<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head><body text="#000000" bgcolor="#FFFFFF">Just to document my
solution in case anyone else runs across this problem. <br>
<br>
I found the one simple thing that I had set wrong.<br>
In the system configuration, I had set the <defaultHostname> to
<a class="moz-txt-link-freetext" href="https://id.example.com">https://id.example.com</a> <br>
(We are running Apache in front of this to auto-roll HTTP to HTTPS,
handle the certificates and re-write to port 8080.)<br>
This gave a token link that didn't include /midpoint in the URL. <br>
<br>
After changing the defaultHostname to: <a class="moz-txt-link-freetext" href="https://id.example.com/midpoint">https://id.example.com/midpoint</a><br>
everything worked fine. I knew it had to be something simple, but just
couldn't see it.<br>
<br>
<br>
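The check below is an added example (it is not midPoint's own code and was not posted by anyone in this thread). It mirrors the failure described above: the reset link is assembled from defaultHostname plus the fixed /confirm/reset path that appears in the original email, so a defaultHostname that lacks the /midpoint context path yields a link that never reaches the reset page. The context path (/midpoint), the public host (id.example.com) and the helper names build_reset_link, check_reset_link and suggested_default_hostname are assumptions made for the illustration; the 10-digit token rule comes from the nonce value policy posted further down in the thread.<br>

```python
"""Sanity-check the password reset link a midPoint deployment sends out.

Added example, not midPoint's own code. It assumes, as the thread describes,
that the reset link is defaultHostname + "/confirm/reset?user=...&token=..."
and that the WAR is deployed under the /midpoint context path behind a
reverse proxy.
"""
import re
from typing import List
from urllib.parse import parse_qs, urlparse

RESET_PATH = "/confirm/reset"          # path seen in the link quoted in the thread
CONTEXT_PATH = "/midpoint"             # assumption: Tomcat context path of the WAR
PUBLIC_HOST = "id.example.com"         # constructed sample host (as used in the thread)
NONCE_RE = re.compile(r"^[0-9]{10}$")  # the thread's nonce value policy: exactly 10 digits


def build_reset_link(default_hostname: str, user: str, token: str) -> str:
    """Assemble the link the way the thread implies it is built (assumption):
    whatever defaultHostname contains, plus the fixed reset path and query.
    Nothing inserts the context path for you, so it must already be part of
    defaultHostname."""
    return f"{default_hostname.rstrip('/')}{RESET_PATH}?user={user}&token={token}"


def check_reset_link(link: str, context_path: str = CONTEXT_PATH,
                     public_host: str = PUBLIC_HOST) -> List[str]:
    """Return the problems found in a reset link; an empty list means it looks sane."""
    problems: List[str] = []
    u = urlparse(link)
    if u.scheme != "https":
        problems.append(f"scheme is {u.scheme!r}; the nonce would travel in clear text")
    if u.hostname != public_host:
        problems.append(f"host {u.hostname!r} is not the public host {public_host!r}")
    if not u.path.startswith(context_path + "/"):
        problems.append(
            f"path {u.path!r} lacks the context path {context_path!r}; "
            "the link will not reach the reset page and the user lands on the login screen")
    qs = parse_qs(u.query)
    for name in ("user", "token"):
        if name not in qs:
            problems.append(f"missing query parameter {name!r}")
    token = qs.get("token", [""])[0]
    if token and not NONCE_RE.match(token):
        problems.append("token does not match the 10-digit nonce value policy")
    return problems


def suggested_default_hostname(default_hostname: str,
                               context_path: str = CONTEXT_PATH) -> str:
    """Return the defaultHostname value that produces links carrying the context path."""
    base = default_hostname.rstrip("/")
    return base if base.endswith(context_path) else base + context_path


if __name__ == "__main__":
    # Constructed sample values: the two defaultHostname settings from the thread
    for hostname in ("https://id.example.com", "https://id.example.com/midpoint"):
        link = build_reset_link(hostname, "test@example.com", "7135096842")
        print(link)
        for problem in check_reset_link(link):
            print("  !", problem)
        print("  suggested defaultHostname:", suggested_default_hostname(hostname))
```

Run it as a script and the first hostname reports the missing context path while the second passes cleanly; pasting a link received by mail into check_reset_link() is a quick way to tell a URL-construction problem apart from a token or authentication problem before digging into the logs.<br>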
<span>Brad Firestone wrote on 6/3/19 2:53 PM:</span><br>
<blockquote type="cite"
cite="mid:7e49e083-89f8-bce8-1830-91445ed155de@gmail.com">
Well, it doesn't look like
it was actually a code problem. I was able to update my installation
to 3.9.1-snapshot and still have the same problem:<br>
Token link in password reset email doesn't allow a password change. It
just takes me to the main login page, and gives this error in the log:<br>
<br>
[http-nio-8080-exec-4] DEBUG
(com.evolveum.midpoint.security.api.SecurityUtil): Denied access to
FilterInvocation: URL: /self/dashboard by anonymousUser : Not logged in<br>
<br>
It must have something to do with my configuration. Unless someone has
some ideas, I'll probably just begin a new build and test the password
reset with the most basic configuration, and slowly add to it until I
either have the full configuration, or it breaks. :-)<br>
<br>
<br>
<span>Brad Firestone wrote on 5/31/19 10:09 PM:</span><br>
<blockquote type="cite"
cite="mid:1f22fbbc-4aaa-4288-fc8e-10f1b593971a@gmail.com">
Thank you Pavol!<br>
<br>
It looks like these changes in the 3.9 support branch have probably
resolved the issue. This is my first time trying to build from source,
and I couldn't figure out how to apply the new WAR files to my current
3.9 install. So I just dropped the WAR file into a different Tomcat
server, loaded my config files into the new install, and the password
reset via email worked correctly.<br>
<br>
Is there any way to just take the changed files that you referenced in
your commit and add them/edit them in my current 3.9 standalone
installation? That would save having to re-import thousands of Users.
If not, I'll just need to learn more about building from source. :-)<br>
<br>
Thank you for fixing this issue and pointing me in the right direction!!<br>
Brad <br>
<br>
<span>Pavol Mederly wrote on 5/25/19 4:25 AM:</span><br>
<blockquote type="cite"
cite="mid:bd566f89-c0d8-98e9-3734-bd05fb5cc3a8@evolveum.com">
<p>Hello Brad,</p>
<p>last year I had to fix a (maybe) related issue in the security-questions
password reset mechanism: <a moz-do-not-send="true"
href="https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9">https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9</a>.
Maybe you could try to download and use the current code in the
support-3.9 branch; there's a slight chance the fix will also help
in your case.</p>
<p>Best regards,<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 24.05.2019 21:29, Brad Firestone
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:86987a06-107a-b2a6-80fe-0b33fd61fc22@gmail.com">
Hi All,<br>
<br>
I'm trying to set up password reset using email on a new system
(3.9). I've copied files from a working system (3.8), and also
compared them with the samples. I will include my configs below.<br>
<br>
Clicking "Forgot Password" displays the correct form to enter the
email address. Submitting shows success and I receive the email
with a link. Clicking the link opens a browser window that
displays the regular login screen, not the password page as would
be expected.<br>
<br>
The link looks like this (email address changed):<br>
<pre wrap=""><a class="moz-txt-link-freetext" href="https://id.example.com/confirm/reset?user=test@example.com&token=7135096842" moz-do-not-send="true">https://id.example.com/confirm/reset?user=test@example.com&token=7135096842</a></pre>
<br>
The log shows:<br>
DEBUG (com.evolveum.midpoint.security.api.SecurityUtil): Denied
access to FilterInvocation: URL: /self/dashboard by anonymousUser
: Not logged in<br>
<br>
I don't have any idea why the nonce token isn't authenticating
correctly. If anyone has any ideas, I'd appreciate it.<br>
Thanks!<br>
Brad<br>
<br>
Global Security Policy:<br>
<securityPolicy oid="ae102ac0-735c-11e9-b544-871134a1b753" <br>
xmlns='<a class="moz-txt-link-freetext"
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
moz-do-not-send="true">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>'><br>
<name>Our Global Security Policy</name><br>
<authentication><br>
<mailAuthentication><br>
<name>confirmationLink</name><br>
<displayName>Additional mail
authentication</displayName><br>
<mailNonce>mailNonce</mailNonce><br>
</mailAuthentication><br>
</authentication><br>
<credentials><br>
<password><br>
<maxAge>P1000D</maxAge><br>
<lockoutMaxFailedAttempts>5</lockoutMaxFailedAttempts><br>
<lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration><br>
<lockoutDuration>PT15M</lockoutDuration><br>
<historyLength>1</historyLength><br>
<valuePolicyRef
oid="af1ad05a-735c-11e9-a5f1-8b992d7b3048"
type="ValuePolicyType"></valuePolicyRef><br>
<propagationUserControl>mapping</propagationUserControl><br>
</password><br>
<nonce><br>
<maxAge>PT2H</maxAge><br>
<name>mailNonce</name><br>
<valuePolicyRef
oid="b67275c4-735c-11e9-aa36-335e84f81ac6"
type="ValuePolicyType"></valuePolicyRef><br>
</nonce><br>
</credentials><br>
<credentialsReset><br>
<mailReset><br>
<name>Reset password using mail</name><br>
<additionalAuthenticationName>confirmationLink</additionalAuthenticationName><br>
</mailReset><br>
</credentialsReset><br>
</securityPolicy><br>
<br>
Nonce Value Policy:<br>
<valuePolicy oid="b67275c4-735c-11e9-aa36-335e84f81ac6"<br>
xmlns=<a class="moz-txt-link-rfc2396E"
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
moz-do-not-send="true">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a>><br>
<name>Nonce Value Policy</name><br>
<description>Value policy for mail-based password reset
nonce</description><br>
<stringPolicy><br>
<limitations><br>
<minLength>10</minLength><br>
<limit><br>
<description>Numbers</description><br>
<minOccurs>10</minOccurs><br>
<maxOccurs>10</maxOccurs><br>
<mustBeFirst>false</mustBeFirst><br>
<characterClass><br>
<value>1234567890</value><br>
</characterClass><br>
</limit><br>
</limitations><br>
</stringPolicy><br>
</valuePolicy><br>
<br>
System Config - Password notifier:<br>
<passwordResetNotifier><br>
<recipientExpression><br>
<script><br>
<code>return
requestee.getEmailAddress()</code><br>
</script><br>
</recipientExpression><br>
<bodyExpression><br>
<script><br>
<code><br>
<br>
import
com.evolveum.midpoint.notifications.api.events.ModelEvent<br>
modelEvent = (ModelEvent) event<br>
newUser =
modelEvent.getFocusContext().getObjectNew();<br>
userType = newUser.asObjectable();<br>
<br>
link = midpoint.createPasswordResetLink(userType)<br>
bodyMessage = "A password reset has been requested
for your Account. Please click on the link below to complete the
password reset. The link will be valid for 2
hours. " +<br>
"Here is your password reset link:\n" + link<br>
<br>
return bodyMessage;<br>
</code><br>
</script><br>
</bodyExpression><br>
<transport>mail</transport><br>
<br>
</passwordResetNotifier><br>
<br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" moz-do-not-send="true">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre></blockquote>
</blockquote>
<br></blockquote>
<br>
</blockquote>
<br>
</body></html>