- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 12.0.1, 13.0.0
- Sprint: AM Sustaining Sprint 13, AM Sustaining Sprint 14, AM Sustaining Sprint 15, AM Sustaining Sprint 16
Using the changePassword REST endpoint, via the XUI or the REST service directly, can throw an Internal Server Error.
Since OPENAM-3877, we hide the LDAP error behind an internal error. That is appropriate for internal configuration issues the user shouldn't be made aware of, such as:
"The entry uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org cannot be modified due to insufficient access rights"
However, when the error is caused by a user mistake, we still return an internal server error. In these cases it would be appropriate to return the LDAP error to the user:
- the user sent the wrong old password
- the new password does not respect the password policy (on DJ)
You can reproduce it with this curl command:

```bash
curl \
  --request POST \
  --header "iPlanetDirectoryPro: AQIC5wM2LY4SfczOHXUv8Vw4ltNyM86ikW2ipB9RZEA8CRs.*AAJTSQACMDEAAlNLABQtNzMzMDMxMDQ2MDQxNjQ4NzU1NQ..*" \
  --header "Content-Type: application/json" \
  --data '{ "currentpassword":"wrongpassword", "userpassword":"changeit" }' \
  http://openam.example.com:18080/openam/json/users/demo?_action=changePassword
```
Instead of throwing an internal exception:

```java
public static void changePassword(Context serverContext, String realm, String username,
        String oldPassword, String newPassword) throws ResourceException {
    try {
        SSOToken token = serverContext.asContext(SSOTokenContext.class).getCallerSSOToken();
        AMIdentity userIdentity = new AMIdentity(token, username, IdType.USER, realm, null);
        userIdentity.changePassword(oldPassword, newPassword);
    } catch (SSOException ssoe) {
        debug.warning("IdentityRestUtils.changePassword() :: SSOException occurred while changing "
                + "the password for user: " + username, ssoe);
        throw new PermanentException(401, "An error occurred while trying to change the password", ssoe);
    } catch (IdRepoException ire) {
        // Only the access-denied error code is translated; every other repository error,
        // including user mistakes such as a wrong old password, becomes a generic 500.
        if (IdRepoBundle.ACCESS_DENIED.equals(ire.getErrorCode())) {
            throw new ForbiddenException("The user is not authorized to change the password");
        } else {
            debug.warning("IdentityRestUtils.changePassword() :: IdRepoException occurred while "
                    + "changing the password for user: " + username, ire);
            throw new InternalServerErrorException("An error occurred while trying to change the password", ire);
        }
    }
}
```

we should throw a new type of exception that lets through only those LDAP errors that can safely be displayed to the user.
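As an added illustration, not code from this issue or from OpenAM, the filtering the description asks for could look like this: an allow-list of LDAP result codes that the user can cause through their own input is mapped to a 400 with a safe message, while every other code, including the insufficient-access-rights case above, stays a generic 500 with the raw LDAP message (and any DN it contains) confined to the server log. The class and method names are hypothetical and the result codes are the standard RFC 4511 values; which code the directory returns for a wrong old password is assumed.

```java
/** Hypothetical helper, not OpenAM code: decides what a changePassword caller may see. */
public final class PasswordChangeErrorFilter {

    /** HTTP status and message that the REST layer is allowed to send back. */
    public static final class ClientError {
        public final int httpStatus;
        public final String message;
        ClientError(int httpStatus, String message) { this.httpStatus = httpStatus; this.message = message; }
    }

    private static final String GENERIC = "An error occurred while trying to change the password";

    // Allow-list of standard LDAP result codes (RFC 4511) the user can cause with their own
    // input. Code 49 for a wrong old password is an assumption; code 20 is the OPENAM-8074
    // case. Every other code (e.g. 50 insufficientAccessRights) is treated as internal.
    private static String userAttributableMessage(int ldapResultCode) {
        switch (ldapResultCode) {
            case 49: return "The current password is incorrect";                      // invalidCredentials
            case 19: return "The new password does not satisfy the password policy";  // constraintViolation
            case 20: return "The new password must differ from the current password"; // attributeOrValueExists
            default: return null;
        }
    }

    // Maps an LDAP failure to a client-visible error. The raw LDAP message, which may name
    // the entry DN, is only written to the server log and never sent to the client.
    public static ClientError classify(int ldapResultCode, String rawLdapMessage) {
        String safe = userAttributableMessage(ldapResultCode);
        if (safe != null) {
            return new ClientError(400, safe);
        }
        System.err.println("changePassword failed, LDAP result " + ldapResultCode + ": " + rawLdapMessage);
        return new ClientError(500, GENERIC);
    }

    public static void main(String[] args) {
        // Constructed sample failures, in "code|message" form, as the data store might report them.
        String[] samples = {
            "49|Invalid credentials",
            "19|The provided new password failed the validation checks",
            "50|The entry uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org cannot be modified due to insufficient access rights"
        };
        for (String sample : samples) {
            String[] parts = sample.split("\\|", 2);
            ClientError err = classify(Integer.parseInt(parts[0]), parts[1]);
            System.out.println("LDAP " + parts[0] + " -> HTTP " + err.httpStatus + ": " + err.message);
        }
    }
}
```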
Issue links:
- depends on: OPENDJ-2299 ResultCode.valueOf throw java.lang.IndexOutOfBoundsException if the value is not in [0,16655[ (Done)
- duplicates: OPENAM-6614 Generic error message received when trying to change password using REST API (Closed)
- is related to: OPENAM-3877 Changing password through new REST endpoint fails if default AuthN chain needs more than just the password to authenticate (Resolved)
- is related to: OPENAM-8074 Changing an user password with the same value returns 400 with ldap errorcode=20 (Resolved)
- relates to: OPENAM-5562 Users can't change password via XUI/REST API after OPENAM-3877 when using embedded (Resolved)
- relates to: OPENAM-8174 OpenAM gives an Internal Server Error when the user tries to reset their password before the minimum password age (Resolved)