[OPENAM-6867] changePassword REST endpoint is not returning LDAP issues that are related to a user mistake. Created: 16/Sep/15 Updated: 09/Aug/17 Resolved: 07/Jan/16 |
|
| Status: | Resolved |
| Project: | OpenAM |
| Component/s: | rest, XUI |
| Affects Version/s: | 12.0.1, 13.0.0 |
| Fix Version/s: | 12.0.3, 13.0.0 |
| Type: | Bug | Priority: | Major |
| Reporter: | Quentin CASTEL [X] (Inactive) | Assignee: | Quentin CASTEL [X] (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | 13.0.0-Must-Fix, EDISON, release-notes, test-candidate | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||||||||||||||||||||||
| Sprint: | AM Sustaining Sprint 13, AM Sustaining Sprint 14, AM Sustaining Sprint 15, AM Sustaining Sprint 16 | ||||||||||||||||||||||||||||||||||||
| Epic Link: | Password Policy Rationalization | ||||||||||||||||||||||||||||||||||||
| Support Ticket IDs: | |||||||||||||||||||||||||||||||||||||
| Verified Version/s: | |||||||||||||||||||||||||||||||||||||
| Description |
|
Using the changePassword REST endpoint, via the XUI or the REST service directly, can throw an Internal Server Error: The entry uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org cannot be modified due to insufficient access rights However, when the error is due to a user mistake, we still have an internal server error. In this case, it will be relevant to return the LDAP error to the user.
You can use this curl command: curl \ --request POST \ --header "iPlanetDirectoryPro: AQIC5wM2LY4SfczOHXUv8Vw4ltNyM86ikW2ipB9RZEA8CRs.*AAJTSQACMDEAAlNLABQtNzMzMDMxMDQ2MDQxNjQ4NzU1NQ..*" \ --header "Content-Type: application/json" \ --data '{ "currentpassword":"wrongpassword", "userpassword":"changeit" }' \ http://openam.example.com:18080/openam/json/users/demo?_action=changePassword Instead of throwing an internal exception: org.forgerock.openam.core.rest.IdentityRestUtils.java public static void changePassword(Context serverContext, String realm, String username, String oldPassword, String newPassword) throws ResourceException { try { SSOToken token = serverContext.asContext(SSOTokenContext.class).getCallerSSOToken(); AMIdentity userIdentity = new AMIdentity(token, username, IdType.USER, realm, null); userIdentity.changePassword(oldPassword, newPassword); } catch (SSOException ssoe) { debug.warning("IdentityRestUtils.changePassword() :: SSOException occurred while changing " + "the password for user: " + username, ssoe); throw new PermanentException(401, "An error occurred while trying to change the password", ssoe); } catch (IdRepoException ire) { if (IdRepoBundle.ACCESS_DENIED.equals(ire.getErrorCode())) { throw new ForbiddenException("The user is not authorized to change the password"); } else { debug.warning("IdentityRestUtils.changePassword() :: IdRepoException occurred while " + "changing the password for user: " + username, ire); throw new InternalServerErrorException("An error occurred while trying to change the password", ire); } } } we should throw a new type of exception that filter the LDAP exception that could be display to the user. |
| Comments |
| Comment by Tim Nicholls [X] (Inactive) [ 23/Sep/15 ] |
|
Not much activity on this ticket. A little help here would be nice... |
| Comment by Jake Feasel [ 25/Sep/15 ] |
|
It is worth checking to see if we can get this endpoint working with the amadmin account, too. |
| Comment by Quentin CASTEL [X] (Inactive) [ 25/Sep/15 ] |
|
Jake Feasel: Can you describe a little bit more your expectation with this endpoint? Admin users are usually interested in resetting passwords (changing password will always require the old password). Maybe |
| Comment by Jake Feasel [ 25/Sep/15 ] |
|
I am mainly trying to find out how amadmin changes/resets/updates (whatever you prefer to call it) their own password via rest. |
| Comment by Scott Heger [ 01/Oct/15 ] |
|
I have a customer who is running into this issue as well. In their case they have a password policy in OpenDJ (their Data Store) that enforces a password history. If an authenticated user attempts to change their password to something in their history it fails and send back the following response:
{"code":500,"reason":"Internal Server Error","message":"An error occurred while trying to change the password"}
This is all done over REST and therefore the REST client where the password change was initiated from doesn't have enough information to tell the user why the password change failed. A more specific message here would be desired. Is there any traction on this issue? |
| Comment by Quentin CASTEL [X] (Inactive) [ 07/Jan/16 ] |
|
OpenAM policy: curl \ --request POST \ --header "iPlanetDirectoryPro: AQIC5wM2LY4Sfcx5UEY100E_Y0sDRVhVcO5-1jfgxpHuFZI.*AAJTSQACMDEAAlNLABM1NDI0NTMxNTIyNzI3MjA0NjYx*" \ --header "Content-Type: application/json" \ --data '{ "currentpassword":"changeit", "userpassword":"chang" }' \ http://openam.example.com:28080/openam/json/users/demo?_action=changePassword
{"code":400,"reason":"Bad Request","message":"Minimum password length is 8."}
I set a DJ min password length to 12. curl \ --request POST \ --header "iPlanetDirectoryPro: AQIC5wM2LY4Sfcx5UEY100E_Y0sDRVhVcO5-1jfgxpHuFZI.*AAJTSQACMDEAAlNLABM1NDI0NTMxNTIyNzI3MjA0NjYx*" \ --header "Content-Type: application/json" \ --data '{ "currentpassword":"changeit", "userpassword":"changit22" }' \ http://openam.example.com:28080/openam/json/users/user.10?_action=changePassword
{"code":400,"reason":"Bad Request","message":"Old password is incorrect."}
curl \ --request POST \ --header "iPlanetDirectoryPro: AQIC5wM2LY4Sfcx5UEY100E_Y0sDRVhVcO5-1jfgxpHuFZI.*AAJTSQACMDEAAlNLABM1NDI0NTMxNTIyNzI3MjA0NjYx*" \ --header "Content-Type: application/json" \ --data '{ "currentpassword":"password", "userpassword":"changit22" }' \ http://openam.example.com:28080/openam/json/users/user.10?_action=changePassword
{"code":400,"reason":"Bad Request","message":"The provided password value was rejected by a password validator: The provided password is shorter than the minimum required length of 12 characters"}
|
| Comment by Richard Hruza [ 11/Jan/16 ] |
|
Was changed behavior for changing password request: curl -X POST -H "iPlanetDirectoryPro: <USER TOKEN>" \ -H "Content-Type: application/json" \ -H "Cache-Control: no-cache" \ -d '{ "currentpassword": "incorrectPassword", "userpassword": "newpassword" }' 'http://riso-centos7.test.forgerock.com:8080/openam/json/users/bjensen?_action=changePassword' Old behavior returns: "code": 401, "reason": "Unauthorized", "message": "Invalid user credentials." New Behavior: "code": 400, "reason": "Bad Request", "message": "Old password is incorrect." This case should be mentioned into release notes. |
| Comment by Quentin CASTEL [X] (Inactive) [ 27/Jan/16 ] |
|
8074 is a use-case not handle by this fix. There is a good chance you are also interested by this one as well. |
| Comment by Richard Hruza [ 02/May/16 ] |
|
Verified with: OpenAM 12.0.3-RC2 Build 4dbe218a05 (2016-April-25 17:57) Results:Old Behavior "code": 500, "reason": "Internal Server Error", "message": "An error occurred while trying to change the password" Short Password "code": 400, "reason": "Bad Request", "message": "Minimum password length is 8." Inccoret old password "code": 400, "reason": "Bad Request", "message": "Old password is incorrect." |