Users Can't Save Answers to Security Questions


Terrance A. Crow
I’m having an issue with both Syncope 2.0.1 and Syncope 2.0.2 where the end-users can’t save their answers to security questions.

Steps to recreate:

1. Using syncope-console as admin, create a security question.
2. Log in to syncope-enduser as a normal (non-admin) user. Select the new security question, specify an answer, click on Finish, click on Save, and enter the correct captcha information.
3. Log back on using the same ID to syncope-enduser and observe that the answer to the security question is blank.
4. Log into syncope-console as admin, add the security answer to the USER Search screen, and observe a blank answer for the user in question.

The ID’s the result of a self-registration.

Syncope’s running on CentOS 7 (patched to current) under Oracle Java JDK 1.8.0_121. The Tomcat version is 8.0.41.

I found a similar condition in Jira (SYNCOPE-942), but it’s not an exact match and that issue’s closed.

Am I missing something obvious?

Thanks in advance for any help!

Re: Users Can't Save Answers to Security Questions

ilgrosso
Administrator
Hi,
welcome to Syncope.

You'll find my comments embedded below.
Regards.

On 03/03/2017 01:20, Terrance A. Crow wrote:
> I’m having an issue with both Syncope 2.0.1 and Syncope 2.0.2 where the end-users can’t save their answers to security questions.
>
> Steps to recreate:
>
> 1. Using syncope-console as admin, create a security question.
> 2. Log in to syncope-enduser as a normal (non-admin) user. Select the new security question, specify an answer, click on Finish, click on Save, and enter the correct captcha information.
> 3. Log back on using the same ID to syncope-enduser and observe that the answer to the security question is blank.
> 4. Log into syncope-console as admin, add the security answer to the USER Search screen, and observe a blank answer for the user in question.

Once set, the security answer is *never* reported, neither in Admin
Console nor in Enduser UI, to avoid potential security issues.
I have just added a note to the SNAPSHOT reference guide [1]: this
version will replace [2] once the next release (2.0.3) is out.
Thanks for reporting!

The password reset process, however, is not working properly until the
latest fixes already available in 2.0.3-SNAPSHOT, which will be publicly
available (along with others) with Syncope 2.0.3.

> The ID’s the result of a self-registration.
>
> Syncope’s running on CentOS 7 (patched to current) under Oracle Java JDK 1.8.0_121. The Tomcat version is 8.0.41.
>
> I found a similar condition in Jira (SYNCOPE-942), but it’s not an exact match and that issue’s closed.
>
> Am I missing something obvious?

[1] https://ci.apache.org/projects/syncope/reference-guide.html#password-reset-no-security-answer
[2] https://syncope.apache.org/docs/reference-guide.html#password-reset

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Users Can't Save Answers to Security Questions

Terrance A. Crow
Thank you! I really appreciate the quick and thorough answer!

I’ll focus on other areas until 2.0.3 comes out. It’s a relief knowing a fix is on the way!

Thanks again.

