[midPoint] Trouble with Password Mail Reset
Brad Firestone
bhotrock at gmail.com
Thu Jun 6 21:57:43 CEST 2019
Just to document my solution in case anyone else runs across this problem.
I found the one simple thing that I had set wrong.
In the system configuration, I had set the <defaultHostname> to
https://id.example.com
(We are running Apache in front of this to auto-roll HTTP to HTTPS,
handle the certificates and re-write to port 8080.)
This gave a token link that didn't include /midpoint in the URL.
After changing the defaultHostname to: https://id.example.com/midpoint
everything worked fine. I knew it had to be something simple, but just
couldn't see it.
Brad Firestone wrote on 6/3/19 2:53 PM:
> Well, it doesn't look like it was actually a code problem. I was able
> to update my installation to 3.9.1-snapshot and still have the same
> problem:
> Token link in password reset email doesn't allow a password change.
> It just takes me to the main login page, and gives this error in the log:
>
> [http-nio-8080-exec-4] DEBUG
> (com.evolveum.midpoint.security.api.SecurityUtil): Denied access to
> FilterInvocation: URL: /self/dashboard by anonymousUser : Not logged in
>
> It must have something to do with my configuration. Unless someone
> has some ideas, I'll probably just begin a new build and test the
> password reset with the most basic configuration, and slowly add to it
> until I either have the full configuration, or it breaks. :-)
>
>
> Brad Firestone wrote on 5/31/19 10:09 PM:
>> Thank you Pavol!
>>
>> It looks like these changes in the 3.9 support branch have probably
>> resolved the issue. This is my first time to try and build from
>> source and I couldn't figure out how to apply the new WAR files into
>> my current 3.9 install. So I just dropped the WAR file into a
>> different Tomcat server. Loaded my config files into the new
>> install and the password reset via email worked correctly.
>>
>> Is there any way to just take the changed files that you referenced
>> in your commit and add them/edit them in my current 3.9 standalone
>> installation? That would save having to re-import thousands of
>> Users. If not, I'll just need to learn more about building from
>> source. :-)
>>
>> Thank you for fixing this issue and pointing me in the right direction!!
>> Brad
>>
>> Pavol Mederly wrote on 5/25/19 4:25 AM:
>>>
>>> Hello Brad,
>>>
>>> last year I had to fix a (maybe) related issue in password security
>>> questions reset mechanism:
>>> https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9.
>>> Maybe you could try to download and use the current code in
>>> support-3.9 branch; there's a slight chance the fix will help also
>>> in your case.
>>>
>>> Best regards,
>>>
>>> Pavol Mederly
>>> Software developer
>>> evolveum.com
>>> On 24.05.2019 21:29, Brad Firestone wrote:
>>>> Hi All,
>>>>
>>>> I'm trying to setup password reset using email on a new system
>>>> (3.9). I've copied files from a working system (3.8), and also
>>>> compared them with the samples. I will include my configs below.
>>>>
>>>> Clicking "Forgot Password" displays the correct form to enter the
>>>> email address. Submitting shows success and I receive the email
>>>> with a link. Clicking the link opens a browser window that
>>>> displays the regular login screen, not the password page as would
>>>> be expected.
>>>>
>>>> The link looks like this (email address changed):
>>>> https://id.example.com/confirm/reset?user=test@example.com&token=7135096842
>>>>
>>>> The log shows:
>>>> DEBUG (com.evolveum.midpoint.security.api.SecurityUtil): Denied
>>>> access to FilterInvocation: URL: /self/dashboard by anonymousUser :
>>>> Not logged in
>>>>
>>>> I don't have any idea why the nonce token isn't authenticating
>>>> correctly. If anyone has any ideas, I'd appreciate it.
>>>> Thanks!
>>>> Brad
>>>>
>>>> Global Security Policy:
>>>> <securityPolicy oid="ae102ac0-735c-11e9-b544-871134a1b753"
>>>> xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'>
>>>> <name>Our Global Security Policy</name>
>>>> <authentication>
>>>> <mailAuthentication>
>>>> <name>confirmationLink</name>
>>>> <displayName>Additional mail authnetication</displayName>
>>>> <mailNonce>mailNonce</mailNonce>
>>>> </mailAuthentication>
>>>> </authentication>
>>>> <credentials>
>>>> <password>
>>>> <maxAge>P1000D</maxAge>
>>>> <lockoutMaxFailedAttempts>5</lockoutMaxFailedAttempts>
>>>> <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
>>>> <lockoutDuration>PT15M</lockoutDuration>
>>>> <historyLength>1</historyLength>
>>>> <valuePolicyRef
>>>> oid="af1ad05a-735c-11e9-a5f1-8b992d7b3048"
>>>> type="ValuePolicyType"></valuePolicyRef>
>>>> <propagationUserControl>mapping</propagationUserControl>
>>>> </password>
>>>> <nonce>
>>>> <maxAge>PT2H</maxAge>
>>>> <name>mailNonce</name>
>>>> <valuePolicyRef
>>>> oid="b67275c4-735c-11e9-aa36-335e84f81ac6"
>>>> type="ValuePolicyType"></valuePolicyRef>
>>>> </nonce>
>>>> </credentials>
>>>> <credentialsReset>
>>>> <mailReset>
>>>> <name>Reset password using mail</name>
>>>> <additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
>>>> </mailReset>
>>>> </credentialsReset>
>>>> </securityPolicy>
>>>>
>>>> Nonce Value Policy:
>>>> <valuePolicy oid="b67275c4-735c-11e9-aa36-335e84f81ac6"
>>>> xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>>>> <name>Nonce Value Policy</name>
>>>> <description>Value policy for mail-based password reset
>>>> nonce</description>
>>>> <stringPolicy>
>>>> <limitations>
>>>> <minLength>10</minLength>
>>>> <limit>
>>>> <description>Numbers</description>
>>>> <minOccurs>10</minOccurs>
>>>> <maxOccurs>10</maxOccurs>
>>>> <mustBeFirst>false</mustBeFirst>
>>>> <characterClass>
>>>> <value>1234567890</value>
>>>> </characterClass>
>>>> </limit>
>>>> </limitations>
>>>> </stringPolicy>
>>>> </valuePolicy>
>>>>
>>>> System Config - Password notifier:
>>>> <passwordResetNotifier>
>>>> <recipientExpression>
>>>> <script>
>>>> <code>return requestee.getEmailAddress()</code>
>>>> </script>
>>>> </recipientExpression>
>>>> <bodyExpression>
>>>> <script>
>>>> <code>
>>>> // notifier body script (Groovy); line wrapping from the mail client removed
>>>> import com.evolveum.midpoint.notifications.api.events.ModelEvent
>>>> modelEvent = (ModelEvent) event
>>>> newUser = modelEvent.getFocusContext().getObjectNew();
>>>> userType = newUser.asObjectable();
>>>>
>>>> link = midpoint.createPasswordResetLink(userType)
>>>> bodyMessage = "A password reset has been requested for your Account. Please click on the link below to complete the password reset. The link will be valid for 2 hours. " +
>>>> "Here is your password reset link:\n" + link
>>>>
>>>> return bodyMessage;
>>>> </code>
>>>> </script>
>>>> </bodyExpression>
>>>> <transport>mail</transport>
>>>>
>>>> </passwordResetNotifier>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
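The defaultHostname fix at the top of this thread and the name cross-references in Brad's security policy (mailAuthentication/mailNonce, credentials/nonce/name, mailReset/additionalAuthenticationName), as an added consistency check. This is example code, not midPoint's own; it assumes the policy XML shape quoted above, the link shape `<defaultHostname>/confirm/reset?user=...&token=...`, and a deployment under the /midpoint context path.

```python
"""Added example (not midPoint's own code): sanity checks for the mail-reset
setup in this thread. Assumes the policy XML shape quoted above and that
midPoint is deployed under the /midpoint context path behind the proxy."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed sample: the cross-referenced parts of the global security policy.
SAMPLE_POLICY = """<securityPolicy xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'>
  <authentication><mailAuthentication>
    <name>confirmationLink</name><mailNonce>mailNonce</mailNonce>
  </mailAuthentication></authentication>
  <credentials><nonce><maxAge>PT2H</maxAge><name>mailNonce</name></nonce></credentials>
  <credentialsReset><mailReset>
    <additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
  </mailReset></credentialsReset>
</securityPolicy>"""

def check_policy(policy_xml: str) -> list[str]:
    """Return findings for dangling name references; an empty list means they line up."""
    root = ET.fromstring(policy_xml)
    mail_auth = root.find("c:authentication/c:mailAuthentication", NS)
    nonce = root.find("c:credentials/c:nonce", NS)
    reset = root.find("c:credentialsReset/c:mailReset", NS)
    if mail_auth is None or nonce is None or reset is None:
        return ["mailAuthentication, credentials/nonce or mailReset is missing"]
    auth_name = mail_auth.findtext("c:name", "", NS)
    auth_nonce = mail_auth.findtext("c:mailNonce", "", NS)
    nonce_name = nonce.findtext("c:name", "", NS)
    reset_auth = reset.findtext("c:additionalAuthenticationName", "", NS)
    findings = []
    if auth_nonce != nonce_name:
        findings.append(f"mailAuthentication/mailNonce {auth_nonce!r} does not name credentials/nonce {nonce_name!r}")
    if reset_auth != auth_name:
        findings.append(f"mailReset/additionalAuthenticationName {reset_auth!r} does not name mailAuthentication {auth_name!r}")
    return findings

def check_reset_link(default_hostname: str, context_path: str = "/midpoint") -> list[str]:
    """Build the link shape from the thread and flag the defaultHostname mistake
    described above: without the context path the token link lands outside /midpoint."""
    # Constructed placeholder user and token; real links carry the 10-digit nonce.
    link = default_hostname.rstrip("/") + "/confirm/reset?user=test@example.com&token=0000000000"
    parts = urlsplit(link)
    findings = []
    if parts.scheme != "https":
        findings.append(f"reset link {link!r} is not https")
    if not parts.path.startswith(context_path + "/"):
        findings.append(f"reset link path {parts.path!r} is outside context path {context_path!r}")
    return findings
```

Running `check_reset_link("https://id.example.com")` reproduces the symptom from the thread (path outside /midpoint), while the corrected value returns no findings.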