[midPoint] Trouble with Password Mail Reset

Brad Firestone bhotrock at gmail.com
Sat Jun 1 05:09:11 CEST 2019


Thank you, Pavol!

It looks like these changes in the 3.9 support branch have probably 
resolved the issue.  This is my first time trying to build from source 
and I couldn't figure out how to apply the new WAR files into my current 
3.9 install.  So I just dropped the WAR file into a different Tomcat 
server.  Loaded my config files into the new install and the password 
reset via email worked correctly.

Is there any way to just take the changed files that you referenced in 
your commit and add them/edit them in my current 3.9 standalone 
installation?  That would save having to re-import thousands of Users. 
If not, I'll just need to learn more about building from source.  :-)

Thank you for fixing this issue and pointing me in the right direction!!
Brad

Pavol Mederly wrote on 5/25/19 4:25 AM:
>
> Hello Brad,
>
> last year I had to fix a (maybe) related issue in password security 
> questions reset mechanism: 
> https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9. 
> Maybe you could try to download and use the current code in 
> support-3.9 branch; there's a slight chance the fix will help also in 
> your case.
>
> Best regards,
>
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 24.05.2019 21:29, Brad Firestone wrote:
>> Hi All,
>>
>> I'm trying to set up password reset using email on a new system 
>> (3.9).  I've copied files from a working system (3.8), and also 
>> compared them with the samples.  I will include my configs below.
>>
>> Clicking "Forgot Password" displays the correct form to enter the 
>> email address.  Submitting shows success and I receive the email with 
>> a link.  Clicking the link opens a browser window that displays the 
>> regular login screen, not the password page as would be expected.
>>
>> The link looks like this (email address changed):
>> https://id.example.com/confirm/reset?user=test@example.com&token=7135096842
>>
>> The log shows:
>> DEBUG (com.evolveum.midpoint.security.api.SecurityUtil): Denied 
>> access to FilterInvocation: URL: /self/dashboard by anonymousUser : 
>> Not logged in
>>
>> I don't have any idea why the nonce token isn't authenticating 
>> correctly.  If anyone has any ideas, I'd appreciate it.
>> Thanks!
>> Brad
>>
>> Global Security Policy:
>> <securityPolicy oid="ae102ac0-735c-11e9-b544-871134a1b753"
>>     xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'>
>>     <name>Our Global Security Policy</name>
>>     <authentication>
>>         <mailAuthentication>
>>             <name>confirmationLink</name>
>>             <displayName>Additional mail authentication</displayName>
>>             <mailNonce>mailNonce</mailNonce>
>>         </mailAuthentication>
>>     </authentication>
>>     <credentials>
>>         <password>
>>             <maxAge>P1000D</maxAge>
>>             <lockoutMaxFailedAttempts>5</lockoutMaxFailedAttempts>
>>             <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
>>             <lockoutDuration>PT15M</lockoutDuration>
>>             <historyLength>1</historyLength>
>>             <valuePolicyRef oid="af1ad05a-735c-11e9-a5f1-8b992d7b3048" type="ValuePolicyType"/>
>>             <propagationUserControl>mapping</propagationUserControl>
>>         </password>
>>         <nonce>
>>             <maxAge>PT2H</maxAge>
>>             <name>mailNonce</name>
>>             <valuePolicyRef oid="b67275c4-735c-11e9-aa36-335e84f81ac6" type="ValuePolicyType"/>
>>         </nonce>
>>     </credentials>
>>     <credentialsReset>
>>         <mailReset>
>>             <name>Reset password using mail</name>
>>             <additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
>>         </mailReset>
>>     </credentialsReset>
>> </securityPolicy>
>>
>> Nonce Value Policy:
>> <valuePolicy oid="b67275c4-735c-11e9-aa36-335e84f81ac6"
>>              xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>>     <name>Nonce Value Policy</name>
>>     <description>Value policy for mail-based password reset nonce</description>
>>     <stringPolicy>
>>         <limitations>
>>             <minLength>10</minLength>
>>             <limit>
>>                 <description>Numbers</description>
>>                 <minOccurs>10</minOccurs>
>>                 <maxOccurs>10</maxOccurs>
>>                 <mustBeFirst>false</mustBeFirst>
>>                 <characterClass>
>>                     <value>1234567890</value>
>>                 </characterClass>
>>             </limit>
>>         </limitations>
>>     </stringPolicy>
>> </valuePolicy>
>>
>> System Config - Password notifier:
>> <passwordResetNotifier>
>>     <recipientExpression>
>>         <script>
>>             <code>return requestee.getEmailAddress()</code>
>>         </script>
>>     </recipientExpression>
>>     <bodyExpression>
>>         <script>
>>             <code>
>>                 import com.evolveum.midpoint.notifications.api.events.ModelEvent
>>
>>                 // the focus (user) as it looks after the reset request was processed
>>                 modelEvent = (ModelEvent) event
>>                 newUser = modelEvent.getFocusContext().getObjectNew()
>>                 userType = newUser.asObjectable()
>>
>>                 link = midpoint.createPasswordResetLink(userType)
>>                 bodyMessage = "A password reset has been requested for your Account. " +
>>                     "Please click on the link below to complete the password reset. " +
>>                     "The link will be valid for 2 hours. " +
>>                     "Here is your password reset link:\n" + link
>>
>>                 return bodyMessage
>>             </code>
>>         </script>
>>     </bodyExpression>
>>     <transport>mail</transport>
>> </passwordResetNotifier>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
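Added example, not code from the thread or from midPoint: the Python below reads the nonce maxAge and the nonce value policy quoted in Brad's post (both constructed inline, trimmed to the elements used) and checks the token carried by the reset link against them, which is the same pair of constraints the server applies before it will accept the link. The limit counting is a simplified reading of the policy's own limits, not midPoint's validator; `check_reset_link`, `age_seconds` and `RESET_LINK` are names chosen here.

```python
import re
import xml.etree.ElementTree as ET
from datetime import timedelta
from urllib.parse import parse_qs, urlsplit

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed fragments of the two policies quoted in the thread (only the parts read here).
SECURITY_POLICY = """<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <credentials><nonce><maxAge>PT2H</maxAge><name>mailNonce</name></nonce></credentials>
</securityPolicy>"""
NONCE_VALUE_POLICY = """<valuePolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <stringPolicy><limitations><minLength>10</minLength>
    <limit><minOccurs>10</minOccurs><maxOccurs>10</maxOccurs>
      <characterClass><value>1234567890</value></characterClass></limit>
  </limitations></stringPolicy></valuePolicy>"""
RESET_LINK = "https://id.example.com/confirm/reset?user=test@example.com&token=7135096842"

_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    """Parse the XSD-duration subset the policies use (P1000D, PT2H, PT3M, PT15M) into a timedelta."""
    m = _DUR.match(text)
    if not m:
        raise ValueError("unsupported duration: " + text)
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def nonce_matches_policy(token, value_policy_xml):
    """True if token meets minLength and every <limit>'s min/maxOccurs for its characterClass."""
    lim = ET.fromstring(value_policy_xml).find("c:stringPolicy/c:limitations", NS)
    if len(token) < int(lim.findtext("c:minLength", "0", NS)):
        return False
    for limit in lim.findall("c:limit", NS):
        allowed = set(limit.findtext("c:characterClass/c:value", "", NS))
        count = sum(ch in allowed for ch in token)
        hi = limit.findtext("c:maxOccurs", None, NS)
        if count < int(limit.findtext("c:minOccurs", "0", NS)) or (hi and count > int(hi)):
            return False
    return True

def check_reset_link(url, age_seconds, security_policy_xml=SECURITY_POLICY, value_policy_xml=NONCE_VALUE_POLICY):
    """Split the reset link; report token format vs. value policy and age vs. nonce maxAge."""
    q = parse_qs(urlsplit(url).query)
    token = q.get("token", [""])[0]
    max_age = parse_duration(ET.fromstring(security_policy_xml)
                             .findtext("c:credentials/c:nonce/c:maxAge", "PT0S", NS))
    return {"user": q.get("user", [""])[0],
            "format_ok": nonce_matches_policy(token, value_policy_xml),
            "expired": age_seconds > max_age.total_seconds()}
```

A link that passes both checks yet still lands on the login page, as in the post, points at the authentication wiring (mailAuthentication/mailReset) rather than at the nonce value or its age.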
