Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-6867

changePassword REST endpoint is not returning LDAP issues that are related to a user mistake.

    Details

    • Support Ticket IDs:

      Description

      Using the changePassword REST endpoint, via the XUI or the REST service directly, can throw an Internal Server Error:
      Since OPENAM-3877, we abstract the LDAP error by an internal error, which is relevant for internal configuration issue that the user shouldn't be aware of, like 

      The entry uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org cannot be modified due to insufficient access rights

      However, when the error is due to a user mistake, we still have an internal server error. In this case, it will be relevant to return the LDAP error to the user.

      • the user sent the wrong old password
      • the new password is not respecting the password policy (on DJ)

      You can use this curl command:

      curl \
 --request POST \
 --header "iPlanetDirectoryPro: AQIC5wM2LY4SfczOHXUv8Vw4ltNyM86ikW2ipB9RZEA8CRs.*AAJTSQACMDEAAlNLABQtNzMzMDMxMDQ2MDQxNjQ4NzU1NQ..*" \
 --header "Content-Type: application/json" \
 --data '{
     "currentpassword":"wrongpassword",
     "userpassword":"changeit"
 }' \
 http://openam.example.com:18080/openam/json/users/demo?_action=changePassword

      Instead of throwing an internal exception:

      org.forgerock.openam.core.rest.IdentityRestUtils.java
       public static void changePassword(Context serverContext, String realm, String username, String oldPassword,
            String newPassword) throws ResourceException {
        try {
            SSOToken token = serverContext.asContext(SSOTokenContext.class).getCallerSSOToken();
            AMIdentity userIdentity = new AMIdentity(token, username, IdType.USER, realm, null);
            userIdentity.changePassword(oldPassword, newPassword);
        } catch (SSOException ssoe) {
            debug.warning("IdentityRestUtils.changePassword() :: SSOException occurred while changing "
                    + "the password for user: " + username, ssoe);
            throw new PermanentException(401, "An error occurred while trying to change the password", ssoe);
        } catch (IdRepoException ire) {
            if (IdRepoBundle.ACCESS_DENIED.equals(ire.getErrorCode())) {
                throw new ForbiddenException("The user is not authorized to change the password");
            } else {
                debug.warning("IdentityRestUtils.changePassword() :: IdRepoException occurred while "
                        + "changing the password for user: " + username, ire);
                throw new InternalServerErrorException("An error occurred while trying to change the password", ire);
            }
        }
    }

      we should throw a new type of exception that filter the LDAP exception that could be display to the user.

        Attachments

          Issue Links

          depends on

          Bug - A problem which impairs or prevents the functions of the product. OPENDJ-2299 ResultCode.valueOf throw java.lang.IndexOutOfBoundsException if the value is not in [0,16655[

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Done
          duplicates

          Improvement - An improvement or enhancement to an existing feature or task. OPENAM-6614 Generic error message received when trying to change password using REST API

          • Major - Major loss of function.
          • Closed
          is related to

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-3877 Changing password through new REST endpoint fails if default AuthN chain needs more than just the password to authenticate

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-8074 Changing an user password with the same value returns 400 with ldap errorcode=20

          • Major - Major loss of function.
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-5562 Users can't change password via XUI/REST API after OPENAM-3877 when using embedded

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-8174 OpenAM gives an Internal Server Error when the user tries to reset their password before the minimum password age

          • Major - Major loss of function.
          • Resolved

            Activity

              People

              • Assignee:
                quentin.castel Quentin CASTEL [X] (Inactive)
                Reporter:
                quentin.castel Quentin CASTEL [X] (Inactive)
              • Votes:
                0 Vote for this issue
                Watchers:
                11 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: