From ilgro...@apache.org
Subject [2/3] syncope git commit: [SYNCOPE-1388] Now only POST /user/self/mustChangePassword is allowed when mustChangePassword flag is set on user
Date Tue, 30 Oct 2018 17:03:00 GMT
[SYNCOPE-1388] Now only POST /user/self/mustChangePassword is allowed when mustChangePassword
flag is set on user


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/01e32d2d
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/01e32d2d
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/01e32d2d

Branch: refs/heads/master
Commit: 01e32d2d0ad7a9f171440dcf369da6a8f72a7d4b
Parents: 9fc33d2
Author: Francesco Chicchiriccò <ilgrosso@apache.org>
Authored: Tue Oct 30 17:56:59 2018 +0100
Committer: Francesco Chicchiriccò <ilgrosso@apache.org>
Committed: Tue Oct 30 17:57:57 2018 +0100

----------------------------------------------------------------------
 appveyor.yml                                    |  6 ++---
 .../console/SyncopeConsoleApplication.java      |  3 +--
 .../client/console/SyncopeConsoleSession.java   | 24 ++++++++++++++------
 .../client/console/panels/AnyTypesPanel.java    |  4 ++--
 .../client/enduser/SyncopeEnduserSession.java   | 23 +++++++++++--------
 .../resources/UserSelfChangePassword.java       | 12 +---------
 .../enduser/resources/UserSelfReadResource.java |  1 -
 .../app/js/controllers/UserController.js        | 10 ++++----
 .../app/js/services/userSelfService.js          |  3 ++-
 .../apache/syncope/core/logic/UserLogic.java    | 12 ++++++----
 .../security/MustChangePasswordFilter.java      | 10 ++------
 .../spring/security/SyncopeJWTSSOProvider.java  |  2 +-
 .../client/console/pages/SAML2SPLogin.java      |  1 -
 .../apache/syncope/fit/core/UserSelfITCase.java | 12 +++++-----
 14 files changed, 63 insertions(+), 60 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/01e32d2d/appveyor.yml
----------------------------------------------------------------------
diff --git a/appveyor.yml b/appveyor.yml
index acd8bb4..f58a884 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -26,9 +26,9 @@ install:
         (new-object System.Net.WebClient).DownloadFile('https://www.apache.org/dist/maven/maven-3/3.5.4/binaries/apache-maven-3.5.4-bin.zip',
'C:\maven-bin.zip')
         [System.IO.Compression.ZipFile]::ExtractToDirectory("C:\maven-bin.zip", "C:\maven")
       }
-  - cmd: SET PATH=C:\maven\apache-maven-3.5.3\bin;%JAVA_HOME%\bin;=%;
-  - cmd: SET JAVA_HOME=C:\Program Files\Java\jdk10
-  - cmd: SET M2_HOME=C:\maven\apache-maven-3.5.3
+  - cmd: SET PATH=C:\maven\apache-maven-3.5.4\bin;%JAVA_HOME%\bin;=%;
+  - cmd: SET JAVA_HOME=C:\Program Files\Java\jdk1.8.0
+  - cmd: SET M2_HOME=C:\maven\apache-maven-3.5.4
   - cmd: SET MAVEN_OPTS=-Xmx4g
   - cmd: SET JAVA_OPTS=-Xmx4g
 build_script:

http://git-wip-us.apache.org/repos/asf/syncope/blob/01e32d2d/client/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleApplication.java
----------------------------------------------------------------------
diff --git a/client/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleApplication.java
b/client/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleApplication.java
index f03f823..3431f04 100644
--- a/client/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleApplication.java
+++ b/client/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleApplication.java
@@ -49,7 +49,6 @@ import org.apache.syncope.client.lib.SyncopeClientFactoryBean;
 import org.apache.syncope.common.lib.PropertyUtils;
 import org.apache.syncope.common.lib.SyncopeConstants;
 import org.apache.syncope.common.lib.to.EntityTO;
-import org.apache.syncope.common.lib.types.StandardEntitlement;
 import org.apache.syncope.common.rest.api.service.DomainService;
 import org.apache.wicket.Page;
 import org.apache.wicket.authroles.authentication.AbstractAuthenticatedWebSession;
@@ -254,7 +253,7 @@ public class SyncopeConsoleApplication extends AuthenticatedWebApplication
{
     @Override
     public Class<? extends Page> getHomePage() {
         return AuthenticatedWebSession.get().isSignedIn()
-                && SyncopeConsoleSession.get().owns(StandardEntitlement.MUST_CHANGE_PASSWORD)
+                && SyncopeConsoleSession.get().getSelfTO().isMustChangePassword()
                 ? MustChangePassword.class
                 : Dashboard.class;
     }

http://git-wip-us.apache.org/repos/asf/syncope/blob/01e32d2d/client/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleSession.java
----------------------------------------------------------------------
diff --git a/client/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleSession.java
b/client/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleSession.java
index d793da2..6f9d7a9 100644
--- a/client/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleSession.java
+++ b/client/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleSession.java
@@ -31,6 +31,7 @@ import java.util.Set;
 import java.util.concurrent.Callable;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.Future;
+import javax.ws.rs.ForbiddenException;
 import javax.ws.rs.core.EntityTag;
 import javax.ws.rs.core.MediaType;
 import org.apache.commons.collections4.list.SetUniqueList;
@@ -48,6 +49,7 @@ import org.apache.syncope.common.lib.SyncopeConstants;
 import org.apache.syncope.common.lib.info.PlatformInfo;
 import org.apache.syncope.common.lib.info.SystemInfo;
 import org.apache.syncope.common.lib.to.UserTO;
+import org.apache.syncope.common.lib.types.StandardEntitlement;
 import org.apache.syncope.common.rest.api.service.SyncopeService;
 import org.apache.wicket.Session;
 import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
@@ -163,7 +165,7 @@ public class SyncopeConsoleSession extends AuthenticatedWebSession {
         try {
             client = clientFactory.setDomain(getDomain()).create(username, password);
 
-            refreshAuth();
+            refreshAuth(username);
 
             authenticated = true;
         } catch (Exception e) {
@@ -179,7 +181,7 @@ public class SyncopeConsoleSession extends AuthenticatedWebSession {
         try {
             client = clientFactory.setDomain(getDomain()).create(jwt);
 
-            refreshAuth();
+            refreshAuth(null);
 
             authenticated = true;
         } catch (Exception e) {
@@ -270,11 +272,19 @@ public class SyncopeConsoleSession extends AuthenticatedWebSession {
         return roles;
     }
 
-    public void refreshAuth() {
-        Pair<Map<String, Set<String>>, UserTO> self = client.self();
-        auth = self.getLeft();
-        selfTO = self.getRight();
-        roles = null;
+    public void refreshAuth(final String username) {
+        try {
+            Pair<Map<String, Set<String>>, UserTO> self = client.self();
+            auth = self.getLeft();
+            selfTO = self.getRight();
+            roles = null;
+        } catch (ForbiddenException e) {
+            LOG.warn("Could not read self(), probably in a {} scenario", StandardEntitlement.MUST_CHANGE_PASSWORD,
e);
+
+            selfTO = new UserTO();
+            selfTO.setUsername(username);
+            selfTO.setMustChangePassword(true);
+        }
     }
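Review bot: In the new `catch (ForbiddenException e)` branch only `selfTO` is replaced; `auth` and `roles` keep whatever a previous successful `client.self()` left in them, and this method is also invoked after create/delete from `AnyTypesPanel`, so a session that falls into the must-change-password state may carry stale entitlements until the next successful refresh. I would reset both alongside the fallback TO, `auth = Collections.emptyMap();` and `roles = null;` (importing `java.util.Collections` if it is not already in scope). Logging an expected condition at WARN with the full stack trace (`LOG.warn(..., e)`) is also noisy; dropping the throwable or lowering the level seems more appropriate. The public method gains a parameter but no Javadoc; a short comment such as `/** Reloads entitlements and self TO; on 403 falls back to a minimal TO flagged mustChangePassword, using the given username (may be null on JWT login). */` would explain the fallback to callers.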
 
     @SuppressWarnings("unchecked")

http://git-wip-us.apache.org/repos/asf/syncope/blob/01e32d2d/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyTypesPanel.java
----------------------------------------------------------------------
diff --git a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyTypesPanel.java
b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyTypesPanel.java
index 97158e5..8e407f7 100644
--- a/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyTypesPanel.java
+++ b/client/console/src/main/java/org/apache/syncope/client/console/panels/AnyTypesPanel.java
@@ -75,7 +75,7 @@ public class AnyTypesPanel extends TypesDirectoryPanel<AnyTypeTO, AnyTypesPanel.
                         try {
                             if (getOriginalItem() == null || StringUtils.isBlank(getOriginalItem().getKey()))
{
                                 restClient.create(modelObject);
-                                SyncopeConsoleSession.get().refreshAuth();
+                                SyncopeConsoleSession.get().refreshAuth(null);
                             } else {
                                 restClient.update(modelObject);
                             }
@@ -175,7 +175,7 @@ public class AnyTypesPanel extends TypesDirectoryPanel<AnyTypeTO, AnyTypesPanel.
             public void onClick(final AjaxRequestTarget target, final AnyTypeTO ignore) {
                 try {
                     restClient.delete(model.getObject().getKey());
-                    SyncopeConsoleSession.get().refreshAuth();
+                    SyncopeConsoleSession.get().refreshAuth(null);
 
                     SyncopeConsoleSession.get().info(getString(Constants.OPERATION_SUCCEEDED));
                     target.add(container);

http://git-wip-us.apache.org/repos/asf/syncope/blob/01e32d2d/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserSession.java
----------------------------------------------------------------------
diff --git a/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserSession.java
b/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserSession.java
index 9f8fe09..3b48522 100644
--- a/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserSession.java
+++ b/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserSession.java
@@ -19,12 +19,10 @@
 package org.apache.syncope.client.enduser;
 
 import java.util.List;
-import java.util.Map;
-import java.util.Set;
 import java.util.stream.Collectors;
+import javax.ws.rs.ForbiddenException;
 import javax.ws.rs.core.EntityTag;
 import javax.ws.rs.core.MediaType;
-import org.apache.commons.lang3.tuple.Pair;
 import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.syncope.client.lib.AnonymousAuthenticationHandler;
 import org.apache.syncope.client.lib.SyncopeClient;
@@ -33,6 +31,7 @@ import org.apache.syncope.common.lib.to.PlainSchemaTO;
 import org.apache.syncope.common.lib.to.UserTO;
 import org.apache.syncope.common.lib.types.AttrSchemaType;
 import org.apache.syncope.common.lib.types.SchemaType;
+import org.apache.syncope.common.lib.types.StandardEntitlement;
 import org.apache.syncope.common.rest.api.beans.SchemaQuery;
 import org.apache.syncope.common.rest.api.service.SchemaService;
 import org.apache.syncope.common.rest.api.service.SyncopeService;
@@ -87,9 +86,16 @@ public class SyncopeEnduserSession extends WebSession {
                 filter(object -> object.getType() != AttrSchemaType.Date).collect(Collectors.toSet()));
     }
 
-    private void afterAuthentication() {
-        Pair<Map<String, Set<String>>, UserTO> self = client.self();
-        selfTO = self.getRight();
+    private void afterAuthentication(final String username) {
+        try {
+            selfTO = client.self().getRight();
+        } catch (ForbiddenException e) {
+            LOG.warn("Could not read self(), probably in a {} scenario", StandardEntitlement.MUST_CHANGE_PASSWORD,
e);
+
+            selfTO = new UserTO();
+            selfTO.setUsername(username);
+            selfTO.setMustChangePassword(true);
+        }
 
         // bind explicitly this session to have a stateful behavior during http requests,
unless session will
         // expire for every request
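Review bot: The fallback `UserTO` built in the catch branch is given `username` verbatim, and the JWT login path calls `afterAuthentication(null)`, so an enduser session authenticated via JWT while the flag is set ends up with a `selfTO` whose username is null; any view or request that reads `selfTO.getUsername()` would presumably see that null, so it is worth either deriving the username from the client/JWT in that path or documenting the limitation in a comment on the method. As in the console session, `LOG.warn(..., e)` prints a stack trace for a condition the code treats as normal; logging without the throwable would keep the logs readable. afterAuthentication's body continues past the hunk.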
@@ -104,7 +110,7 @@ public class SyncopeEnduserSession extends WebSession {
                     setDomain(SyncopeEnduserApplication.get().getDomain()).
                     create(username, password);
 
-            afterAuthentication();
+            afterAuthentication(username);
 
             authenticated = true;
         } catch (Exception e) {
@@ -121,7 +127,7 @@ public class SyncopeEnduserSession extends WebSession {
             client = SyncopeEnduserApplication.get().getClientFactory().
                     setDomain(SyncopeEnduserApplication.get().getDomain()).create(jwt);
 
-            afterAuthentication();
+            afterAuthentication(null);
 
             authenticated = true;
         } catch (Exception e) {
@@ -190,5 +196,4 @@ public class SyncopeEnduserSession extends WebSession {
     public void setXsrfTokenGenerated(final boolean xsrfTokenGenerated) {
         this.xsrfTokenGenerated = xsrfTokenGenerated;
     }
-
 }

http://git-wip-us.apache.org/repos/asf/syncope/blob/01e32d2d/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/UserSelfChangePassword.java
----------------------------------------------------------------------
diff --git a/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/UserSelfChangePassword.java
b/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/UserSelfChangePassword.java
index 2d476e8..e18cd28 100644
--- a/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/UserSelfChangePassword.java
+++ b/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/UserSelfChangePassword.java
@@ -18,7 +18,6 @@
  */
 package org.apache.syncope.client.enduser.resources;
 
-import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
@@ -56,16 +55,7 @@ public class UserSelfChangePassword extends BaseResource {
                     mustChangePassword(parameters.get("newPassword")[0]);
 
             response.setTextEncoding(StandardCharsets.UTF_8.name());
-
-            response.setWriteCallback(new WriteCallback() {
-
-                @Override
-                public void writeData(final Attributes attributes) throws IOException {
-                    attributes.getResponse().write("Password changed correctly");
-                }
-            });
-
-            response.setStatusCode(Response.Status.OK.getStatusCode());
+            response.setStatusCode(Response.Status.NO_CONTENT.getStatusCode());
         } catch (final Exception e) {
             LOG.error("Error while updating user", e);
             response.setError(Response.Status.BAD_REQUEST.getStatusCode(), new StringBuilder()
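Review bot: With the write callback removed and the status changed to 204, the preceding `response.setTextEncoding(StandardCharsets.UTF_8.name());` configures the encoding of a body that is never written; it can go too, together with the now-unused `StandardCharsets` import if nothing else in the file uses it. The enclosing method starts outside the hunk, so I cannot confirm from here whether other branches still emit a body.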

http://git-wip-us.apache.org/repos/asf/syncope/blob/01e32d2d/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/UserSelfReadResource.java
----------------------------------------------------------------------
diff --git a/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/UserSelfReadResource.java
b/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/UserSelfReadResource.java
index 3e8e2ce..c58be85 100644
--- a/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/UserSelfReadResource.java
+++ b/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/UserSelfReadResource.java
@@ -149,5 +149,4 @@ public class UserSelfReadResource extends BaseUserSelfResource {
             attrs.clear();
         }
     }
-
 }

http://git-wip-us.apache.org/repos/asf/syncope/blob/01e32d2d/client/enduser/src/main/resources/META-INF/resources/app/js/controllers/UserController.js
----------------------------------------------------------------------
diff --git a/client/enduser/src/main/resources/META-INF/resources/app/js/controllers/UserController.js
b/client/enduser/src/main/resources/META-INF/resources/app/js/controllers/UserController.js
index 7718db7..f919b08 100644
--- a/client/enduser/src/main/resources/META-INF/resources/app/js/controllers/UserController.js
+++ b/client/enduser/src/main/resources/META-INF/resources/app/js/controllers/UserController.js
@@ -341,7 +341,6 @@ angular.module("self").controller("UserController", ['$scope', '$rootScope',
'$l
           $scope.user = UserUtil.getUnwrappedUser(response);
           $scope.user.password = undefined;
 
-
           $scope.initialSecurityQuestion = $scope.user.securityQuestion;
           // initialize already assigned resources
           $scope.dynamicForm.selectedResources = $scope.user.resources;
@@ -520,7 +519,7 @@ angular.module("self").controller("UserController", ['$scope', '$rootScope',
'$l
                     + $filter('translate')(["SUCCESSFULLY_UPDATED"]).SUCCESSFULLY_UPDATED
           });
         }, function (response) {
-          console.info("Error during user update: ", response);
+          console.error("Error during user update: ", response);
           var errorMessage;
           // parse error response 
           if (response !== undefined) {
@@ -614,8 +613,11 @@ angular.module("self").controller("UserController", ['$scope', '$rootScope',
'$l
         //check if password and confirmPassword are equals using angular built-in validation
         if (ValidationExecutor.validate(currentForm, $scope)) {
           if (user && user.password) {
-            UserSelfService.changePassword({"newPassword": user.password}).then(function
(data) {
-              $scope.logout(data);
+            UserSelfService.changePassword({"newPassword": user.password}).then(function
(response) {
+              console.debug("User " + user.username + " password successfully CHANGED");
+              $scope.logout({
+                successMessage: $filter('translate')(["PASSWORD_UPDATED"]).PASSWORD_UPDATED
+              });
             }, function (response) {
               var errorMessage;
               // parse error response 
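Review bot: The success handler now resolves the logout message with `$filter('translate')(["PASSWORD_UPDATED"]).PASSWORD_UPDATED`, but no translation bundle is part of this commit's diffstat; if the `PASSWORD_UPDATED` key does not already exist, the user will see the raw key after a successful change — worth verifying against the i18n resources. The renamed callback parameter `response` is no longer read inside the handler, so `function () {` would make that explicit.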

http://git-wip-us.apache.org/repos/asf/syncope/blob/01e32d2d/client/enduser/src/main/resources/META-INF/resources/app/js/services/userSelfService.js
----------------------------------------------------------------------
diff --git a/client/enduser/src/main/resources/META-INF/resources/app/js/services/userSelfService.js
b/client/enduser/src/main/resources/META-INF/resources/app/js/services/userSelfService.js
index 2920814..b7e05d3 100644
--- a/client/enduser/src/main/resources/META-INF/resources/app/js/services/userSelfService.js
+++ b/client/enduser/src/main/resources/META-INF/resources/app/js/services/userSelfService.js
@@ -115,8 +115,9 @@ angular.module('login')
                                 }
                               })
                       .then(function (response) {
-                        return response.data || response.statusText;
+                        return response;
                       }, function (response) {
+                        console.error("Something went wrong during passwod change, exit with
status: ", response);
                         return $q.reject(response.data || response.statusText);
                       });
             };
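Review bot: The new error log has a typo in a user-visible string; I would change it to `console.error("Something went wrong during password change, exit with status: ", response);`. The success branch now returns the whole `response` instead of `response.data || response.statusText`, which is a contract change for every caller of `changePassword`; the controller in this commit was adapted, but a one-line comment above the `.then` noting that callers receive the raw `$http` response would help anyone else using the service.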

http://git-wip-us.apache.org/repos/asf/syncope/blob/01e32d2d/core/logic/src/main/java/org/apache/syncope/core/logic/UserLogic.java
----------------------------------------------------------------------
diff --git a/core/logic/src/main/java/org/apache/syncope/core/logic/UserLogic.java b/core/logic/src/main/java/org/apache/syncope/core/logic/UserLogic.java
index dace468..56a01b4 100644
--- a/core/logic/src/main/java/org/apache/syncope/core/logic/UserLogic.java
+++ b/core/logic/src/main/java/org/apache/syncope/core/logic/UserLogic.java
@@ -85,7 +85,7 @@ public class UserLogic extends AbstractAnyLogic<UserTO, UserPatch>
{
     @Autowired
     protected SyncopeLogic syncopeLogic;
 
-    @PreAuthorize("isAuthenticated()")
+    @PreAuthorize("isAuthenticated() and not(hasRole('" + StandardEntitlement.MUST_CHANGE_PASSWORD
+ "'))")
     @Transactional(readOnly = true)
     public Pair<String, UserTO> selfRead() {
         return Pair.of(
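Review bot: The SpEL fragment `not(hasRole('" + StandardEntitlement.MUST_CHANGE_PASSWORD + "'))` is now spelled out four times in this file — here and in the hunks for `selfUpdate`, `selfStatus` and `selfDelete` — which invites drift when the rule changes again. Since `StandardEntitlement.MUST_CHANGE_PASSWORD` is already used in annotations it is a compile-time constant, so a `private static final String` such as `"and not(hasRole('" + StandardEntitlement.MUST_CHANGE_PASSWORD + "'))"` can be concatenated inside each `@PreAuthorize` and keeps the four expressions in sync.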
@@ -164,7 +164,9 @@ public class UserLogic extends AbstractAnyLogic<UserTO, UserPatch>
{
                 binder.returnUserTO(binder.getUserTO(created.getKey())), created.getRight(),
before.getRight());
     }
 
-    @PreAuthorize("isAuthenticated() and not(hasRole('" + StandardEntitlement.ANONYMOUS +
"'))")
+    @PreAuthorize("isAuthenticated() "
+            + "and not(hasRole('" + StandardEntitlement.ANONYMOUS + "')) "
+            + "and not(hasRole('" + StandardEntitlement.MUST_CHANGE_PASSWORD + "'))")
     public ProvisioningResult<UserTO> selfUpdate(final UserPatch userPatch, final boolean
nullPriorityAsync) {
         UserTO userTO = binder.getAuthenticatedUserTO();
         userPatch.setKey(userTO.getKey());
@@ -264,7 +266,7 @@ public class UserLogic extends AbstractAnyLogic<UserTO, UserPatch>
{
                 Collections.<String>emptySet());
     }
 
-    @PreAuthorize("isAuthenticated()")
+    @PreAuthorize("isAuthenticated() and not(hasRole('" + StandardEntitlement.MUST_CHANGE_PASSWORD
+ "'))")
     public ProvisioningResult<UserTO> selfStatus(final StatusPatch statusPatch, final
boolean nullPriorityAsync) {
         statusPatch.setKey(userDAO.findKey(AuthContextUtils.getUsername()));
         Pair<String, List<PropagationStatus>> updated = setStatusOnWfAdapter(statusPatch,
nullPriorityAsync);
@@ -316,7 +318,9 @@ public class UserLogic extends AbstractAnyLogic<UserTO, UserPatch>
{
         provisioningManager.confirmPasswordReset(user.getKey(), token, password);
     }
 
-    @PreAuthorize("isAuthenticated() and not(hasRole('" + StandardEntitlement.ANONYMOUS +
"'))")
+    @PreAuthorize("isAuthenticated() "
+            + "and not(hasRole('" + StandardEntitlement.ANONYMOUS + "')) "
+            + "and not(hasRole('" + StandardEntitlement.MUST_CHANGE_PASSWORD + "'))")
     public ProvisioningResult<UserTO> selfDelete(final boolean nullPriorityAsync) {
         UserTO userTO = binder.getAuthenticatedUserTO();
         return doDelete(userTO, true, nullPriorityAsync);

http://git-wip-us.apache.org/repos/asf/syncope/blob/01e32d2d/core/spring/src/main/java/org/apache/syncope/core/spring/security/MustChangePasswordFilter.java
----------------------------------------------------------------------
diff --git a/core/spring/src/main/java/org/apache/syncope/core/spring/security/MustChangePasswordFilter.java
b/core/spring/src/main/java/org/apache/syncope/core/spring/security/MustChangePasswordFilter.java
index c901c0b..15ea6a9 100644
--- a/core/spring/src/main/java/org/apache/syncope/core/spring/security/MustChangePasswordFilter.java
+++ b/core/spring/src/main/java/org/apache/syncope/core/spring/security/MustChangePasswordFilter.java
@@ -25,7 +25,6 @@ import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
-import org.apache.commons.lang3.ArrayUtils;
 import org.apache.syncope.common.lib.types.StandardEntitlement;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -33,10 +32,6 @@ import org.springframework.security.web.servletapi.SecurityContextHolderAwareReq
 
 public class MustChangePasswordFilter implements Filter {
 
-    private static final String[] ALLOWED = new String[] {
-        "/users/self", "/users/self/changePassword"
-    };
-
     @Override
     public void init(final FilterConfig filterConfig) throws ServletException {
         // not used
@@ -58,8 +53,8 @@ public class MustChangePasswordFilter implements Filter {
 
             SecurityContextHolderAwareRequestWrapper wrapper =
                     SecurityContextHolderAwareRequestWrapper.class.cast(request);
-            if (isMustChangePassword && "GET".equalsIgnoreCase(wrapper.getMethod())
-                    && !ArrayUtils.contains(ALLOWED, wrapper.getPathInfo())) {
+            if (isMustChangePassword && !"POST".equalsIgnoreCase(wrapper.getMethod())
+                    && !"/users/self/changePassword".equals(wrapper.getPathInfo()))
{
 
                 throw new AccessDeniedException("Please change your password first");
             }
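Review bot: The rewritten condition denies a request only when it is neither a POST nor addressed to `/users/self/changePassword`, so with the flag set any POST to any path — and any method on that one path — still passes this filter, which is not the "only POST to the change-password endpoint" rule the commit message describes. The intended check is the negated conjunction: `if (isMustChangePassword && !("POST".equalsIgnoreCase(wrapper.getMethod()) && "/users/self/changePassword".equals(wrapper.getPathInfo()))) {`. The `@PreAuthorize` additions in `UserLogic` only cover the four self endpoints, so they do not compensate for the filter letting other POST requests through. `doFilter` begins outside the hunk, so I cannot see how `isMustChangePassword` is derived.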
@@ -67,5 +62,4 @@ public class MustChangePasswordFilter implements Filter {
 
         chain.doFilter(request, response);
     }
-
 }

http://git-wip-us.apache.org/repos/asf/syncope/blob/01e32d2d/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java
----------------------------------------------------------------------
diff --git a/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java
b/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java
index 08715e1..279cd6f 100644
--- a/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java
+++ b/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java
@@ -87,7 +87,7 @@ public class SyncopeJWTSSOProvider implements JWTSSOProvider {
         Set<SyncopeGrantedAuthority> authorities = Collections.emptySet();
         if (user != null) {
             AccessToken accessToken = accessTokenDAO.find(jwtClaims.getTokenId());
-            if (accessToken.getAuthorities() != null) {
+            if (accessToken != null && accessToken.getAuthorities() != null) {
                 try {
                     authorities = POJOHelper.deserialize(
                             ENCRYPTOR.decode(new String(accessToken.getAuthorities()), CipherAlgorithm.AES),
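Review bot: The added null check means a JWT whose token id is not found by `accessTokenDAO.find(...)` now continues with `authorities` left as the empty set instead of failing; if a missing row means the token was revoked or never issued, silently proceeding with an authenticated but authority-less user may not be the intended outcome, and this is presumably only safe if code outside the hunk rejects such tokens. At minimum a log line in an `else` branch, e.g. `LOG.debug("No access token found for id {}", jwtClaims.getTokenId());`, would make the case observable. The enclosing method starts and ends outside the hunk. `new String(accessToken.getAuthorities())` also uses the platform charset; that is pre-existing, but `StandardCharsets.UTF_8` would make it deterministic.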

http://git-wip-us.apache.org/repos/asf/syncope/blob/01e32d2d/ext/saml2sp/client-console/src/main/java/org/apache/syncope/client/console/pages/SAML2SPLogin.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/client-console/src/main/java/org/apache/syncope/client/console/pages/SAML2SPLogin.java
b/ext/saml2sp/client-console/src/main/java/org/apache/syncope/client/console/pages/SAML2SPLogin.java
index 69f8294..d6b10c9 100644
--- a/ext/saml2sp/client-console/src/main/java/org/apache/syncope/client/console/pages/SAML2SPLogin.java
+++ b/ext/saml2sp/client-console/src/main/java/org/apache/syncope/client/console/pages/SAML2SPLogin.java
@@ -68,5 +68,4 @@ public class SAML2SPLogin extends WebPage {
         }
         strategy.remove();
     }
-
 }

http://git-wip-us.apache.org/repos/asf/syncope/blob/01e32d2d/fit/core-reference/src/test/java/org/apache/syncope/fit/core/UserSelfITCase.java
----------------------------------------------------------------------
diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/UserSelfITCase.java
b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/UserSelfITCase.java
index 63db20e..162cb88 100644
--- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/UserSelfITCase.java
+++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/UserSelfITCase.java
@@ -57,7 +57,7 @@ import org.apache.syncope.common.lib.types.ClientExceptionType;
 import org.apache.syncope.common.lib.types.PatchOperation;
 import org.apache.syncope.common.rest.api.beans.AnyQuery;
 import org.apache.syncope.common.rest.api.beans.UserRequestFormQuery;
-import org.apache.syncope.common.rest.api.service.ResourceService;
+import org.apache.syncope.common.rest.api.service.AccessTokenService;
 import org.apache.syncope.common.rest.api.service.UserRequestService;
 import org.apache.syncope.common.rest.api.service.UserSelfService;
 import org.apache.syncope.common.rest.api.service.UserService;
@@ -377,10 +377,10 @@ public class UserSelfITCase extends AbstractITCase {
 
         // 0. access as vivaldi -> succeed
         SyncopeClient vivaldiClient = clientFactory.create("vivaldi", "password321");
-        Pair<Map<String, Set<String>>, UserTO> self = vivaldiClient.self();
-        assertFalse(self.getRight().isMustChangePassword());
+        Response response = vivaldiClient.getService(AccessTokenService.class).refresh();
+        assertEquals(Response.Status.NO_CONTENT.getStatusCode(), response.getStatus());
 
-        // 1. update user vivaldi (3) requirig password update
+        // 1. update user vivaldi requiring password update
         userPatch = new UserPatch();
         userPatch.setKey("b3cbc78d-32e6-4bd4-92e0-bbe07566a2ee");
         userPatch.setMustChangePassword(new BooleanReplacePatchItem.Builder().value(true).build());
@@ -389,7 +389,7 @@ public class UserSelfITCase extends AbstractITCase {
 
         // 2. attempt to access -> fail
         try {
-            vivaldiClient.getService(ResourceService.class).list();
+            vivaldiClient.self();
             fail("This should not happen");
         } catch (ForbiddenException e) {
             assertNotNull(e);
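Review bot: Step 2 now only asserts that `vivaldiClient.self()` is forbidden, which exercises the `@PreAuthorize` rule on `selfRead` rather than the servlet filter; the replaced `ResourceService.list()` call was the only assertion covering a non-self endpoint while the flag is set, so a regression in `MustChangePasswordFilter` that lets other requests through would no longer be caught here. I would keep both checks, for instance re-adding the previous `vivaldiClient.getService(ResourceService.class).list();` in its own try/catch expecting `ForbiddenException`, and ideally also a non-GET request to an unrelated endpoint.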
@@ -400,7 +400,7 @@ public class UserSelfITCase extends AbstractITCase {
         vivaldiClient.getService(UserSelfService.class).mustChangePassword("password123");
 
         // 4. verify it worked
-        self = clientFactory.create("vivaldi", "password123").self();
+        Pair<Map<String, Set<String>>, UserTO> self = clientFactory.create("vivaldi",
"password123").self();
         assertFalse(self.getRight().isMustChangePassword());
     }
 

