<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head><body text="#000000" bgcolor="#FFFFFF">Thank you Pavol!<br>
<br>
It looks like these changes in the 3.9 support branch have probably 
resolved the issue.  This is my first time to try and build from source 
and I couldn't figure out how to apply the new WAR files into my current
 3.9 install.  So I just dropped the WAR file into a different Tomcat 
server.  Loaded my config files in to the new install and the password 
reset via email worked correctly.<br>
<br>
Is there any way to just take the changed files that you referenced in 
your commit and add them/edit them in my current 3.9 standalone 
installation?  That would save having to re-import thousands of Users.  
If not, I'll just need to learn more about building from source.  :-)<br>
<br>
Thank you for fixing this issue and pointing me in the right direction!!<br>
Brad <br>
<br>
<span>Pavol Mederly wrote on 5/25/19 4:25 AM:</span><br>
<blockquote type="cite" 
cite="mid:bd566f89-c0d8-98e9-3734-bd05fb5cc3a8@evolveum.com">
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">

  
  
    
  <p>Hello Brad,</p>

    
  <p>last year I had to fix a (maybe) related issue in password
      security questions reset mechanism: <a moz-do-not-send="true" 
href="https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9">https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9</a>.
      Maybe you could try to download and use the current code in
      support-3.9 branch; there's a slight chance the fix will help also
      in your case.</p>

    
  <p>Best regards,<br>
    </p>

    
  <pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>

    
  <div class="moz-cite-prefix">On 24.05.2019 21:29, Brad Firestone
      wrote:<br>
    </div>

    
  <blockquote type="cite" 
cite="mid:86987a06-107a-b2a6-80fe-0b33fd61fc22@gmail.com"><meta 
http-equiv="content-type" content="text/html; charset=utf-8">
      Hi All,<br>
      <br>
      I'm trying to setup password reset using email on a new system
      (3.9).  I've copied files from a working system (3.8), and also
      compared them with the samples.  I will include my configs below.<br>
      <br>
      Clicking "Forgot Password" displays the correct form to enter the
      email address.  Submitting shows success and I receive the email
      with a link.  Clicking the link opens a browser window that
      displays the regular login screen, not the password page as would
      be expected.<br>
      <br>
      The link looks like this (email address changed):<br>
      <pre wrap=""><a class="moz-txt-link-freetext" href="https://id.nazarene.org/confirm/reset?user=bfirestone@globalnaz.org&token=7135096842" moz-do-not-send="true">https://id.example.com/confirm/reset?user=test@example.com&token=7135096842</a></pre>
      <br>
      The log shows:<br>
      DEBUG (com.evolveum.midpoint.security.api.SecurityUtil): Denied
      access to FilterInvocation: URL: /self/dashboard by anonymousUser
      : Not logged in<br>
      <br>
      I don't have any idea why the nonce token isn't authenticating
      correctly.  If anyone has any ideas, I'd appreciate it.<br>
      Thanks!<br>
      Brad<br>
      <br>
      Global Security Policy:<br>
      <securityPolicy oid="ae102ac0-735c-11e9-b544-871134a1b753" <br>
          xmlns='<a class="moz-txt-link-freetext" 
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" 
moz-do-not-send="true">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>'><br>
          <name>Our Global Security Policy</name><br>
          <authentication><br>
              <mailAuthentication><br>
                  <name>confirmationLink</name><br>
                  <displayName>Additional mail
      authnetication</displayName><br>
                  <mailNonce>mailNonce</mailNonce><br>
              </mailAuthentication><br>
          </authentication><br>
          <credentials><br>
              <password><br>
                  <maxAge>P1000D</maxAge><br>
                 
      <lockoutMaxFailedAttempts>5</lockoutMaxFailedAttempts><br>
                 
<lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration><br>
                  <lockoutDuration>PT15M</lockoutDuration><br>
                  <historyLength>1</historyLength><br>
                  <valuePolicyRef
      oid="af1ad05a-735c-11e9-a5f1-8b992d7b3048"
      type="ValuePolicyType"></valuePolicyRef><br>
                 
      
<propagationUserControl>mapping</propagationUserControl><br>
              </password><br>
              <nonce><br>
                  <maxAge>PT2H</maxAge><br>
                  <name>mailNonce</name><br>
                  <valuePolicyRef
      oid="b67275c4-735c-11e9-aa36-335e84f81ac6"
      type="ValuePolicyType"></valuePolicyRef><br>
              </nonce><br>
          </credentials><br>
          <credentialsReset><br>
              <mailReset><br>
                  <name>Reset password using mail</name><br>
                 
<additionalAuthenticationName>confirmationLink</additionalAuthenticationName><br>
              </mailReset><br>
          </credentialsReset><br>
      </securityPolicy><br>
      <br>
      Nonce Value Policy:<br>
      <valuePolicy oid="b67275c4-735c-11e9-aa36-335e84f81ac6"<br>
                   xmlns=<a class="moz-txt-link-rfc2396E" 
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" 
moz-do-not-send="true">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a>><br>
          <name>Nonce Value Policy</name><br>
          <description>Value policy for mail-based password reset
      nonce</description><br>
          <stringPolicy><br>
              <limitations><br>
                  <minLength>10</minLength><br>
                  <limit><br>
                      <description>Numbers</description><br>
                      <minOccurs>10</minOccurs><br>
                      <maxOccurs>10</maxOccurs><br>
                      <mustBeFirst>false</mustBeFirst><br>
                      <characterClass><br>
                          <value>1234567890</value><br>
                      </characterClass><br>
                  </limit><br>
              </limitations><br>
          </stringPolicy><br>
      </valuePolicy><br>
      <br>
      System Config - Password notifier:<br>
      <passwordResetNotifier><br>
              <recipientExpression><br>
              <script><br>
                  <code>return
      requestee.getEmailAddress()</code><br>
              </script><br>
              </recipientExpression><br>
              <bodyExpression><br>
              <script><br>
                  <code><br>
                             <br>
                      import
      com.evolveum.midpoint.notifications.api.events.ModelEvent<br>
                      modelEvent = (ModelEvent) event<br>
                      newUser =
      modelEvent.getFocusContext().getObjectNew();<br>
                      userType = newUser.asObjectable();<br>
           <br>
                      link = midpoint.createPasswordResetLink(userType)<br>
                      bodyMessage = "A password reset has been requested
      for your Account.  Please click on the link below to complete the
      password reset. The link will                 be valid for 2
      hours. " +<br>
                      "Here is your password reset link:\n" + link<br>
                 <br>
                      return bodyMessage;<br>
                  </code><br>
              </script><br>
              </bodyExpression><br>
              <transport>mail</transport><br>
      <br>
          </passwordResetNotifier><br>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" moz-do-not-send="true">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre></blockquote>

  


  <br>
  <fieldset class="mimeAttachmentHeader"></fieldset>
  <br>
  <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</body></html>