[OPENAM-3877] Changing password through new REST endpoint fails if default AuthN chain needs more than just the password to authenticate
|Created:||16/Apr/14|
|Updated:||20/Nov/16|
|Resolved:||11/Feb/15|
|Fix Version/s:||11.0.3, 12.0.1, 13.0.0|
|Reporter:||Nathalie Hoet||Assignee:||Peter Major [X] (Inactive)|
|Original Estimate:||Not Specified|
|Sprint:||Sprint 76 - Sustaining|
|Epic Link:||Password Policy Rationalization|
|Support Ticket IDs:||(none)|
When changing password through the new REST interface, the IdentityResource#checkValidPassword method tries to authenticate the user in the realm (using the default chain for the realm), but does not have access to the AuthN context. If the authentication needs anything other than the username/old password (e.g. historical IP address in the adaptive risk module), the authentication fails and the password cannot be changed.
|Comment by Peter Major [X] (Inactive) [ 12/Oct/14 ]|
For 12.0.0 this appears to be difficult to fix unfortunately, because a completely new feature, AME-2812, started to rely on validating passwords...
|Comment by Sam Drew [ 12/Nov/14 ]|
If there is a low-risk way to implement this it can be included in OpenAM 12.
|Comment by Peter Major [X] (Inactive) [ 11/Feb/15 ]|
Fixed in 11.0.3 with R12462
|Comment by Peter Major [X] (Inactive) [ 17/Mar/15 ]|
Ported to 12.0.1 and 13.0.0 with R13034 and R13042