OpenAM / OPENAM-6867

changePassword REST endpoint is not returning LDAP issues that are related to a user mistake.



Description

Using the changePassword REST endpoint, via the XUI or the REST service directly, can throw an Internal Server Error. Since OPENAM-3877, we abstract the LDAP error behind an internal error, which is appropriate for internal configuration issues that the user shouldn't be aware of, like:

    The entry uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org cannot be modified due to insufficient access rights

However, when the error is due to a user mistake, we still return an internal server error. In these cases it would be relevant to return the LDAP error to the user:

    • the user sent the wrong old password
    • the new password does not respect the password policy (on DJ)

You can use this curl command (the iPlanetDirectoryPro value is the SSO token of the session performing the change):

    curl \
     --request POST \
     --header "iPlanetDirectoryPro: AQIC5wM2LY4SfczOHXUv8Vw4ltNyM86ikW2ipB9RZEA8CRs.*AAJTSQACMDEAAlNLABQtNzMzMDMxMDQ2MDQxNjQ4NzU1NQ..*" \
     --header "Content-Type: application/json" \
     --data '{
         "currentpassword":"wrongpassword",
         "userpassword":"changeit"
     }' \
     http://openam.example.com:18080/openam/json/users/demo?_action=changePassword

Instead of throwing an internal exception, as the current code does:

org.forgerock.openam.core.rest.IdentityRestUtils.java (current behaviour)

    public static void changePassword(Context serverContext, String realm, String username, String oldPassword,
            String newPassword) throws ResourceException {
        try {
            SSOToken token = serverContext.asContext(SSOTokenContext.class).getCallerSSOToken();
            AMIdentity userIdentity = new AMIdentity(token, username, IdType.USER, realm, null);
            userIdentity.changePassword(oldPassword, newPassword);
        } catch (SSOException ssoe) {
            // Caller's session is invalid: 401, generic message.
            debug.warning("IdentityRestUtils.changePassword() :: SSOException occurred while changing "
                    + "the password for user: " + username, ssoe);
            throw new PermanentException(401, "An error occurred while trying to change the password", ssoe);
        } catch (IdRepoException ire) {
            if (IdRepoBundle.ACCESS_DENIED.equals(ire.getErrorCode())) {
                // Only the access-denied code is distinguished today.
                throw new ForbiddenException("The user is not authorized to change the password");
            } else {
                // Every other repository error, including a wrong old password or a
                // password-policy rejection from DJ, collapses into a generic 500.
                debug.warning("IdentityRestUtils.changePassword() :: IdRepoException occurred while "
                        + "changing the password for user: " + username, ire);
                throw new InternalServerErrorException("An error occurred while trying to change the password", ire);
            }
        }
    }

we should throw a new type of exception that filters the LDAP exceptions which may be displayed to the user from those which must stay hidden.
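As an added illustration of the proposed filtering (example code written for this page, not OpenAM code from the ticket or the product): a standalone Java sketch that maps LDAP result codes to what the REST layer should return. The LdapFailure and RestError classes are hypothetical stand-ins for IdRepoException and the CREST exceptions; the result-code numbers are the standard RFC 4511 values, and the assumption that DJ reports a wrong current password as invalidCredentials (49) and a policy rejection as constraintViolation (19) is mine, not something the ticket states.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Standalone sketch (not OpenAM code): decide, per LDAP result code, whether a
 * password-change failure is the user's fault (safe to surface with the
 * directory's diagnostic message) or an internal problem (mask it).
 */
public class PasswordChangeErrorFilter {

    // Standard LDAP result codes (RFC 4511).
    static final int CONSTRAINT_VIOLATION = 19;       // assumed: DJ password-policy rejection
    static final int INVALID_CREDENTIALS = 49;        // assumed: wrong current password
    static final int INSUFFICIENT_ACCESS_RIGHTS = 50; // ACI / configuration problem
    static final int UNWILLING_TO_PERFORM = 53;       // other server-side refusal

    static final String GENERIC = "An error occurred while trying to change the password";

    /** Hypothetical stand-in for the repository exception wrapping the LDAP error. */
    static final class LdapFailure extends Exception {
        final int resultCode;
        LdapFailure(int resultCode, String diagnosticMessage) {
            super(diagnosticMessage);
            this.resultCode = resultCode;
        }
    }

    /** Hypothetical stand-in for the CREST ResourceException the REST layer raises. */
    static final class RestError {
        final int httpStatus;
        final String message; // the only text that reaches the client
        RestError(int httpStatus, String message) {
            this.httpStatus = httpStatus;
            this.message = message;
        }
        @Override public String toString() { return httpStatus + " " + message; }
    }

    /** True only for failures caused by what the user submitted. */
    static boolean isUserError(int resultCode) {
        return resultCode == INVALID_CREDENTIALS || resultCode == CONSTRAINT_VIOLATION;
    }

    /**
     * User errors become a 400 carrying the directory's diagnostic message.
     * Access problems stay a 403 with a fixed message, so the entry DN and ACI
     * details in DJ's text never reach the client. Everything else is a
     * generic 500, logged server-side but not echoed.
     */
    static RestError toRestError(LdapFailure e) {
        if (isUserError(e.resultCode)) {
            return new RestError(400, e.getMessage());
        }
        if (e.resultCode == INSUFFICIENT_ACCESS_RIGHTS) {
            return new RestError(403, "The user is not authorized to change the password");
        }
        return new RestError(500, GENERIC);
    }

    public static void main(String[] args) {
        // Constructed sample failures; the messages imitate DJ's style but are made up.
        List<LdapFailure> samples = new ArrayList<>();
        samples.add(new LdapFailure(INVALID_CREDENTIALS,
                "The provided current password is invalid"));
        samples.add(new LdapFailure(CONSTRAINT_VIOLATION,
                "The provided password is shorter than the minimum required length of 8"));
        samples.add(new LdapFailure(INSUFFICIENT_ACCESS_RIGHTS,
                "The entry uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org cannot be modified due to insufficient access rights"));
        samples.add(new LdapFailure(UNWILLING_TO_PERFORM,
                "Password modify is not supported on this backend"));

        for (LdapFailure f : samples) {
            System.out.println("LDAP result " + f.resultCode + " -> " + toRestError(f));
        }
    }
}
```

Two caveats a reviewer would raise against a patch along these lines. First, DJ's constraintViolation text describes the policy that rejected the password (minimum length, history depth, and so on); that is acceptable to show to a user changing their own password, but the list of codes treated as user errors should be an explicit allow-list, never "everything except access denied". Second, a distinct 400 for a wrong current password turns the endpoint into an oracle for that one password; since the call already requires the user's own SSO token that is the expected behaviour, but the usual lockout and rate limits should still apply to it.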

Assignee: Quentin CASTEL
Reporter: Quentin CASTEL