[midPoint] BadCredentials for reset password link

Oleksandr Nekriach o.nekriach at dynatech.lv
Wed Feb 21 12:39:24 CET 2018


Hi,
Yes, it is a bug. The new 3.7 version also contains this bug. The bug
affects the Forgot password procedure in the Mozilla Firefox and Safari
browsers.
To reproduce the bug, do the following:
1. Import the form for Password reset (attached)
2. Set up the Reset password functionality (see below)
3. Navigate to the Forgot password page
https://idm.example.com/midpoint/forgotpassword
4. Fill the username
5. You must press the Enter button on the keyboard (you will see some page jitter)
6. Click on the Reset password button (if you hit Enter more than one time
you will see
500 Internal Server Error

Unexpected error occurred, if necessary please contact system administrator.
2/21/18 1:24 PM org.apache.wicket.WicketRuntimeException: Method
onRequest of interface org.apache.wicket.behavior.IBehaviorListener
targeted at org.apache.wicket.ajax.markup.html.form.AjaxSubmitLink$1 at 1ade420b
on component [AjaxSubmitButton [Component id = submitButton]] threw an
exception
)
7. Receive the password reset link in your email box.
8. Follow the link and ensure that idm generated a broken token for the
password reset link. You will see

      <nonce>
         <maxAge>PT10M</maxAge>
         <lockoutMaxFailedAttempts>15</lockoutMaxFailedAttempts>
         <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
         <lockoutDuration>PT15M</lockoutDuration>
         <valuePolicyRef oid="00000004-0000-0000-0000-000000000001"
                         relation="org:default"
                         type="c:ValuePolicyType"><!-- Password Policy for password reset --></valuePolicyRef>
         <name>mailNonce</name>
      </nonce>
   </credentials>
   <credentialsReset>
      <mailReset>
         <name>Reset password using mail</name>
         <additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
         <formRef oid="bb42fa87-b066-48a0-a444-c77fc8b53444"
                  relation="org:default"
                  type="c:FormType"><!-- Reset password form by Username --></formRef>
      </mailReset>
   </credentialsReset>




On 13 February 2018 at 17:15, Oleksandr Nekriach <o.nekriach at dynatech.lv> wrote:
> Hi guys,
> I have encountered abnormal behaviour of midPoint during the password reset
> procedure. From time to time, reset password links that are sent to users
> during the "Forgot password" procedure are invalid. I see this error in
> the logs:
>
> 2018-02-13 09:45:12,115 [] [http-nio-127.0.0.1-8080-exec-1] ERROR
> (com.evolveum.midpoint.web.page.login.PageRegistrationConfirmation):
> web.security.provider.invalid, reason: web.security.provider.invalid
> (class org.springframework.security.authentication.BadCredentialsException)
>
> If I repeat the "Forgot password" procedure, the next reset password
> link will be valid and I will be able to set a new password.
>
> If anyone has faced such a problem, please tell me how to solve it.
>
> I have a cluster installation of midPoint version 3.6.1
>
>
> --
> Best regards,
>
> Oleksandr Nekriach | Identity and access management engineer
>
> Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia
>
> +37125314685, o.nekriach at dynatech.lv | www.dynatech.lv
>
> Confidentiality Notice: This message contains confidential information
> and is intended only for the named recipient(s). If you are not the
> addressee you may not copy, distribute or perform any other activities
> with this information. If you have received this transmission in
> error, please notify us by e-mail immediately. E-mail transmission
> cannot be guaranteed to be secure or error-free as information could
> be intercepted, corrupted, lost, destroyed, arrive late or incomplete,
> or contain viruses.



-- 
Best regards,

Oleksandr Nekriach | Identity and access management engineer

Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia

+37125314685, o.nekriach at dynatech.lv | www.dynatech.lv




-------------- next part --------------
2018-02-21 12:59:48,356 [] [http-nio-127.0.0.1-8080-exec-4] WARN (com.evolveum.midpoint.web.page.error.PageError): Creating error page for code org.apache.wicket.WicketRuntimeException, exception Method onRequest of interface org.apache.wicket.behavior.IBehaviorListener targeted at org.apache.wicket.ajax.markup.html.form.AjaxSubmitLink$1 at 4401533f on component [AjaxSubmitButton [Component id = submitButton]] threw an exception: {}
org.apache.wicket.WicketRuntimeException: Method onRequest of interface org.apache.wicket.behavior.IBehaviorListener targeted at org.apache.wicket.ajax.markup.html.form.AjaxSubmitLink$1 at 4401533f on component [AjaxSubmitButton [Component id = submitButton]] threw an exception
	at org.apache.wicket.RequestListenerInterface.internalInvoke(RequestListenerInterface.java:268) ~[wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.RequestListenerInterface.invoke(RequestListenerInterface.java:241) ~[wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler.invokeListener(ListenerInterfaceRequestHandler.java:248) ~[wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler.respond(ListenerInterfaceRequestHandler.java:234) ~[wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:895) ~[wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64) ~[wicket-request-7.6.0.jar:7.6.0]
	at org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:265) [wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:222) [wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:293) [wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:261) [wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203) [wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284) [wicket-core-7.6.0.jar:7.6.0]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.23]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.23]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:115) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:112) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.5.RELEASE.jar:4.2.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:206) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.5.RELEASE.jar:4.2.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:134) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:106) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-4.2.5.RELEASE.jar:4.2.5.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) [spring-web-4.2.5.RELEASE.jar:4.2.5.RELEASE]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.23]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.23]
	at com.evolveum.midpoint.web.util.MidPointProfilingServletFilter.doFilter(MidPointProfilingServletFilter.java:86) [classes/:na]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.23]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.23]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [catalina.jar:8.5.23]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:8.5.23]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [catalina.jar:8.5.23]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [catalina.jar:8.5.23]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.23]
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) [catalina.jar:8.5.23]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.23]
	at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:193) [catalina-ha.jar:8.5.23]
	at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:322) [catalina-ha.jar:8.5.23]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [catalina.jar:8.5.23]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803) [tomcat-coyote.jar:8.5.23]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote.jar:8.5.23]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [tomcat-coyote.jar:8.5.23]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459) [tomcat-coyote.jar:8.5.23]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.23]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_151]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_151]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.23]
	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151]
Caused by: java.lang.reflect.InvocationTargetException: null
	at sun.reflect.GeneratedMethodAccessor637.invoke(Unknown Source) ~[na:na]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_151]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_151]
	at org.apache.wicket.RequestListenerInterface.internalInvoke(RequestListenerInterface.java:258) ~[wicket-core-7.6.0.jar:7.6.0]
	... 69 common frames omitted
Caused by: java.lang.IllegalStateException: No prism context in ObjectDelta(UserType:null,ADD: user:null(v.dobroskokins))
	at com.evolveum.midpoint.prism.delta.ObjectDelta.checkConsistence(ObjectDelta.java:1337) ~[prism-3.6.1.jar:na]
	at com.evolveum.midpoint.web.component.prism.ObjectWrapper.createAddingObjectDelta(ObjectWrapper.java:479) ~[classes/:na]
	at com.evolveum.midpoint.web.component.prism.ObjectWrapper.getObjectDelta(ObjectWrapper.java:338) ~[classes/:na]
	at com.evolveum.midpoint.web.component.prism.DynamicFormPanel.getObject(DynamicFormPanel.java:157) ~[classes/:na]
	at com.evolveum.midpoint.web.page.forgetpassword.PageForgotPassword.createDynamicFormQuery(PageForgotPassword.java:335) ~[classes/:na]
	at com.evolveum.midpoint.web.page.forgetpassword.PageForgotPassword.searchUser(PageForgotPassword.java:316) ~[classes/:na]
	at com.evolveum.midpoint.web.page.forgetpassword.PageForgotPassword.processResetPassword(PageForgotPassword.java:271) ~[classes/:na]
	at com.evolveum.midpoint.web.page.forgetpassword.PageForgotPassword.access$200(PageForgotPassword.java:72) ~[classes/:na]
	at com.evolveum.midpoint.web.page.forgetpassword.PageForgotPassword$6.onSubmit(PageForgotPassword.java:223) ~[classes/:na]
	at org.apache.wicket.ajax.markup.html.form.AjaxSubmitLink$1.onSubmit(AjaxSubmitLink.java:111) ~[wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.ajax.form.AjaxFormSubmitBehavior$AjaxFormSubmitter.onSubmit(AjaxFormSubmitBehavior.java:215) ~[wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.markup.html.form.Form.delegateSubmit(Form.java:1309) ~[wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.markup.html.form.Form.process(Form.java:976) ~[wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.markup.html.form.Form.onFormSubmitted(Form.java:797) ~[wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.ajax.form.AjaxFormSubmitBehavior.onEvent(AjaxFormSubmitBehavior.java:171) ~[wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.ajax.AjaxEventBehavior.respond(AjaxEventBehavior.java:155) ~[wicket-core-7.6.0.jar:7.6.0]
	at org.apache.wicket.ajax.AbstractDefaultAjaxBehavior.onRequest(AbstractDefaultAjaxBehavior.java:601) ~[wicket-core-7.6.0.jar:7.6.0]
	... 73 common frames omitted
2018-02-21 13:00:07,275 [] [http-nio-127.0.0.1-8080-exec-3] INFO (com.evolveum.midpoint.notifications.impl.api.transports.MailTransport): Message sent successfully to [v.dobroskokins at dyninno.com] via server smtp.dyninno.com.
2018-02-21 13:00:20,126 [] [http-nio-127.0.0.1-8080-exec-8] ERROR (com.evolveum.midpoint.web.page.login.PageRegistrationConfirmation): web.security.provider.invalid, reason: web.security.provider.invalid (class org.springframework.security.authentication.BadCredentialsException)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ExportedData_FormType_1519212927829.xml
Type: text/xml
Size: 1830 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20180221/1d702e09/attachment.xml>
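
A log-triage sketch for the sequence reported above, as an added example that is not part of the original post or of midPoint: it lists each rejected confirmation link and notes whether a Forgot password submit error preceded it within the nonce `maxAge` (PT10M in the configuration shown). The function names, verdict labels and sample log are constructed for illustration; the logger names and line format follow the attached log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the log format shown in this post (messages shortened,
# addresses replaced with example.com placeholders).
SAMPLE_LOG = """\
2018-02-21 12:59:48,356 [] [http-nio-127.0.0.1-8080-exec-4] WARN (com.evolveum.midpoint.web.page.error.PageError): Creating error page for code org.apache.wicket.WicketRuntimeException
\tat com.evolveum.midpoint.web.page.forgetpassword.PageForgotPassword.processResetPassword(PageForgotPassword.java:271) ~[classes/:na]
2018-02-21 13:00:07,275 [] [http-nio-127.0.0.1-8080-exec-3] INFO (com.evolveum.midpoint.notifications.impl.api.transports.MailTransport): Message sent successfully to [user@example.com] via server smtp.example.com.
2018-02-21 13:00:20,126 [] [http-nio-127.0.0.1-8080-exec-8] ERROR (com.evolveum.midpoint.web.page.login.PageRegistrationConfirmation): web.security.provider.invalid (class org.springframework.security.authentication.BadCredentialsException)
2018-02-21 15:30:02,001 [] [http-nio-127.0.0.1-8080-exec-2] ERROR (com.evolveum.midpoint.web.page.login.PageRegistrationConfirmation): web.security.provider.invalid (class org.springframework.security.authentication.BadCredentialsException)
"""

HEAD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} \[[^\]]*\] \[[^\]]*\] "
                  r"(\w+) \(([\w.$]+)\): (.*)$")

def parse_events(text):
    """Group each timestamped line with its stack-trace continuation lines."""
    events = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append({"ts": ts, "level": m.group(2),
                           "logger": m.group(3).rsplit(".", 1)[-1],
                           "text": m.group(4)})
        elif events:
            events[-1]["text"] += "\n" + line  # stack frame or "Caused by:" line
    return events

def classify(ev):
    # PageError is generic, so require a PageForgotPassword frame in the trace.
    if ev["logger"] == "PageError" and "PageForgotPassword" in ev["text"]:
        return "submit_error"
    if (ev["logger"] == "PageRegistrationConfirmation"
            and "BadCredentialsException" in ev["text"]):
        return "bad_link"
    return None

def triage(text, window=timedelta(minutes=10)):
    """Return (timestamp, verdict) for every rejected confirmation link.

    window defaults to the nonce maxAge from the post (PT10M): a link opened
    later than that is rejected regardless of any earlier submit error.
    """
    last_error, verdicts = None, []
    for ev in parse_events(text):
        kind = classify(ev)
        if kind == "submit_error":
            last_error = ev["ts"]
        elif kind == "bad_link":
            related = last_error is not None and ev["ts"] - last_error <= window
            verdicts.append((ev["ts"].strftime("%Y-%m-%d %H:%M:%S"),
                             "follows_submit_error" if related else "unexplained"))
    return verdicts

if __name__ == "__main__":
    for ts, verdict in triage(SAMPLE_LOG):
        print(ts, verdict)
```

Rejections labelled `unexplained` have no preceding submit error in the window and need a separate look (expired link, altered token, or another node's log in a clustered installation).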

