST endpoint "json/users/?_action=create" with password policy violation, AM returns HTTP 400 "bad request", reason "Bad Request", Message "Bad Request" rather than a more meaningful error message (Resolved)
- OPENAM-12050 Password error message not specific (Resolved)