[midPoint] Trouble with Password Mail Reset
Brad Firestone
bhotrock at gmail.com
Fri May 24 21:29:51 CEST 2019
Hi All,
I'm trying to set up password reset using email on a new system (3.9).
I've copied files from a working system (3.8), and also compared them
with the samples. I will include my configs below.
Clicking "Forgot Password" displays the correct form to enter the email
address. Submitting shows success and I receive the email with a link.
Clicking the link opens a browser window that displays the regular login
screen, not the password page as would be expected.
The link looks like this (email address changed):
https://id.example.com/confirm/reset?user=test@example.com&token=7135096842
The log shows:
DEBUG (com.evolveum.midpoint.security.api.SecurityUtil): Denied access to FilterInvocation: URL: /self/dashboard by anonymousUser : Not logged in
I don't have any idea why the nonce token isn't authenticating
correctly. If anyone has any ideas, I'd appreciate it.
Thanks!
Brad
Global Security Policy:
<securityPolicy oid="ae102ac0-735c-11e9-b544-871134a1b753"
xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'>
<name>Our Global Security Policy</name>
<authentication>
<mailAuthentication>
<name>confirmationLink</name>
<displayName>Additional mail authentication</displayName>
<mailNonce>mailNonce</mailNonce>
</mailAuthentication>
</authentication>
<credentials>
<password>
<maxAge>P1000D</maxAge>
<lockoutMaxFailedAttempts>5</lockoutMaxFailedAttempts>
<lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
<lockoutDuration>PT15M</lockoutDuration>
<historyLength>1</historyLength>
<valuePolicyRef oid="af1ad05a-735c-11e9-a5f1-8b992d7b3048"
type="ValuePolicyType"></valuePolicyRef>
<propagationUserControl>mapping</propagationUserControl>
</password>
<nonce>
<maxAge>PT2H</maxAge>
<name>mailNonce</name>
<valuePolicyRef oid="b67275c4-735c-11e9-aa36-335e84f81ac6"
type="ValuePolicyType"></valuePolicyRef>
</nonce>
</credentials>
<credentialsReset>
<mailReset>
<name>Reset password using mail</name>
<additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
</mailReset>
</credentialsReset>
</securityPolicy>
Nonce Value Policy:
<valuePolicy oid="b67275c4-735c-11e9-aa36-335e84f81ac6"
xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
<name>Nonce Value Policy</name>
<description>Value policy for mail-based password reset nonce</description>
<stringPolicy>
<limitations>
<minLength>10</minLength>
<limit>
<description>Numbers</description>
<minOccurs>10</minOccurs>
<maxOccurs>10</maxOccurs>
<mustBeFirst>false</mustBeFirst>
<characterClass>
<value>1234567890</value>
</characterClass>
</limit>
</limitations>
</stringPolicy>
</valuePolicy>
System Config - Password notifier:
<passwordResetNotifier>
<recipientExpression>
<script>
<code>return requestee.getEmailAddress()</code>
</script>
</recipientExpression>
<bodyExpression>
<script>
<code>
import com.evolveum.midpoint.notifications.api.events.ModelEvent
// the notifier receives a model event; take the user as it is after the operation
modelEvent = (ModelEvent) event
newUser = modelEvent.getFocusContext().getObjectNew();
userType = newUser.asObjectable();
// midPoint builds the confirm/reset link that carries the user's mail nonce
link = midpoint.createPasswordResetLink(userType)
bodyMessage = "A password reset has been requested for your Account. Please click on the link below to complete the password reset. The link will be valid for 2 hours. " +
"Here is your password reset link:\n" + link
return bodyMessage;
</code>
</script>
</bodyExpression>
<transport>mail</transport>
</passwordResetNotifier>
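The following is an added example, not midPoint code and not part of the original post: a small Python model of the checks a confirm/reset link of the shape shown above has to pass against the policy values in the post (nonce maxAge PT2H, a nonce of exactly ten characters from 1234567890, single use, constant-time comparison). The names NonceStore, verify_reset_link and run_scenario, the timestamp and the sample user are assumptions made for the example.

```python
# Added example (not midPoint code): model of the checks a mail-nonce
# password-reset link must pass, using the values from the policy above.
# NonceStore, verify_reset_link and run_scenario are hypothetical names.
import hmac
import re
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# ISO-8601 durations in the forms the security policy uses (P1000D, PT2H, PT3M).
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError("unsupported duration: " + text)
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


# Nonce value policy from the post: exactly ten characters, all from 1234567890.
NONCE_CHARS = "1234567890"
NONCE_LEN = 10
NONCE_MAX_AGE = parse_duration("PT2H")


def generate_nonce():
    # secrets, not random: the nonce is the only secret in the reset link
    return "".join(secrets.choice(NONCE_CHARS) for _ in range(NONCE_LEN))


def nonce_matches_policy(value):
    return len(value) == NONCE_LEN and all(c in NONCE_CHARS for c in value)


class NonceStore:
    """Stand-in for the per-user nonce credential: value plus issue time."""

    def __init__(self, max_age=NONCE_MAX_AGE):
        self.max_age = max_age
        self._by_user = {}

    def issue(self, user, now):
        nonce = generate_nonce()
        self._by_user[user] = (nonce, now)
        return nonce

    def verify(self, user, token, now):
        record = self._by_user.get(user)
        if record is None:
            return False, "no nonce issued"
        stored, issued = record
        if now - issued > self.max_age:
            del self._by_user[user]
            return False, "nonce expired"
        if not hmac.compare_digest(stored.encode(), token.encode()):
            return False, "token mismatch"
        del self._by_user[user]  # single use: a replayed link must fail
        return True, "ok"


def verify_reset_link(url, store, now):
    """Check a confirm/reset?user=...&token=... link against the store."""
    query = parse_qs(urlparse(url).query)
    user = query.get("user", [None])[0]
    token = query.get("token", [None])[0]
    if not user or not token:
        return False, "missing user or token"
    if not nonce_matches_policy(token):
        return False, "token violates nonce value policy"
    return store.verify(user, token, now)


def run_scenario():
    """Issue, use, replay, tamper and expire a link; returns each outcome."""
    t0 = datetime(2019, 5, 24, 21, 29, 51, tzinfo=timezone.utc)  # constructed
    user = "test@example.com"  # constructed sample address, as in the post
    base = "https://id.example.com/confirm/reset?user=%s&token=%s"
    store = NonceStore()
    nonce = store.issue(user, t0)
    link = base % (user, nonce)
    results = {}
    results["fresh"] = verify_reset_link(link, store, t0 + parse_duration("PT1H"))
    results["replay"] = verify_reset_link(link, store, t0 + parse_duration("PT1H"))
    nonce = store.issue(user, t0)
    wrong = str((int(nonce[0]) + 1) % 10) + nonce[1:]  # differs in first digit
    results["wrong_token"] = verify_reset_link(base % (user, wrong), store, t0)
    results["bad_token"] = verify_reset_link(base % (user, "abc"), store, t0)
    results["expired"] = verify_reset_link(base % (user, nonce), store,
                                           t0 + parse_duration("PT3H"))
    return results
```

Two things the model makes visible that the policy in the post leaves implicit: the nonce element sets only maxAge, and a ten-digit numeric nonce has 10^10 possible values (about 33 bits), so how long a nonce stays valid and whether failed confirm/reset attempts are throttled both matter for the strength of the link.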