Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-9009

When using REST endpoint "json/users/?_action=create" with password policy violation, AM returns HTTP 400 "bad request", reason "Bad Request" , Message "Bad Request" rather than a more meaningful error message

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.0.0
    • Fix Version/s: 13.5.1, 14.5.0, 14.1.2
    • Component/s: rest
    • Labels:
    • Sprint:
      AM Sustaining Sprint 31, AM Sustaining Sprint 32, AM Sustaining Sprint 33, AM Sustaining Sprint 34, AM Sustaining Sprint 35, AM Sustaining Sprint 36, AM Sustaining Sprint 37
    • Story Points:
      5
    • Support Ticket IDs:

      Description

      When setting Password Constraints on OpenDJ. I set for passwords to be validated against dictionary.

      In AM 11, the Rest API would report back an "ldap exception 19" now it reports back 400/bad request in AM 13

      This is what OpenAM 13 shows from the client:

      curl --request POST --header "am13iPlanetDirectoryPro: AQIC5wM2LY4SfcxLhGRcgPzBxCP8Go1Cqa5lQz8WI7QDy9s.*AAJTSQACMDEAAlNLABQtMjg1Mjc4ODY1NDUxNzc2NDE1MgACUzEAAA..*" --header "Content-Type: application/json" --data '{ "username": "bjensen", "userpassword": "secret12", "mail": "bjensen@example.com"}' http://openam.example.com:1300/openam/json/dj/users/?_action=create
{"code":400,"reason":"Bad Request","message":"Bad Request"}

      IdRepo logs show the true meaning behind the error: "The password value for attribute userPassword was found to be unacceptable: The provided password contained a word from the server's dictionary"

      
DJLDAPv3Repo:05/27/2016 05:55:52:032 PM PDT: Thread[http-bio-1300-exec-6,5,main]: TransactionId[81d59535-2fc0-4dc0-8a19-3b4fe2d6e9fe-1013]
ERROR: Unable to add a new entry: bjensen attrMap: {uid=[bjensen], sn=[bjensen], mail=[bjensen@example.com], cn=[bjensen], inetuserstatus=[Active], userpassword=xxx..., objectclass=[devicePrintProfilesContainer, person, sunIdentityServerLibertyPPService, inetorgperson, sunFederationManagerDataStore, oathDeviceProfilesContainer, iPlanetPreferences, iplanet-am-auth-configuration-service, sunFMSAML2NameIdentifier, organizationalperson, inetuser, kbaInfoContainer, forgerock-am-dashboard-service, iplanet-am-managed-person, iplanet-am-user-service, sunAMAuthAccountLockout, top]}
org.forgerock.opendj.ldap.ConstraintViolationException: Constraint Violation: The password value for attribute userPassword was found to be unacceptable: The provided password contained a word from the server's dictionary
	at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:176)
	at org.forgerock.opendj.ldap.spi.ResultLdapPromiseImpl.setResultOrError(ResultLdapPromiseImpl.java:142)
	at org.forgerock.opendj.grizzly.LDAPClientFilter$ClientResponseHandler.addResult(LDAPClientFilter.java:126)
	at org.forgerock.opendj.io.LDAPReader.readAddResult(LDAPReader.java:173)
	at org.forgerock.opendj.io.LDAPReader.readProtocolOp(LDAPReader.java:571)
	at org.forgerock.opendj.io.LDAPReader.readMessage(LDAPReader.java:132)
	at org.forgerock.opendj.grizzly.LDAPBaseFilter.handleRead(LDAPBaseFilter.java:82)
	at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:283)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:200)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:132)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:111)
	at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
	at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:536)
	at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:591)
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:571)
	at java.lang.Thread.run(Thread.java:745)

amIdm:05/27/2016 05:55:52:033 PM PDT: Thread[http-bio-1300-exec-6,5,main]: TransactionId[81d59535-2fc0-4dc0-8a19-3b4fe2d6e9fe-1013]
ERROR: IdServicesImpl.create: Create: Fatal Exception
Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered an ldap exception 19: The password value for attribute userPassword was found to be unacceptable: The provided password contained a word from the server's dictionary

	at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.handleErrorResult(DJLDAPv3Repo.java:2480)
	at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.create(DJLDAPv3Repo.java:682)
	at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:450)
	at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:462)
	at com.sun.identity.idsvcs.opensso.IdentityServicesImpl.create(IdentityServicesImpl.java:158)
	at org.forgerock.openam.core.rest.IdentityResourceV2.attemptResourceCreation(IdentityResourceV2.java:1192)
	at org.forgerock.openam.core.rest.IdentityResourceV2.createInstance(IdentityResourceV2.java:1159)
	at org.forgerock.openam.core.rest.IdentityResourceV3.createInstance(IdentityResourceV3.java:161)
	at org.forgerock.json.resource.InterfaceCollectionHandler.handleCreate(InterfaceCollectionHandler.java:40)
	at org.forgerock.json.resource.Router.handleCreate(Router.java:255)
	at org.forgerock.json.resource.Router.handleCreate(Router.java:255)
	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:69)
	at org.forgerock.openam.rest.fluent.AuditFilter.filterCreate(AuditFilter.java:110)
	at org.forgerock.openam.rest.fluent.AuditFilterWrapper.filterCreate(AuditFilterWrapper.java:66)
	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:67)
	at org.forgerock.openam.rest.fluent.CrestLoggingFilter.filterCreate(CrestLoggingFilter.java:92)
	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:67)
	at org.forgerock.openam.rest.ContextFilter.filterCreate(ContextFilter.java:63)
	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:67)
	at org.forgerock.openam.rest.AuthenticationEnforcer.filterCreate(AuthenticationEnforcer.java:146)
	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:67)
	at org.forgerock.json.resource.FilterChain.handleCreate(FilterChain.java:213)
	at org.forgerock.json.resource.Router.handleCreate(Router.java:255)
	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:69)
	at org.forgerock.openam.rest.ContextFilter.filterCreate(ContextFilter.java:63)
	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:67)
	at org.forgerock.json.resource.FilterChain.handleCreate(FilterChain.java:213)
	at org.forgerock.json.resource.InternalConnection.createAsync(InternalConnection.java:44)
	at org.forgerock.json.resource.http.RequestRunner.visitCreateRequest(RequestRunner.java:160)
	at org.forgerock.json.resource.http.RequestRunner.visitCreateRequest(RequestRunner.java:73)
	at org.forgerock.json.resource.Requests$CreateRequestImpl.accept(Requests.java:258)
	at org.forgerock.json.resource.http.RequestRunner.handleResult(RequestRunner.java:119)
	at org.forgerock.json.resource.http.HttpAdapter$2.apply(HttpAdapter.java:566)
	at org.forgerock.json.resource.http.HttpAdapter$2.apply(HttpAdapter.java:563)
	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:221)
	at org.forgerock.json.resource.http.HttpAdapter.doRequest(HttpAdapter.java:562)
	at org.forgerock.json.resource.http.HttpAdapter.doCreate(HttpAdapter.java:432)
	at org.forgerock.json.resource.http.HttpAdapter.handle(HttpAdapter.java:161)
	at org.forgerock.http.handler.Chain.handle(Chain.java:57)
	at org.forgerock.http.filter.OptionsFilter.filter(OptionsFilter.java:77)
	at org.forgerock.http.handler.Chain.handle(Chain.java:55)
	at org.forgerock.http.handler.Chain.handle(Chain.java:57)
	at org.forgerock.openam.rest.CrestProtocolEnforcementFilter.filter(CrestProtocolEnforcementFilter.java:61)
	at org.forgerock.http.handler.Chain.handle(Chain.java:55)
	at org.forgerock.http.routing.Router.handle(Router.java:92)
	at org.forgerock.http.handler.Chain.handle(Chain.java:57)
	at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:84)
	at org.forgerock.http.handler.Chain.handle(Chain.java:55)
	at org.forgerock.http.routing.Router.handle(Router.java:92)
	at org.forgerock.http.handler.Chain.handle(Chain.java:57)
	at org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:64)
	at org.forgerock.http.handler.Chain.handle(Chain.java:55)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:220)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$400(AuthenticationFramework.java:65)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:212)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:205)
	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:221)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework.validateRequest(AuthenticationFramework.java:168)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$100(AuthenticationFramework.java:65)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:155)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:152)
	at org.forgerock.util.promise.PromiseImpl$7.handleStateChange(PromiseImpl.java:445)
	at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:521)
	at org.forgerock.util.promise.PromiseImpl.addOrFireListener(PromiseImpl.java:509)
	at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:438)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework.processMessage(AuthenticationFramework.java:146)
	at org.forgerock.caf.authentication.framework.AuthenticationFilter.filter(AuthenticationFilter.java:96)
	at org.forgerock.http.handler.Chain.handle(Chain.java:55)
	at org.forgerock.openam.http.HandlerProvider.handle(HandlerProvider.java:50)
	at org.forgerock.openam.http.HttpRoute$3.handle(HttpRoute.java:142)
	at org.forgerock.http.routing.Router.handle(Router.java:92)
	at org.forgerock.http.handler.Chain.handle(Chain.java:57)
	at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:60)
	at org.forgerock.http.handler.Chain.handle(Chain.java:55)
	at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:222)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:106)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)

      DJ Access logs are showing:
[27/May/2016:17:55:51 -0700] ADD REQ conn=1 op=217 msgID=218 dn="uid=bjensen,ou=people,dc=example,dc=com"
[27/May/2016:17:55:51 -0700] ADD RES conn=1 op=217 msgID=218 result=19 message="The password value for attribute userPassword was found to be unacceptable: The provided password contained a word from the server's dictionary" etime=1
[27/May/2016:17:55:53 -0700] SEARCH REQ conn=2 op=212 msgID=213 base="" scope=base filter="(objectClass=*)" attrs="1.1"
[27/May/2016:17:55:53 -0700] SEARCH RES conn=2 op=212 msgID=213 result=0 nentries=1 etime=0

        Attachments

          Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-9860 Creating a user via json/users that does not meet password requirements results in 404 status

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. OPENAM-11922 Error code(500) is returning when updating a password that exists in the password history(policy configured)

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          is related to

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-11428 When using REST endpoint "json/users/?_action=create" with password policy violation, AM returns HTTP 400 "bad request", reason "Bad Request" , Message "Bad Request" (for non-Behera case)

          • Major - Major loss of function.
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-9459 500 Internal Server Error from changePassword endpoint with AD repo

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-16402 The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. OPENAM-12050 Password error message not specific

          • Major - Major loss of function.
          • Resolved

            Activity

              People

              • Assignee:
                kamal.sivanandam@forgerock.com Kamal Sivanandam
                Reporter:
                david.bate David Bate
              • Votes:
                1 Vote for this issue
                Watchers:
                10 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: