syncope-dev mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SYNCOPE-939) Password history not checked when user changes password
Date Tue, 13 Sep 2016 11:33:20 GMT

    [ https://issues.apache.org/jira/browse/SYNCOPE-939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15486981#comment-15486981 ]

Colm O hEigeartaigh commented on SYNCOPE-939:
---------------------------------------------

This bug is also present when resetting the password via the REST API: the following reset
works even though it should fail, as "password1" is in the password history of the user:

    // Imports assume the Syncope 1.2.x client and common packages (the affected version).
    import org.apache.syncope.client.SyncopeClient;
    import org.apache.syncope.client.SyncopeClientFactoryBean;
    import org.apache.syncope.common.services.UserSelfService;
    import org.apache.syncope.common.services.UserService;
    import org.apache.syncope.common.to.UserTO;

    public class PasswordResetHistoryRepro {
        public static void main(String[] args) {
            String address = "http://localhost:9080/syncope/rest/";
            SyncopeClientFactoryBean clientFactory = new SyncopeClientFactoryBean().setAddress(address);

            // alice's current password is "password2"; "password1" is in her history
            SyncopeClient authClient = clientFactory.create("alice", "password2");
            UserTO read = authClient.getService(UserSelfService.class).read();

            // anonymous self-service call: request a password reset for alice
            SyncopeClient anonClient = clientFactory.createAnonymous();
            UserSelfService userSelfService = anonClient.getService(UserSelfService.class);
            userSelfService.requestPasswordReset("alice", "xyz");

            // read the reset token as admin (normally delivered to the user out of band)
            SyncopeClient adminClient = clientFactory.create("admin", "password");
            UserService userService = adminClient.getService(UserService.class);
            String token = userService.read(read.getId()).getToken();

            // confirming the reset with a password from the history should be rejected, but succeeds
            anonClient.getService(UserSelfService.class).confirmPasswordReset(token, "password1");
        }
    }

> Password history not checked when user changes password
> -------------------------------------------------------
>
>                 Key: SYNCOPE-939
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-939
>             Project: Syncope
>          Issue Type: Bug
>    Affects Versions: 1.2.8
>            Reporter: Colm O hEigeartaigh
>             Fix For: 1.2.9
>
>
> When a user changes his/her password via the Console, the password history does not appear
> to be checked. It is only checked when the admin user changes the password. This bug does
> not appear to be present in the enduser application of Syncope 2.0.0.
> Steps to reproduce (Syncope 1.2.8):
> 1) Log onto the console as "admin".
> 2) Change the global password policy to have a history of "10".
> 3) Now create a new user "alice" with password "password1" and save.
> 4) Edit "alice" (again as "admin") and change the password to "password2" and save.
> 5) Edit "alice" (again as "admin") and try to change the password back to "password1"
> -> this should fail.
> 6) Logout and log back in as "alice"/"password2".
> 7) Click on "alice" and change the password back to "password1".
> 8) It displays no error message and "alice" can log back in with "password1" after logging
> out.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
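The control that the report above shows being skipped on the self-service and reset paths, as an added example that is not part of this comment or of Syncope's own code: a hypothetical PasswordHistoryCheck that keeps the last N password hashes (salted SHA-256 here is a simplified stand-in for the deployment's configured password cipher) and is meant to be the single gate that the admin change, the self-service change and the reset confirmation all pass through.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayDeque;
import java.util.Base64;
import java.util.Deque;

/** Hypothetical helper, not Syncope code: one history gate shared by every password-change path. */
public final class PasswordHistoryCheck {
    private final int historyLength;                          // 10 in the policy from the issue
    private final Deque<String> history = new ArrayDeque<>(); // "salt:hash" entries, newest first
    public PasswordHistoryCheck(int historyLength) {
        this.historyLength = historyLength;
    }
    /** Admin change, self-service change and reset confirmation must all go through here. */
    public synchronized boolean changePassword(String newPassword) {
        for (String entry : history) {
            String[] parts = entry.split(":", 2);             // base64 never contains ':'
            if (hash(parts[0], newPassword).equals(parts[1])) {
                return false;                                  // reused within the last historyLength
            }
        }
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        String saltB64 = Base64.getEncoder().encodeToString(salt);
        history.addFirst(saltB64 + ":" + hash(saltB64, newPassword));
        while (history.size() > historyLength) {
            history.removeLast();                              // drop the oldest entry
        }
        return true;
    }
    // Salted SHA-256 stands in for the deployment's configured password cipher.
    private static String hash(String saltB64, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(Base64.getDecoder().decode(saltB64));
            return Base64.getEncoder().encodeToString(md.digest(password.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
    public static void main(String[] args) {
        PasswordHistoryCheck policy = new PasswordHistoryCheck(10);
        policy.changePassword("password1");                    // initial password set by admin
        policy.changePassword("password2");                    // admin change; "password1" is now history
        System.out.println("reset to password1 accepted? " + policy.changePassword("password1"));
    }
}
```

Routing the reset confirmation through the same method as the admin change is what closes the gap the comment demonstrates; the third call is the one the reset path must reject.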
