[midPoint] Trouble with Password Mail Reset

Brad Firestone bhotrock at gmail.com
Mon Jun 3 21:53:35 CEST 2019


Well, it doesn't look like it was actually a code problem.  I was able 
to update my installation to 3.9.1-snapshot and still have the same problem:
Token link in password reset email doesn't allow a password change.  It 
just takes me to the main login page, and gives this error in the log:

[http-nio-8080-exec-4] DEBUG 
(com.evolveum.midpoint.security.api.SecurityUtil): Denied access to 
FilterInvocation: URL: /self/dashboard by anonymousUser : Not logged in

It must have something to do with my configuration.  Unless someone has 
some ideas, I'll probably just begin a new build and test the password 
reset with the most basic configuration, and slowly add to it until I 
either have the full configuration, or it breaks.  :-)


Brad Firestone wrote on 5/31/19 10:09 PM:
> Thank you Pavol!
>
> It looks like these changes in the 3.9 support branch have probably 
> resolved the issue.  This is my first time trying to build from 
> source and I couldn't figure out how to apply the new WAR files into 
> my current 3.9 install.  So I just dropped the WAR file into a 
> different Tomcat server.  Loaded my config files into the new install 
> and the password reset via email worked correctly.
>
> Is there any way to just take the changed files that you referenced in 
> your commit and add them/edit them in my current 3.9 standalone 
> installation?  That would save having to re-import thousands of Users. 
> If not, I'll just need to learn more about building from source.  :-)
>
> Thank you for fixing this issue and pointing me in the right direction!!
> Brad
>
> Pavol Mederly wrote on 5/25/19 4:25 AM:
>>
>> Hello Brad,
>>
>> last year I had to fix a (maybe) related issue in the password security 
>> questions reset mechanism: 
>> https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9. 
>> Maybe you could try to download and use the current code in the 
>> support-3.9 branch; there's a slight chance the fix will help in 
>> your case as well.
>>
>> Best regards,
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>> On 24.05.2019 21:29, Brad Firestone wrote:
>>> Hi All,
>>>
>>> I'm trying to set up password reset using email on a new system 
>>> (3.9).  I've copied files from a working system (3.8), and also 
>>> compared them with the samples.  I will include my configs below.
>>>
>>> Clicking "Forgot Password" displays the correct form to enter the 
>>> email address.  Submitting shows success and I receive the email 
>>> with a link.  Clicking the link opens a browser window that displays 
>>> the regular login screen, not the password page as would be expected.
>>>
>>> The link looks like this (email address changed):
>>> https://id.example.com/confirm/reset?user=test@example.com&token=7135096842
>>>
>>> The log shows:
>>> DEBUG (com.evolveum.midpoint.security.api.SecurityUtil): Denied 
>>> access to FilterInvocation: URL: /self/dashboard by anonymousUser : 
>>> Not logged in
>>>
>>> I don't have any idea why the nonce token isn't authenticating 
>>> correctly.  If anyone has any ideas, I'd appreciate it.
>>> Thanks!
>>> Brad
>>>
>>> Global Security Policy:
>>> <securityPolicy oid="ae102ac0-735c-11e9-b544-871134a1b753"
>>>     xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'>
>>>     <name>Our Global Security Policy</name>
>>>     <authentication>
>>>         <mailAuthentication>
>>>             <name>confirmationLink</name>
>>>             <displayName>Additional mail authentication</displayName>
>>>             <mailNonce>mailNonce</mailNonce>
>>>         </mailAuthentication>
>>>     </authentication>
>>>     <credentials>
>>>         <password>
>>>             <maxAge>P1000D</maxAge>
>>>             <lockoutMaxFailedAttempts>5</lockoutMaxFailedAttempts>
>>>             <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
>>>             <lockoutDuration>PT15M</lockoutDuration>
>>>             <historyLength>1</historyLength>
>>>             <valuePolicyRef oid="af1ad05a-735c-11e9-a5f1-8b992d7b3048" type="ValuePolicyType"></valuePolicyRef>
>>>             <propagationUserControl>mapping</propagationUserControl>
>>>         </password>
>>>         <nonce>
>>>             <maxAge>PT2H</maxAge>
>>>             <name>mailNonce</name>
>>>             <valuePolicyRef oid="b67275c4-735c-11e9-aa36-335e84f81ac6" type="ValuePolicyType"></valuePolicyRef>
>>>         </nonce>
>>>     </credentials>
>>>     <credentialsReset>
>>>         <mailReset>
>>>             <name>Reset password using mail</name>
>>>             <additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
>>>         </mailReset>
>>>     </credentialsReset>
>>> </securityPolicy>
>>>
>>> Nonce Value Policy:
>>> <valuePolicy oid="b67275c4-735c-11e9-aa36-335e84f81ac6"
>>>              xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>>>     <name>Nonce Value Policy</name>
>>>     <description>Value policy for mail-based password reset nonce</description>
>>>     <stringPolicy>
>>>         <limitations>
>>>             <minLength>10</minLength>
>>>             <limit>
>>>                 <description>Numbers</description>
>>>                 <minOccurs>10</minOccurs>
>>>                 <maxOccurs>10</maxOccurs>
>>>                 <mustBeFirst>false</mustBeFirst>
>>>                 <characterClass>
>>>                     <value>1234567890</value>
>>>                 </characterClass>
>>>             </limit>
>>>         </limitations>
>>>     </stringPolicy>
>>> </valuePolicy>
>>>
>>> System Config - Password notifier:
>>> <passwordResetNotifier>
>>>     <recipientExpression>
>>>         <script>
>>>             <code>return requestee.getEmailAddress()</code>
>>>         </script>
>>>     </recipientExpression>
>>>     <bodyExpression>
>>>         <script>
>>>             <code>
>>>                 import com.evolveum.midpoint.notifications.api.events.ModelEvent
>>>
>>>                 modelEvent = (ModelEvent) event
>>>                 newUser = modelEvent.getFocusContext().getObjectNew();
>>>                 userType = newUser.asObjectable();
>>>
>>>                 link = midpoint.createPasswordResetLink(userType)
>>>                 bodyMessage = "A password reset has been requested for your Account.  Please click on the link below to complete the password reset. The link will be valid for 2 hours. " +
>>>                     "Here is your password reset link:\n" + link
>>>
>>>                 return bodyMessage;
>>>             </code>
>>>         </script>
>>>     </bodyExpression>
>>>     <transport>mail</transport>
>>> </passwordResetNotifier>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint

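As an added example (not midPoint code, and not part of the thread), the Python below walks the reference chain that a mail-based reset in the posted securityPolicy depends on (mailReset -> mailAuthentication -> nonce credential -> nonce valuePolicy) and checks the token in an emailed link against the nonce value policy. The XML is a trimmed, constructed copy of the configuration quoted above, and the checker is a hypothetical consistency test, not midPoint's own validation.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed, trimmed copies of the securityPolicy and nonce valuePolicy posted in the thread.
SECURITY_POLICY = """<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <authentication><mailAuthentication><name>confirmationLink</name>
    <mailNonce>mailNonce</mailNonce></mailAuthentication></authentication>
  <credentials><nonce><maxAge>PT2H</maxAge><name>mailNonce</name>
    <valuePolicyRef oid="b67275c4-735c-11e9-aa36-335e84f81ac6" type="ValuePolicyType"/></nonce></credentials>
  <credentialsReset><mailReset><name>Reset password using mail</name>
    <additionalAuthenticationName>confirmationLink</additionalAuthenticationName></mailReset></credentialsReset>
</securityPolicy>"""
NONCE_POLICY = """<valuePolicy oid="b67275c4-735c-11e9-aa36-335e84f81ac6"
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <stringPolicy><limitations><minLength>10</minLength>
    <limit><minOccurs>10</minOccurs><maxOccurs>10</maxOccurs>
      <characterClass><value>1234567890</value></characterClass></limit>
  </limitations></stringPolicy></valuePolicy>"""


def check_reset_chain(security_xml: str, policy_xml: str) -> list:
    """Follow mailReset -> mailAuthentication -> nonce credential -> valuePolicy; return broken links."""
    sp, vp = ET.fromstring(security_xml), ET.fromstring(policy_xml)
    reset_auth = sp.findtext("c:credentialsReset/c:mailReset/c:additionalAuthenticationName", namespaces=NS)
    auths = {a.findtext("c:name", namespaces=NS): a for a in sp.findall("c:authentication/c:mailAuthentication", NS)}
    if reset_auth not in auths:
        return [f"mailReset points at unknown mailAuthentication {reset_auth!r}"]
    nonce_name = auths[reset_auth].findtext("c:mailNonce", namespaces=NS)
    nonces = {n.findtext("c:name", namespaces=NS): n for n in sp.findall("c:credentials/c:nonce", NS)}
    if nonce_name not in nonces:
        return [f"mailAuthentication points at unknown nonce credential {nonce_name!r}"]
    ref = nonces[nonce_name].find("c:valuePolicyRef", NS)
    if ref is None or ref.get("oid") != vp.get("oid"):
        return ["nonce valuePolicyRef oid does not match the nonce value policy"]
    return []


def token_matches_policy(link: str, policy_xml: str) -> bool:
    """Check the token= query parameter of a reset link against the policy's character-class limit."""
    limit = ET.fromstring(policy_xml).find("c:stringPolicy/c:limitations/c:limit", NS)
    chars = limit.findtext("c:characterClass/c:value", namespaces=NS)
    lo = int(limit.findtext("c:minOccurs", namespaces=NS))
    hi = int(limit.findtext("c:maxOccurs", namespaces=NS))
    token = parse_qs(urlparse(link).query).get("token", [""])[0]
    return re.fullmatch(f"[{re.escape(chars)}]{{{lo},{hi}}}", token) is not None
```

An empty list from check_reset_chain means every name and oid in the chain resolves, which rules out a dangling reference as the cause of the "Not logged in" denial and points the investigation elsewhere.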