[OPENAM-3877] Changing password through new REST endpoint fails if default AuthN chain needs more than just the password to authenticate Created: 16/Apr/14  Updated: 20/Nov/16  Resolved: 11/Feb/15

Status: Resolved
Project: OpenAM
Component/s: rest
Affects Version/s: 11.0.0
Fix Version/s: 11.0.3, 12.0.1, 13.0.0

Type: Bug
Priority: Major
Reporter: Nathalie Hoet
Assignee: Peter Major [X] (Inactive)
Resolution: Fixed
Votes: 0
Labels: EDISON, release-notes
Remaining Estimate: 0h
Time Spent: 3h
Original Estimate: Not Specified

Environment: CentOS 6.4

Issue Links:
is duplicated by OPENAM-5557 XUI fails on password change with WDS... Resolved
relates to OPENAM-5562 Users can't change password via XUI/R... Resolved
relates to OPENAM-6867 changePassword REST endpoint is not r... Resolved
relates to OPENAM-5159 Request to improve REST forgotPasswor... Resolved
Target Version/s:
Sprint: Sprint 76 - Sustaining
Epic Link: Password Policy Rationalization
Support Ticket IDs:


When changing a password through the new REST interface, the IdentityResource#checkValidPassword method tries to authenticate the user in the realm (using the realm's default chain), but it does not have access to the AuthN context. If the authentication needs anything other than the username/old password (e.g. the historical IP address in the adaptive risk module), the authentication fails and the password cannot be changed.
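The failure mode above, as an added model that is not OpenAM code and does not reflect how the fix in R12462 was implemented: an authentication chain made of a password module plus an adaptive-risk module that needs the client IP from the request context. A password validator that runs the chain with an empty context (as the report describes) is rejected even for the correct old password, so the password change is refused; threading the caller's request context through lets the same chain succeed. All names (`AuthContext`, `PasswordModule`, `AdaptiveRiskModule`, `AuthChain`, `check_valid_password*`, `change_password`) and the sample user, password and IP are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class AuthContext:
    """Request context a chain may consult. Constructed for this model;
    only the client IP is modelled here."""
    client_ip: Optional[str] = None


class PasswordModule:
    """Checks username/password against an in-memory store (constructed)."""

    def __init__(self, store: Dict[str, str]):
        self.store = store

    def authenticate(self, username: str, password: str, ctx: AuthContext) -> bool:
        return self.store.get(username) == password


class AdaptiveRiskModule:
    """Needs the client IP from the context. Fails closed when it is absent,
    which is the behaviour that breaks a context-less password check."""

    def __init__(self, known_ips: Dict[str, Set[str]]):
        self.known_ips = known_ips

    def authenticate(self, username: str, password: str, ctx: AuthContext) -> bool:
        if ctx.client_ip is None:
            return False  # nothing to evaluate risk on: deny
        return ctx.client_ip in self.known_ips.get(username, set())


class AuthChain:
    """All modules must succeed (a 'required' chain, simplified)."""

    def __init__(self, modules):
        self.modules = list(modules)

    def authenticate(self, username: str, password: str, ctx: AuthContext) -> bool:
        return all(m.authenticate(username, password, ctx) for m in self.modules)


def check_valid_password(chain: AuthChain, username: str, old_password: str) -> bool:
    """Models the reported bug: the chain is run with no AuthN context."""
    return chain.authenticate(username, old_password, AuthContext())


def check_valid_password_with_context(chain: AuthChain, username: str,
                                      old_password: str, ctx: AuthContext) -> bool:
    """Hypothetical variant: the caller's request context reaches the chain."""
    return chain.authenticate(username, old_password, ctx)


def change_password(chain: AuthChain, store: Dict[str, str], username: str,
                    old_password: str, new_password: str,
                    ctx: Optional[AuthContext] = None) -> str:
    """Returns 'changed' or 'rejected: old password check failed'.
    With ctx=None it behaves like the buggy endpoint; with a context it
    behaves like the context-aware variant."""
    if ctx is None:
        ok = check_valid_password(chain, username, old_password)
    else:
        ok = check_valid_password_with_context(chain, username, old_password, ctx)
    if not ok:
        return "rejected: old password check failed"
    store[username] = new_password
    return "changed"


def build_demo_chain():
    """Constructed sample data: one user with one known (documentation-range) IP."""
    store = {"alice": "s3cret"}
    known_ips = {"alice": {"203.0.113.7"}}
    chain = AuthChain([PasswordModule(store), AdaptiveRiskModule(known_ips)])
    return chain, store


if __name__ == "__main__":
    chain, store = build_demo_chain()
    # Correct old password, but no context: the adaptive-risk module denies.
    print(change_password(chain, store, "alice", "s3cret", "n3w-pass"))
    # Same request with the caller's context: the chain can evaluate and accept.
    ctx = AuthContext(client_ip="203.0.113.7")
    print(change_password(chain, store, "alice", "s3cret", "n3w-pass", ctx))
    print(store["alice"])
```

The point of the model is that the password-change endpoint is really performing an authentication, so it needs everything the realm's chain needs; running the chain with less information than a normal login would have makes the chain fail closed and the endpoint unusable for any realm whose default chain is stricter than username/password.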

Comment by Peter Major [X] (Inactive) [ 12/Oct/14 ]

For 12.0.0 this appears to be difficult to fix unfortunately, because a completely new feature, AME-2812, started to rely on validating passwords...

Comment by Sam Drew [ 12/Nov/14 ]

If there is a low-risk way to implement this, it can be included in OpenAM 12.

Comment by Peter Major [X] (Inactive) [ 11/Feb/15 ]

Fixed in 11.0.3 with R12462

Comment by Peter Major [X] (Inactive) [ 17/Mar/15 ]

Ported to 12.0.1 and 13.0.0 with R13034 and R13042

Generated at Mon Jan 25 05:15:26 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.