The XUI profile page fails on changing the user's password when the default authentication chain has been configured for WDSSO.
When trying to change the password, XUI responds with an "invalid password" message, although the password is correct.
The auth chain is configured like this:
1. WDSSO as SUFFICIENT
2. Datastore (against external OpenDJ) as REQUIRED
The chain is working properly with normal authentication on secured services.
Users with valid Kerberos tickets are authenticated automatically, others provide user/password in the XUI login prompt.
Steps to reproduce:
1. Set up WDSSO authentication against AD (see auth chain above)
2. Enable XUI
3. Verify that authentication without Kerberos is working properly for a chosen user via the login prompt. Remember the password.
You should now be located in the XUI profile screen (.../openam/XUI/#profile/).
4. Hit the change password link and provide old & new credentials for the user.
5. Submit the form and note the error message about an "invalid user or password".
This is reproducible as soon as the WDSSO module is put in the chain.