[OPENAM-9009] When using REST endpoint "json/users/?_action=create" with password policy violation, AM returns HTTP 400 "bad request", reason "Bad Request", Message "Bad Request" rather than a more meaningful error message Created: 02/Jun/16  Updated: 02/Jul/20  Resolved: 09/Apr/17

Status: Resolved
Project: OpenAM
Component/s: rest
Affects Version/s: 13.0.0
Fix Version/s: 13.5.1, 14.5.0, 14.1.2

Type: New Feature Priority: Major
Reporter: David Bate Assignee: Kamal Sivanandam
Resolution: Fixed Votes: 1
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by OPENAM-9860 Creating a user via json/users that d... Resolved
is duplicated by OPENAM-11922 Error code(500) is returning when upd... Closed
Relates
relates to OPENAM-9459 500 Internal Server Error from change... Resolved
relates to OPENAM-16402 The passwordpolicy.allowDiagnosticMes... Closed
relates to OPENAM-12050 Password error message not specific Resolved
is related to OPENAM-11428 When using REST endpoint "json/users/... Resolved
Target Version/s:
Sprint: AM Sustaining Sprint 31, AM Sustaining Sprint 32, AM Sustaining Sprint 33, AM Sustaining Sprint 34, AM Sustaining Sprint 35, AM Sustaining Sprint 36, AM Sustaining Sprint 37
Story Points: 5
Support Ticket IDs:
Verified Version/s:

 Description   

When setting password constraints on OpenDJ, I set passwords to be validated against a dictionary.

In AM 11, the REST API would report back an "ldap exception 19"; in AM 13 it now reports back 400/bad request.

This is what OpenAM 13 shows from the client:

curl --request POST --header "am13iPlanetDirectoryPro: AQIC5wM2LY4SfcxLhGRcgPzBxCP8Go1Cqa5lQz8WI7QDy9s.*AAJTSQACMDEAAlNLABQtMjg1Mjc4ODY1NDUxNzc2NDE1MgACUzEAAA..*" --header "Content-Type: application/json" --data '{ "username": "bjensen", "userpassword": "secret12", "mail": "bjensen@example.com"}' http://openam.example.com:1300/openam/json/dj/users/?_action=create
{"code":400,"reason":"Bad Request","message":"Bad Request"}

IdRepo logs show the true meaning behind the error: "The password value for attribute userPassword was found to be unacceptable: The provided password contained a word from the server's dictionary"


DJLDAPv3Repo:05/27/2016 05:55:52:032 PM PDT: Thread[http-bio-1300-exec-6,5,main]: TransactionId[81d59535-2fc0-4dc0-8a19-3b4fe2d6e9fe-1013]
ERROR: Unable to add a new entry: bjensen attrMap: {uid=[bjensen], sn=[bjensen], mail=[bjensen@example.com], cn=[bjensen], inetuserstatus=[Active], userpassword=xxx..., objectclass=[devicePrintProfilesContainer, person, sunIdentityServerLibertyPPService, inetorgperson, sunFederationManagerDataStore, oathDeviceProfilesContainer, iPlanetPreferences, iplanet-am-auth-configuration-service, sunFMSAML2NameIdentifier, organizationalperson, inetuser, kbaInfoContainer, forgerock-am-dashboard-service, iplanet-am-managed-person, iplanet-am-user-service, sunAMAuthAccountLockout, top]}
org.forgerock.opendj.ldap.ConstraintViolationException: Constraint Violation: The password value for attribute userPassword was found to be unacceptable: The provided password contained a word from the server's dictionary
	at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:176)
	at org.forgerock.opendj.ldap.spi.ResultLdapPromiseImpl.setResultOrError(ResultLdapPromiseImpl.java:142)
	at org.forgerock.opendj.grizzly.LDAPClientFilter$ClientResponseHandler.addResult(LDAPClientFilter.java:126)
	at org.forgerock.opendj.io.LDAPReader.readAddResult(LDAPReader.java:173)
	at org.forgerock.opendj.io.LDAPReader.readProtocolOp(LDAPReader.java:571)
	at org.forgerock.opendj.io.LDAPReader.readMessage(LDAPReader.java:132)
	at org.forgerock.opendj.grizzly.LDAPBaseFilter.handleRead(LDAPBaseFilter.java:82)
	at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:283)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:200)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:132)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:111)
	at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
	at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:536)
	at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:591)
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:571)
	at java.lang.Thread.run(Thread.java:745)

amIdm:05/27/2016 05:55:52:033 PM PDT: Thread[http-bio-1300-exec-6,5,main]: TransactionId[81d59535-2fc0-4dc0-8a19-3b4fe2d6e9fe-1013]
ERROR: IdServicesImpl.create: Create: Fatal Exception
Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered an ldap exception 19: The password value for attribute userPassword was found to be unacceptable: The provided password contained a word from the server's dictionary

	at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.handleErrorResult(DJLDAPv3Repo.java:2480)
	at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.create(DJLDAPv3Repo.java:682)
	at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:450)
	at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:462)
	at com.sun.identity.idsvcs.opensso.IdentityServicesImpl.create(IdentityServicesImpl.java:158)
	at org.forgerock.openam.core.rest.IdentityResourceV2.attemptResourceCreation(IdentityResourceV2.java:1192)
	at org.forgerock.openam.core.rest.IdentityResourceV2.createInstance(IdentityResourceV2.java:1159)
	at org.forgerock.openam.core.rest.IdentityResourceV3.createInstance(IdentityResourceV3.java:161)
	at org.forgerock.json.resource.InterfaceCollectionHandler.handleCreate(InterfaceCollectionHandler.java:40)
	at org.forgerock.json.resource.Router.handleCreate(Router.java:255)
	at org.forgerock.json.resource.Router.handleCreate(Router.java:255)
	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:69)
	at org.forgerock.openam.rest.fluent.AuditFilter.filterCreate(AuditFilter.java:110)
	at org.forgerock.openam.rest.fluent.AuditFilterWrapper.filterCreate(AuditFilterWrapper.java:66)
	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:67)
	at org.forgerock.openam.rest.fluent.CrestLoggingFilter.filterCreate(CrestLoggingFilter.java:92)
	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:67)
	at org.forgerock.openam.rest.ContextFilter.filterCreate(ContextFilter.java:63)
	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:67)
	at org.forgerock.openam.rest.AuthenticationEnforcer.filterCreate(AuthenticationEnforcer.java:146)
	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:67)
	at org.forgerock.json.resource.FilterChain.handleCreate(FilterChain.java:213)
	at org.forgerock.json.resource.Router.handleCreate(Router.java:255)
	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:69)
	at org.forgerock.openam.rest.ContextFilter.filterCreate(ContextFilter.java:63)
	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:67)
	at org.forgerock.json.resource.FilterChain.handleCreate(FilterChain.java:213)
	at org.forgerock.json.resource.InternalConnection.createAsync(InternalConnection.java:44)
	at org.forgerock.json.resource.http.RequestRunner.visitCreateRequest(RequestRunner.java:160)
	at org.forgerock.json.resource.http.RequestRunner.visitCreateRequest(RequestRunner.java:73)
	at org.forgerock.json.resource.Requests$CreateRequestImpl.accept(Requests.java:258)
	at org.forgerock.json.resource.http.RequestRunner.handleResult(RequestRunner.java:119)
	at org.forgerock.json.resource.http.HttpAdapter$2.apply(HttpAdapter.java:566)
	at org.forgerock.json.resource.http.HttpAdapter$2.apply(HttpAdapter.java:563)
	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:221)
	at org.forgerock.json.resource.http.HttpAdapter.doRequest(HttpAdapter.java:562)
	at org.forgerock.json.resource.http.HttpAdapter.doCreate(HttpAdapter.java:432)
	at org.forgerock.json.resource.http.HttpAdapter.handle(HttpAdapter.java:161)
	at org.forgerock.http.handler.Chain.handle(Chain.java:57)
	at org.forgerock.http.filter.OptionsFilter.filter(OptionsFilter.java:77)
	at org.forgerock.http.handler.Chain.handle(Chain.java:55)
	at org.forgerock.http.handler.Chain.handle(Chain.java:57)
	at org.forgerock.openam.rest.CrestProtocolEnforcementFilter.filter(CrestProtocolEnforcementFilter.java:61)
	at org.forgerock.http.handler.Chain.handle(Chain.java:55)
	at org.forgerock.http.routing.Router.handle(Router.java:92)
	at org.forgerock.http.handler.Chain.handle(Chain.java:57)
	at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:84)
	at org.forgerock.http.handler.Chain.handle(Chain.java:55)
	at org.forgerock.http.routing.Router.handle(Router.java:92)
	at org.forgerock.http.handler.Chain.handle(Chain.java:57)
	at org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:64)
	at org.forgerock.http.handler.Chain.handle(Chain.java:55)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:220)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$400(AuthenticationFramework.java:65)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:212)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:205)
	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:221)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework.validateRequest(AuthenticationFramework.java:168)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$100(AuthenticationFramework.java:65)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:155)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:152)
	at org.forgerock.util.promise.PromiseImpl$7.handleStateChange(PromiseImpl.java:445)
	at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:521)
	at org.forgerock.util.promise.PromiseImpl.addOrFireListener(PromiseImpl.java:509)
	at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:438)
	at org.forgerock.caf.authentication.framework.AuthenticationFramework.processMessage(AuthenticationFramework.java:146)
	at org.forgerock.caf.authentication.framework.AuthenticationFilter.filter(AuthenticationFilter.java:96)
	at org.forgerock.http.handler.Chain.handle(Chain.java:55)
	at org.forgerock.openam.http.HandlerProvider.handle(HandlerProvider.java:50)
	at org.forgerock.openam.http.HttpRoute$3.handle(HttpRoute.java:142)
	at org.forgerock.http.routing.Router.handle(Router.java:92)
	at org.forgerock.http.handler.Chain.handle(Chain.java:57)
	at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:60)
	at org.forgerock.http.handler.Chain.handle(Chain.java:55)
	at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:222)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:106)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)

DJ access logs show:
[27/May/2016:17:55:51 -0700] ADD REQ conn=1 op=217 msgID=218 dn="uid=bjensen,ou=people,dc=example,dc=com"
[27/May/2016:17:55:51 -0700] ADD RES conn=1 op=217 msgID=218 result=19 message="The password value for attribute userPassword was found to be unacceptable: The provided password contained a word from the server's dictionary" etime=1
[27/May/2016:17:55:53 -0700] SEARCH REQ conn=2 op=212 msgID=213 base="" scope=base filter="(objectClass=*)" attrs="1.1"
[27/May/2016:17:55:53 -0700] SEARCH RES conn=2 op=212 msgID=213 result=0 nentries=1 etime=0


 Comments   
Comment by Philip Anderson [ 25/May/17 ]

verified on 13.5.1-RC3 

Output of test running first against 13.5.0 and then 13.5.1:

philipanderson@Sysadmins-MacBook-Pro-2 ~/Scripts$ ./verifiedBugs/OPENAM-9009.sh
send invalid password request (too short)
{"code":404,"reason":"Not Found","message":"Minimum password length is 8."}
send invalid password request (dictonary word)
{"code":400,"reason":"Bad Request","message":"Bad Request"}

# Changed config to point at 13.5.1

philipanderson@Sysadmins-MacBook-Pro-2 ~/Scripts$ ./verifiedBugs/OPENAM-9009.sh
send invalid password request (too short)
{"code":400,"reason":"Bad Request","message":"Minimum password length is 8."}
send invalid password request (dictonary word)
{"code":400,"reason":"Bad Request","message":"The password did not meet the password policy requirements."}
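
The following Python is an added example, not code from the issue or from OpenAM. It parses the DJ access-log lines quoted in the description, pairs each ADD request with its result, and maps the opaque {"code":400,"reason":"Bad Request","message":"Bad Request"} body back to the result-19 constraint violation recorded for the dn being created, which is where the real reason lives when AM hides it. It also checks a response body against the post-fix shape shown in the verification output above (HTTP 400 with a policy message rather than "Bad Request"). The function names are this example's own; the log sample is copied from the description and the JSON bodies from this comment; the parser assumes the access log is in the plain-text format shown above.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample input: the OpenDJ access-log lines quoted in the issue description.
DJ_ACCESS_LOG = """\
[27/May/2016:17:55:51 -0700] ADD REQ conn=1 op=217 msgID=218 dn="uid=bjensen,ou=people,dc=example,dc=com"
[27/May/2016:17:55:51 -0700] ADD RES conn=1 op=217 msgID=218 result=19 message="The password value for attribute userPassword was found to be unacceptable: The provided password contained a word from the server's dictionary" etime=1
[27/May/2016:17:55:53 -0700] SEARCH REQ conn=2 op=212 msgID=213 base="" scope=base filter="(objectClass=*)" attrs="1.1"
[27/May/2016:17:55:53 -0700] SEARCH RES conn=2 op=212 msgID=213 result=0 nentries=1 etime=0
"""

# The opaque error body AM 13 returned for the create call in the description.
OPAQUE_REST_ERROR = '{"code":400,"reason":"Bad Request","message":"Bad Request"}'

LDAP_CONSTRAINT_VIOLATION = 19  # resultCode constraintViolation (RFC 4511); "ldap exception 19" in the AM log

# "[timestamp] <OPTYPE> <REQ|RES> key=value key="quoted value" ..." (assumed DJ text access-log layout)
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<optype>[A-Z]+) (?P<kind>REQ|RES)\b(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_access_log(text: str) -> List[Dict[str, str]]:
    """Turn DJ access-log lines into dicts: ts, optype, kind, plus every key=value field."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request/response line in this format; do not guess
        rec = {"ts": m.group("ts"), "optype": m.group("optype"), "kind": m.group("kind")}
        for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
            rec[key] = quoted if quoted else bare
        records.append(rec)
    return records


def rejected_adds(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Pair ADD REQ/RES by (conn, op) and return the adds DJ refused (result != 0)."""
    pending: Dict[tuple, Dict[str, str]] = {}
    rejected: List[Dict[str, object]] = []
    for rec in records:
        if rec["optype"] != "ADD":
            continue
        key = (rec.get("conn"), rec.get("op"))
        if rec["kind"] == "REQ":
            pending[key] = rec
            continue
        req = pending.pop(key, None)
        result = int(rec.get("result", "0"))
        if result != 0:
            rejected.append({
                "ts": rec["ts"],
                "dn": req["dn"] if req else None,  # None if the REQ line was not in the sample
                "result": result,
                "message": rec.get("message", ""),
            })
    return rejected


def password_policy_detail(rejection: Dict[str, object]) -> Optional[str]:
    """Extract the policy-specific clause from a result-19 userPassword rejection, if it is one."""
    if rejection["result"] != LDAP_CONSTRAINT_VIOLATION:
        return None
    message = str(rejection["message"])
    marker = "was found to be unacceptable: "
    if "userPassword" not in message or marker not in message:
        return None
    return message.split(marker, 1)[1]


def explain_rest_error(rest_body: str, access_log: str, uid: str) -> Optional[str]:
    """Map AM's opaque 400 for a user create back to the DJ rejection for that uid."""
    err = json.loads(rest_body)
    if err.get("code") != 400:
        return None
    needle = f"uid={uid},".lower()
    for rej in rejected_adds(parse_access_log(access_log)):
        dn = rej["dn"]
        if dn and str(dn).lower().startswith(needle):
            return f"LDAP result {rej['result']}: {rej['message']}"
    return None


def is_meaningful_policy_error(rest_body: str) -> bool:
    """Post-fix shape from the verification output: HTTP 400 with a message other than 'Bad Request'."""
    err = json.loads(rest_body)
    message = str(err.get("message", "")).strip()
    return err.get("code") == 400 and message != "" and message.lower() != "bad request"


if __name__ == "__main__":
    print(explain_rest_error(OPAQUE_REST_ERROR, DJ_ACCESS_LOG, "bjensen"))
    for rej in rejected_adds(parse_access_log(DJ_ACCESS_LOG)):
        print(rej["dn"], "->", password_policy_detail(rej))
```

To use it on a real incident, replace DJ_ACCESS_LOG with the contents of the DJ access log covering the request's timestamp; the (conn, op) pairing is what ties the result code to the dn, so the uid in the REST call is enough to find the refused ADD even when the REST body says only "Bad Request". Note that the fixed AM versions still return a generic "The password did not meet the password policy requirements." to the client; the specific dictionary or length reason stays in the DJ access log and the AM IdRepo log.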

Comment by C-Weng C [ 21/Jul/17 ]

When Behera is not set, the issue is not fixed, so OPENAM-11428 is the one.

Comment by Ľubomír Mlích [ 12/Oct/17 ]

Verified in OpenAM 14.1.2-M1 Build ec49e2d3c5 (2017-October-03 13:59)
