Password reset procedure from enduser interface


Password reset procedure from enduser interface

Tech
Hello,

we faced something that could be a bug in version 2.0.1 and version 2.0.2.

We created a SecurityQuestion from the Admin interface and the user is
prompted to enter one during the creation of his account.

The SecurityQuestion is correctly stored into the DB.

We "forget" the password and we try to recover it using the interface,
but we cannot reset it.

This is happening both for existing and new users.

Could you please double-check?

Thanks,

Mária

Re: Password reset procedure from enduser interface

ilgrosso
Administrator
On 18/01/2017 11:38, Tech wrote:

> Hello,
>
> we faced something that could be a bug in version 2.0.1 and version 2.0.2.
>
> We created a SecurityQuestion from the Admin interface and the user is
> prompted to enter one during the creation of his account.
>
> The SecurityQuestion is correctly stored into the DB.
>
> We "forget" the password and we try to recover it using the interface,
> but we cannot reset it.
>
> This is happening both for existing and new users.
>
> Could you please double-check?

I assume you have already checked

https://syncope.apache.org/docs/reference-guide.html#password-reset

to understand how the password reset process is expected to work.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Password reset procedure from enduser interface

ilgrosso
Administrator
On 18/01/2017 11:59, Francesco Chicchiriccò wrote:

> On 18/01/2017 11:38, Tech wrote:
>> Hello,
>>
>> we faced something that could be a bug in version 2.0.1 and version
>> 2.0.2.
>>
>> We created a SecurityQuestion from the Admin interface and the user is
>> prompted to enter one during the creation of his account.
>>
>> The SecurityQuestion is correctly stored into the DB.
>>
>> We "forget" the password and we try to recover it using the interface,
>> but we cannot reset it.
>>
>> This is happening both for existing and new users.
>>
>> Could you please double-check?
>
> I assume you have already checked
>
> https://syncope.apache.org/docs/reference-guide.html#password-reset
>
> to understand how the password reset process is expected to work.

A fundamental part for the outlined procedure to be effective is to
have the notifications in place; see

https://syncope.apache.org/docs/reference-guide.html#e-mail-configuration

for details.

After the user has provided the correct answer to the security question via
the EndUser UI, a notification e-mail based on the 'requestPasswordReset'
template is sent; as you can see from the template, a URL for accessing
the EndUser UI (containing the unique token generated for such request)
is contained in the e-mail.

Once clicked there, the process can continue with input of the new
password value.

Finally, another notification e-mail based on the 'confirmPasswordReset'
template is sent out.

HTH
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
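The two-step flow Francesco describes (security answer checked, token mailed inside a URL, new password set by whoever presents the token, confirmation mailed) is modelled below as an added example. It is not Apache Syncope's code and does not reproduce its storage or API; the template names come from the thread, while the URL, the token lifetime, the salted-hash storage of answers and the outbox stand-in for the mail subsystem are assumptions made for the example.

```python
"""Token-based password reset gated by a security question.

Added example, not Apache Syncope's implementation. Template names
('requestPasswordReset', 'confirmPasswordReset') follow the thread; the
URL, token lifetime and storage layout below are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

TOKEN_TTL_SECONDS = 15 * 60                          # assumed token lifetime
ENDUSER_URL = "https://enduser.example.test/reset"   # placeholder, not a Syncope path


def _kdf(secret: str, salt: bytes) -> bytes:
    """Salted slow hash: neither passwords nor answers are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


def normalise_answer(answer: str) -> str:
    """Collapse whitespace and lower-case so 'Rome' and ' rome ' both verify."""
    return " ".join(answer.split()).lower()


@dataclass
class User:
    username: str
    email: str
    pw_salt: bytes
    password_hash: bytes
    answer_salt: bytes
    answer_hash: bytes
    reset_token: Optional[str] = None
    token_expires_at: float = 0.0


class PasswordResetService:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        # Constructed stand-in for the notification subsystem: one dict per mail.
        self.outbox: List[dict] = []

    def register(self, username: str, email: str, password: str, answer: str) -> None:
        pw_salt, ans_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self.users[username] = User(
            username, email,
            pw_salt, _kdf(password, pw_salt),
            ans_salt, _kdf(normalise_answer(answer), ans_salt),
        )

    def verify_password(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(
            _kdf(password, user.pw_salt), user.password_hash)

    def request_reset(self, username: str, answer: str,
                      now: Optional[float] = None) -> bool:
        """Step 1: check the security answer, then mail a single-use token."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return False  # same outcome as a wrong answer: no account enumeration
        given = _kdf(normalise_answer(answer), user.answer_salt)
        if not hmac.compare_digest(given, user.answer_hash):
            return False
        user.reset_token = secrets.token_urlsafe(32)
        user.token_expires_at = now + TOKEN_TTL_SECONDS
        self.outbox.append({
            "to": user.email,
            "template": "requestPasswordReset",
            "url": f"{ENDUSER_URL}?token={user.reset_token}",
        })
        return True

    def confirm_reset(self, token: str, new_password: str,
                      now: Optional[float] = None) -> bool:
        """Step 2: the mailed link is followed; consume the token, set the password."""
        now = time.time() if now is None else now
        for user in self.users.values():
            if user.reset_token is None:
                continue
            if not hmac.compare_digest(user.reset_token.encode(), token.encode()):
                continue
            user.reset_token = None          # single use, valid or not
            if now > user.token_expires_at:
                return False                 # expired: ask the user to start over
            user.password_hash = _kdf(new_password, user.pw_salt)
            self.outbox.append({"to": user.email, "template": "confirmPasswordReset"})
            return True
        return False
```

The points worth copying into a real deployment are the ones the thread's failure touches: the answer is normalised and hashed the same way on enrolment and on verification, comparisons are constant-time, an unknown user and a wrong answer are indistinguishable to the caller, and the token is random, time-limited and invalidated on first use so a leaked reset link cannot be replayed.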


Re: Password reset procedure from enduser interface

ilgrosso
Administrator
On 18/01/2017 14:13, Francesco Chicchiriccò wrote:

> On 18/01/2017 11:59, Francesco Chicchiriccò wrote:
>> On 18/01/2017 11:38, Tech wrote:
>>> Hello,
>>>
>>> we faced something that could be a bug in version 2.0.1 and version
>>> 2.0.2.
>>>
>>> We created a SecurityQuestion from the Admin interface and the user is
>>> prompted to enter one during the creation of his account.
>>>
>>> The SecurityQuestion is correctly stored into the DB.
>>>
>>> We "forget" the password and we try to recover it using the interface,
>>> but we cannot reset it.
>>>
>>> This is happening both for existing and new users.
>>>
>>> Could you please double-check?
>>
>> I assume you have already checked
>>
>> https://syncope.apache.org/docs/reference-guide.html#password-reset
>>
>> to understand how the password reset process is expected to work.
>
> A fundamental part for the outlined procedure to be effective, is to
> have the notifications in place; see
>
> https://syncope.apache.org/docs/reference-guide.html#e-mail-configuration
>
> for details.
>
> After that user has provided the correct answer to security question
> via EndUser UI, a notification e-mail based on the
> 'requestPasswordReset' template is sent; as you can see from the
> template, an URL for accessing the EndUser UI (containing the unique
> token generated for such request) is contained in the e-mail.
>
> Once clicked there, the process can continue with input of the new
> password value.
>
> Finally, another notification e-mail based on the
> 'confirmPasswordReset' template is sent out.

FYI I have updated the password reset information with the further
comments above; see

https://ci.apache.org/projects/syncope/reference-guide.html#password-reset

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Password reset procedure from enduser interface

Tech
Hello Francesco,

Thanks for your update, we created the notification in the parameters and the template, but we get stuck before the point you were describing:

We went through the procedure, the user creates his own account, with an email and a password.

For simplicity, we created only one security question.

Once he forgets the password, he comes back to the EndUser interface and he requests to insert the challenge answer.

Even if the challenge answer is correct (and I can check that it's correctly stored into the database), we receive an error saying:


18:44:20.883 ERROR org.apache.syncope.client.enduser.resources.UserSelfPasswordReset - Error while updating user
java.lang.Exception: A correct security answer should be provided
        at org.apache.syncope.client.enduser.resources.UserSelfPasswordReset.newResourceResponse(UserSelfPasswordReset.java:76) ~[syncope-client-enduser-2.0.2.jar:2.0.2]
        at org.apache.wicket.request.resource.AbstractResource.respond(AbstractResource.java:629) ~[wicket-core-7.6.0.jar:7.6.0]
        at org.apache.wicket.request.handler.resource.ResourceRequestHandler.respond(ResourceRequestHandler.java:105) ~[wicket-core-7.6.0.jar:7.6.0]
        at org.apache.wicket.request.handler.resource.ResourceReferenceRequestHandler.respond(ResourceReferenceRequestHandler.java:108) ~[wicket-core-7.6.0.jar:7.6.0]
        at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:895) ~[wicket-core-7.6.0.jar:7.6.0]
        at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64) ~[wicket-request-7.6.0.jar:7.6.0]
        at org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:265) ~[wicket-core-7.6.0.jar:7.6.0]
        at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:222) ~[wicket-core-7.6.0.jar:7.6.0]
        at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:293) ~[wicket-core-7.6.0.jar:7.6.0]
        at org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:261) ~[wicket-core-7.6.0.jar:7.6.0]
        at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203) ~[wicket-core-7.6.0.jar:7.6.0]
        at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284) ~[wicket-core-7.6.0.jar:7.6.0]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) ~[catalina.jar:8.0.39]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) ~[catalina.jar:8.0.39]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) ~[catalina.jar:8.0.39]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) ~[catalina.jar:8.0.39]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) ~[catalina.jar:8.0.39]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) ~[catalina.jar:8.0.39]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) ~[catalina.jar:8.0.39]
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616) ~[catalina.jar:8.0.39]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) ~[catalina.jar:8.0.39]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:509) ~[catalina.jar:8.0.39]
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1104) ~[tomcat-coyote.jar:8.0.39]
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684) ~[tomcat-coyote.jar:8.0.39]
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520) ~[tomcat-coyote.jar:8.0.39]
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476) ~[tomcat-coyote.jar:8.0.39]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_111]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_111]
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:8.0.39]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_111]



But we know that the challenge answer is correct and all in lowercase, like in the database; I can't understand why it doesn't find the correct value.

Thanks,

Mária

On 19/01/2017 11:22, Francesco Chicchiriccò wrote:
> On 18/01/2017 14:13, Francesco Chicchiriccò wrote:
>> On 18/01/2017 11:59, Francesco Chicchiriccò wrote:
>>> On 18/01/2017 11:38, Tech wrote:
>>>> Hello,
>>>>
>>>> we faced something that could be a bug in version 2.0.1 and version 2.0.2.
>>>>
>>>> We created a SecurityQuestion from the Admin interface and the user is
>>>> prompted to enter one during the creation of his account.
>>>>
>>>> The SecurityQuestion is correctly stored into the DB.
>>>>
>>>> We "forget" the password and we try to recover it using the interface,
>>>> but we cannot reset it.
>>>>
>>>> This is happening both for existing and new users.
>>>>
>>>> Could you please double-check?
>>>
>>> I assume you have already checked
>>>
>>> https://syncope.apache.org/docs/reference-guide.html#password-reset
>>>
>>> to understand how the password reset process is expected to work.
>>
>> A fundamental part for the outlined procedure to be effective is to have the notifications in place; see
>>
>> https://syncope.apache.org/docs/reference-guide.html#e-mail-configuration
>>
>> for details.
>>
>> After the user has provided the correct answer to the security question via the EndUser UI, a notification e-mail based on the 'requestPasswordReset' template is sent; as you can see from the template, a URL for accessing the EndUser UI (containing the unique token generated for such request) is contained in the e-mail.
>>
>> Once clicked there, the process can continue with input of the new password value.
>>
>> Finally, another notification e-mail based on the 'confirmPasswordReset' template is sent out.
>
> FYI I have updated the password reset information with the further comments above; see
>
> https://ci.apache.org/projects/syncope/reference-guide.html#password-reset
>
> Regards.



Re: Password reset procedure from enduser interface

ilgrosso
Administrator
On 13/02/2017 18:59, Tech wrote:
> Hello Francesco,
>
> Thanks for your update, we created the notification in the parameters and the template, but we get stuck before the point you were describing:
>
> We went through the procedure, the user creates his own account, with an email and a password.
>
> For simplicity, we created only one security question.
>
> Once he forgets the password, he comes back to the EndUser interface and he requests to insert the challenge answer.
>
> Even if the challenge answer is correct (and I can check that it's correctly stored into the database), we receive an error saying:
>
> 18:44:20.883 ERROR org.apache.syncope.client.enduser.resources.UserSelfPasswordReset - Error while updating user
> java.lang.Exception: A correct security answer should be provided
>         at org.apache.syncope.client.enduser.resources.UserSelfPasswordReset.newResourceResponse(UserSelfPasswordReset.java:76) ~[syncope-client-enduser-2.0.2.jar:2.0.2]
> [...]
>
> But we know that the challenge answer is correct and all in lowercase, like in the database; I can't understand why it doesn't find the correct value.

Yes, there are a couple of bugs, already fixed with 2.0.3-SNAPSHOT:

https://issues.apache.org/jira/browse/SYNCOPE-1012
https://issues.apache.org/jira/browse/SYNCOPE-1013

I think you'd better move to 2.0.3-SNAPSHOT for your tests.
Regards.

On 19/01/2017 11:22, Francesco Chicchiriccò wrote:
> On 18/01/2017 14:13, Francesco Chicchiriccò wrote:
>> On 18/01/2017 11:59, Francesco Chicchiriccò wrote:
>>> On 18/01/2017 11:38, Tech wrote:
>>>> Hello,
>>>>
>>>> we faced something that could be a bug in version 2.0.1 and version 2.0.2.
>>>>
>>>> We created a SecurityQuestion from the Admin interface and the user is
>>>> prompted to enter one during the creation of his account.
>>>>
>>>> The SecurityQuestion is correctly stored into the DB.
>>>>
>>>> We "forget" the password and we try to recover it using the interface,
>>>> but we cannot reset it.
>>>>
>>>> This is happening both for existing and new users.
>>>>
>>>> Could you please double-check?
>>>
>>> I assume you have already checked
>>>
>>> https://syncope.apache.org/docs/reference-guide.html#password-reset
>>>
>>> to understand how the password reset process is expected to work.
>>
>> A fundamental part for the outlined procedure to be effective is to have the notifications in place; see
>>
>> https://syncope.apache.org/docs/reference-guide.html#e-mail-configuration
>>
>> for details.
>>
>> After the user has provided the correct answer to the security question via the EndUser UI, a notification e-mail based on the 'requestPasswordReset' template is sent; as you can see from the template, a URL for accessing the EndUser UI (containing the unique token generated for such request) is contained in the e-mail.
>>
>> Once clicked there, the process can continue with input of the new password value.
>>
>> Finally, another notification e-mail based on the 'confirmPasswordReset' template is sent out.
>
> FYI I have updated the password reset information with the further comments above; see
>
> https://ci.apache.org/projects/syncope/reference-guide.html#password-reset
>
> Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/