Task #1285
Available transformation for password
Status: Closed (100% done)
Description
Please enable the use of transformations for the PASSWORD attribute.
We have use cases when we need to encrypt a password with a cipher that is not available in the connector, or the connector does not support encryption at all.
This is a valid request, but because transformations are not accessible for password, we have to use a projspec processor and configuration, which is not a nice solution for this requirement.
Since an admin who can work with the systems agenda in IdM can get passwords by editing connection options, making transformations available is not a major safety issue.
Consulted with Zdeněk.
Files
Related issues
Updated by Radek Tomiška over 5 years ago
- Is duplicate of Task #706: Call the transform script to resource for PASSWORD attribute added
Updated by Radek Tomiška over 5 years ago
- Target version deleted (Morganite (9.2.0))
Updated by Ondřej Kopr over 5 years ago
- Status changed from New to In Progress
- Assignee changed from Zdeněk Burda to Ondřej Kopr
- Target version set to Onyx (9.3.0)
Updated by Ondřej Kopr over 5 years ago
Newly generated passwords and password changes will be transformed via the transformation script for PASSWORD.
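As an added illustration of the use case from the description (a cipher or hash the connector itself does not offer), here is a Groovy "transformation to resource" script for a mapped attribute marked as password. It is example code written for this page, not code from this ticket or from CzechIdM. It assumes that the script receives the value in the bound variable `attributeValue` as a ConnId `GuardedString` (or null) and that whatever the script returns is what gets provisioned; check both against your CzechIdM version. The hash scheme is `{SSHA}` (salted SHA-1, the scheme OpenLDAP verifies without extra modules), chosen only because the log in this ticket shows an LDAP connector.

```groovy
// Added example (not from this ticket or from CzechIdM itself): Groovy
// "transformation to resource" script for a mapped attribute marked as password.
// Assumptions, to be checked against your CzechIdM version:
//   - the password arrives in the bound variable `attributeValue` as a
//     org.identityconnectors.common.security.GuardedString (or null);
//   - the script's return value is what is provisioned; it is returned as a
//     GuardedString again so the connector never handles the hash as a plain String.
import org.identityconnectors.common.security.GuardedString
import java.nio.ByteBuffer
import java.nio.CharBuffer
import java.nio.charset.StandardCharsets
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Arrays

if (attributeValue == null) {
    return null
}

// {SSHA} = base64( SHA-1(password || salt) || salt ). It is SHA-1 based; prefer
// {SSHA512} or {CRYPT} with sha512 when the target directory supports them.
byte[] salt = new byte[8]
new SecureRandom().nextBytes(salt)

String hashed = null
// Unwrap the GuardedString only inside the accessor and keep the cleartext in
// char[]/byte[] so it can be zeroed; a String would live on the heap until GC.
attributeValue.access({ char[] clear ->
    ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(clear))
    byte[] pwd = new byte[encoded.remaining()]
    encoded.get(pwd)
    try {
        MessageDigest sha1 = MessageDigest.getInstance('SHA-1')
        sha1.update(pwd)
        sha1.update(salt)
        byte[] digest = sha1.digest()
        byte[] out = new byte[digest.length + salt.length]
        System.arraycopy(digest, 0, out, 0, digest.length)
        System.arraycopy(salt, 0, out, digest.length, salt.length)
        hashed = '{SSHA}' + out.encodeBase64().toString()
    } finally {
        Arrays.fill(pwd, (byte) 0)
        if (encoded.hasArray()) {
            Arrays.fill(encoded.array(), (byte) 0)
        }
    }
} as GuardedString.Accessor)

return new GuardedString(hashed.toCharArray())
```

Two practical consequences of such a script: the target system can no longer enforce its own password policy on the cleartext, so the IdM policy on the mapped system is the only one applied, and anyone who can edit this script can see or divert the cleartext, which is the point the ticket description makes about who already has access to connection options.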
Updated by Ondřej Kopr over 5 years ago
- Status changed from In Progress to Closed
Updated by Ondřej Kopr over 5 years ago
- Status changed from Closed to In Progress
Updated by Ondřej Kopr over 5 years ago
A new configuration property must be created: Is password (checkbox). This must be in system mapping and role mapping. For these attributes, password change and password generation will be performed.
All these attributes have the same password.
Updated by Ondřej Kopr over 5 years ago
- % Done changed from 0 to 30
Transformation of additional passwords and additional attributes during password changes is complete.
Transformation and password generation during create were updated. There is also transformation for additional password attributes.
Now there is a problem with transformation from and to GuardedString.
Still missing these things:
- frontend,
- doc,
- tests,
- check green line.
Updated by Ondřej Kopr over 5 years ago
On the frontend a new checkbox "Password attribute" was created. With the select box more mapped attributes can be marked. I also added some additional info into the alert.
Updated by Ondřej Kopr over 5 years ago
- % Done changed from 30 to 60
The performance issue with filtering by schema was solved by adding a new attribute into provisioningAttributeDto (class type). Before sending the attributes into the facade this attribute will be transformed into a string.
Updated by Ondřej Kopr over 5 years ago
- % Done changed from 60 to 70
Tests and documentation were created.
doc: https://wiki.czechidm.com/tutorial/adm/password_provisioning
Now I am fixing the issues with creating the connector object directly without transformation. There is a problem with regenerating the password for the given password attributes.
Updated by Ondřej Kopr over 5 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Ondřej Kopr to Vít Švanda
- % Done changed from 70 to 90
- search in schema during provisioning was removed,
- flyway script with filtering by attribute mapping name was changed,
- streams were formatted.
Please, Vitek, could you make a review? Thank you.
Doc: https://wiki.czechidm.com/tutorial/adm/password_provisioning
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/3820e43a72fd0a06656b5c5924ec0685958b641b (branch develop)
Updated by Vít Švanda over 5 years ago
- Status changed from Needs feedback to In Progress
- Assignee changed from Vít Švanda to Ondřej Kopr
I did review and test. Works perfectly, thanks for that.
I found only two minor things:
- An overridden attribute on a role cannot be created for an attribute which is set as "isPasswordAttribute", which is correct. A bad state occurs when the overridden attribute is created first and after that I uncheck "isPasswordAttribute" on the main attribute.
- On change of the type of attribute (entity/EAV/is password) idmProperty is disabled, but still marked as required. This issue probably was not created in this task, but please try to repair it.
Updated by Ondřej Kopr over 5 years ago
Petr Michal wrote:
I found a bug in this feature (week old snapshot).
The password is checked by the password policy after transformation. So if I have a policy with a special character and my transformed hash does not contain a special character, then everything looks fine, but I have an exception in the log and the password is not sent to the system.
Please provide an error log from the password transformation or password generation. This seems like #1350, because in this ticket there isn't a change in the password policy code. Give me some error log from the application.
Today is the last day for changes, so please be quick; if there is some new error I must repair it today.
Updated by Petr Michal over 5 years ago
----- HERE IS END OF TRANSFORMATION SCRIPT ---
2018-11-16 09:13:21.770 INFO 13 --- [nio-8080-exec-8] e.b.i.c.m.s.i.DefaultEntityEventManager : Publishing event [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]]
2018-11-16 09:13:21.771 INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [disabled-system-processor]([acc]) start for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [-5000].
2018-11-16 09:13:21.772 INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [disabled-system-processor]([acc]) end for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [-5000].
2018-11-16 09:13:21.772 INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [prepare-connector-object-processor]([acc]) start for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [-1000].
16-Nov-2018 09:13:21.895 WARNING [http-nio-8080-exec-8] net.tirasa.connid.bundles.ldap.schema.LdapSchemaBuilder.addAttributeInfo(LdapSchemaBuilder.java:153) Could not find attribute subtreeSpecification in object classes [subentry, top]
2018-11-16 09:13:21.935 INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [prepare-connector-object-processor]([acc]) end for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [-1000].
2018-11-16 09:13:21.936 INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [readonly-system-processor]([acc]) start for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [-500].
2018-11-16 09:13:21.936 INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [readonly-system-processor]([acc]) end for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [-500].
2018-11-16 09:13:21.936 INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [provisioning-break-processor]([acc]) start for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [-10].
2018-11-16 09:13:21.938 INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [provisioning-break-processor]([acc]) end for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [-10].
2018-11-16 09:13:21.938 INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [provisioning-update-processor]([acc]) start for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [0].
16-Nov-2018 09:13:22.054 WARNING [http-nio-8080-exec-8] net.tirasa.connid.bundles.ldap.schema.LdapSchemaBuilder.addAttributeInfo(LdapSchemaBuilder.java:153) Could not find attribute subtreeSpecification in object classes [subentry, top]
2018-11-16 09:13:22.097 INFO 13 --- [nio-8080-exec-8] e.b.i.c.n.s.i.DefaultNotificationManager : Sending notification [eu.bcvsolutions.idm.core.notification.api.dto.IdmNotificationLogDto [id= 9a03ed10-44e5-4222-9f53-9f363aac3056]]
2018-11-16 09:13:22.099 INFO 13 --- [nio-8080-exec-8] c.n.s.i.DefaultConsoleNotificationSender : Sending notification to console [eu.bcvsolutions.idm.core.notification.api.dto.IdmNotificationLogDto [id= 9a03ed10-44e5-4222-9f53-9f363aac3056]]
2018-11-16 09:13:22.118 INFO 13 --- [nio-8080-exec-8] c.n.s.i.DefaultConsoleNotificationSender : Sending notification [eu.bcvsolutions.idm.core.notification.api.dto.IdmConsoleLogDto [id= null]]
2018-11-16 09:13:22.119 INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [provisioning-update-processor]([acc]) end for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [0].
2018-11-16 09:13:22.119 INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [remove-processed-operation-processor]([acc]) start for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [5000].
2018-11-16 09:13:22.150 INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [remove-processed-operation-processor]([acc]) end for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [5000].
2018-11-16 09:13:22.150 INFO 13 --- [nio-8080-exec-8] e.b.i.c.m.s.i.DefaultEntityEventManager : Event [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] is completed
2018-11-16 09:13:22.151 INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [identity-password-provisioning-processor]([acc]) end for [IdentityEvent [type: PASSWORD, content: eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto [code= ntlm.test.3], properties: {idm:password-change-dto=eu.bcvsolutions.idm.core.api.dto.PasswordChangeDto@13689075}]] with order [1000].
2018-11-16 09:13:22.151 INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [identity-password-change-notification]([core]) start for [IdentityEvent [type: PASSWORD, content: eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto [code= ntlm.test.3], properties: {idm:password-change-dto=eu.bcvsolutions.idm.core.api.dto.PasswordChangeDto@13689075}]] with order [1500].
2018-11-16 09:13:22.166 INFO 13 --- [nio-8080-exec-8] e.b.i.c.n.s.i.DefaultNotificationManager : Sending notification [eu.bcvsolutions.idm.core.notification.api.dto.IdmNotificationLogDto [id= cfabcbf4-912f-472d-8e7c-c7d832701c00]]
2018-11-16 09:13:22.168 INFO 13 --- [nio-8080-exec-8] i.c.n.s.i.DefaultEmailNotificationSender : Adding email notification to queue [eu.bcvsolutions.idm.core.notification.api.dto.IdmNotificationLogDto [id= cfabcbf4-912f-472d-8e7c-c7d832701c00]]
2018-11-16 09:13:22.189 INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [identity-password-change-notification]([core]) end for [IdentityEvent [type: PASSWORD, content: eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto [code= ntlm.test.3], properties: {idm:password-change-dto=eu.bcvsolutions.idm.core.api.dto.PasswordChangeDto@13689075}]] with order [1500].
2018-11-16 09:13:22.189 INFO 13 --- [nio-8080-exec-8] e.b.i.c.m.s.i.DefaultEntityEventManager : Event [IdentityEvent [type: PASSWORD, content: eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto [code= ntlm.test.3], properties: {idm:password-change-dto=eu.bcvsolutions.idm.core.api.dto.PasswordChangeDto@13689075}]] is completed
2018-11-16 09:13:22.201 INFO 13 --- [nio-8080-exec-8] e.b.i.c.n.service.impl.DefaultEmailer : Test mode for emailer is enabled. Email [eu.bcvsolutions.idm.core.notification.api.dto.IdmEmailLogDto [id= b5547f8e-725b-4180-a661-c8c17f9db7fe]] will be logged only.
2018-11-16 09:13:22.287 INFO 13 --- [nio-8080-exec-2] e.b.i.c.m.s.i.DefaultEntityEventManager : Publishing event [PasswordChangeEvent [type: PASSWORD_PREVALIDATION, content: eu.bcvsolutions.idm.core.api.dto.PasswordChangeDto@598fe4b0, properties: {}]]
2018-11-16 09:13:22.288 INFO 13 --- [nio-8080-exec-2] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [identity-password-pre-validate-definition-processor-acc]([acc]) start for [PasswordChangeEvent [type: PASSWORD_PREVALIDATION, content: eu.bcvsolutions.idm.core.api.dto.PasswordChangeDto@598fe4b0, properties: {}]] with order [-10].
2018-11-16 09:13:22.299 ERROR 13 --- [nio-8080-exec-2] e.b.i.c.a.e.AbstractEntityEventProcessor : [core:PASSWORD_PREVALIDATION:b9f98a3d-db52-4e8b-93a8-1166e498da7f] Password does not match password policy: 1 ({minUpperChar=1, minLength=5, minLowerChar=1, specialCharacterBase={Default=!@#$%&*}, minSpecialChar=1})
eu.bcvsolutions.idm.core.api.exception.ResultCodeException: Password does not match password policy: 1
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultIdmPasswordPolicyService.validate(DefaultIdmPasswordPolicyService.java:489)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultIdmPasswordPolicyService.preValidate(DefaultIdmPasswordPolicyService.java:282)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultIdmPasswordPolicyService$$FastClassBySpringCGLIB$$f90f724f.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:651)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultIdmPasswordPolicyService$$EnhancerBySpringCGLIB$$aa0edcdd.preValidate(<generated>)
    at eu.bcvsolutions.idm.acc.event.processor.IdentityPasswordPreValidateDefinitionProcessor.process(IdentityPasswordPreValidateDefinitionProcessor.java:64)
    at eu.bcvsolutions.idm.core.api.event.AbstractEntityEventProcessor.onApplicationEvent(AbstractEntityEventProcessor.java:237)
    at eu.bcvsolutions.idm.core.api.event.AbstractEntityEventProcessor$$FastClassBySpringCGLIB$$df69624d.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:720)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655)
    at eu.bcvsolutions.idm.acc.event.processor.IdentityPasswordPreValidateDefinitionProcessor$$EnhancerBySpringCGLIB$$3581702b.onApplicationEvent(<generated>)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:166)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:138)
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:381)
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:348)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager.process(DefaultEntityEventManager.java:222)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager.process(DefaultEntityEventManager.java:156)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager$$FastClassBySpringCGLIB$$1694e58f.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:651)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager$$EnhancerBySpringCGLIB$$e3013e9d.process(<generated>)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultIdmIdentityService.validatePassword(DefaultIdmIdentityService.java:508)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultIdmIdentityService$$FastClassBySpringCGLIB$$8401595e.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:651)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultIdmIdentityService$$EnhancerBySpringCGLIB$$a7e9f36a.validatePassword(<generated>)
    at eu.bcvsolutions.idm.core.rest.impl.PasswordChangeController.validate(PasswordChangeController.java:147)
    at sun.reflect.GeneratedMethodAccessor1585.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:136)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:832)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:743)
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:961)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:895)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)
    at org.springframework.web.servlet.FrameworkServlet.doPut(FrameworkServlet.java:880)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:664)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at eu.bcvsolutions.idm.core.security.auth.filter.ExtendExpirationFilter.doFilter(ExtendExpirationFilter.java:67)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at eu.bcvsolutions.idm.core.security.api.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:316)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:126)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:122)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:48)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at eu.bcvsolutions.idm.core.security.auth.filter.ExtendExpirationFilter.doFilter(ExtendExpirationFilter.java:67)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at eu.bcvsolutions.idm.core.security.api.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:61)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:89)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:120)
    at org.springframework.boot.context.web.ErrorPageFilter.access$000(ErrorPageFilter.java:61)
    at org.springframework.boot.context.web.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:95)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:113)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:96)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Updated by Ondřej Kopr over 5 years ago
- File pass01.png added
- File pass00.png added
- File pass001.png added
- File pass002.png added
- File pass03.png added
- File pass05.png added
- File pass04.png added
- File pass06.png added
- File pass07.png added
It was a little bit longer detective work, but I resolved it. I checked the current develop version and your 1 week old version. Both versions work correctly.
Situation (both versions work the same):
- on the system an active password validation policy with required special characters,
- in the password transformation a script that changes the password (after transformation, the password will not pass validation by the password policy for the system),
- I changed the password for an identity that has an account on the system; the password doesn't meet the password policy = the password wasn't sent, and on the frontend an error was shown:
- I changed the password for the same identity with a password that passes,
- the password was correctly sent, try checking your system,
- the error that you see in the log is from the prevalidation controller; it's not from validation during script transformation or similar, but from the frontend component, because after a successful password change all input is removed and password prevalidation is done again with an empty string.
The whole behavior of password transformation works correctly and well. Your problem is in prevalidation.
Updated by Radek Tomiška over 5 years ago
I don't see any issue; prevalidation works correctly. You need to see 'Hint for a new password' when the password form is refreshed, so prevalidation has to be called.
Updated by Ondřej Kopr over 5 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Ondřej Kopr to Vít Švanda
Vít Švanda wrote:
I did review and test. Works perfectly, thanks for that.
I found only two minor things:
- An overridden attribute on a role cannot be created for an attribute which is set as "isPasswordAttribute", which is correct. A bad state occurs when the overridden attribute is created first and after that I uncheck "isPasswordAttribute" on the main attribute.
- On change of the type of attribute (entity/EAV/is password) idmProperty is disabled, but still marked as required. This issue probably was not created in this task, but please try to repair it.
Thanks for the feedback, I fixed these things:
- setting a password attribute for overridden attributes in role mapping isn't possible now,
- the required field for a readOnly attribute in the attribute mapping detail was fixed,
- automatic check of attributePassword for the PASSWORD attribute (only in one way),
- updated documentation with double provisioning during password change.
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/e09aad63a48c765d4454284ef764be0dbe83c686 (branch develop)
Please, Vitek, could you give a second round of feedback? Thank you.
Updated by Vít Švanda over 5 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Ondřej Kopr
I did retest and everything works fine. Thanks for that.
Updated by Ondřej Kopr over 5 years ago
- Status changed from Resolved to Closed
- % Done changed from 90 to 100