Task #1285

Available transformation for password

Added by Petr Michal over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Ondřej Kopr
Category:
Password
Target version:
Start date:
10/03/2018
Due date:
% Done:

100%

Estimated time:
Owner:

Description

Please enable the use of transformations for the PASSWORD attribute.

We have use cases where we need to encrypt the password with a cipher that is not available in the connector, or the connector does not support encryption at all.
This is a valid request, but because transformations are not accessible for the password, we have to use a projspec processor and configuration, which is not a nice solution for this requirement.

Since an admin who can work with the systems agenda in IdM can get passwords by editing connection options, making transformations available is not a major safety issue.

Consulted with Zdeněk.


Files

pass01.png (38.1 KB) pass01.png Ondřej Kopr, 11/16/2018 09:31 AM
pass00.png (23 KB) pass00.png Ondřej Kopr, 11/16/2018 09:32 AM
pass001.png (2.98 KB) pass001.png Ondřej Kopr, 11/16/2018 09:34 AM
pass002.png (11 KB) pass002.png Ondřej Kopr, 11/16/2018 09:35 AM
pass03.png (34.3 KB) pass03.png Ondřej Kopr, 11/16/2018 09:38 AM
pass05.png (22.7 KB) pass05.png Ondřej Kopr, 11/16/2018 09:39 AM
pass04.png (8.03 KB) pass04.png Ondřej Kopr, 11/16/2018 09:40 AM
pass06.png (32 KB) pass06.png Ondřej Kopr, 11/16/2018 09:48 AM
pass07.png (31.8 KB) pass07.png Ondřej Kopr, 11/16/2018 09:49 AM

Related issues

Is duplicate of IdStory Identity Manager - Task #706: Call the transform script to resource for PASSWORD attribute (Closed, Ondřej Kopr, 09/18/2017)

Actions #2

Updated by Radek Tomiška over 5 years ago

  • Is duplicate of Task #706: Call the transform script to resource for PASSWORD attribute added
Actions #3

Updated by Radek Tomiška over 5 years ago

  • Target version deleted (Morganite (9.2.0))
Actions #4

Updated by Ondřej Kopr over 5 years ago

  • Status changed from New to In Progress
  • Assignee changed from Zdeněk Burda to Ondřej Kopr
  • Target version set to Onyx (9.3.0)
Actions #5

Updated by Ondřej Kopr over 5 years ago

Newly generated password and password change will be transformed via transformation script for PASSWORD.

Actions #6

Updated by Ondřej Kopr over 5 years ago

  • Status changed from In Progress to Closed
Actions #7

Updated by Ondřej Kopr over 5 years ago

  • Status changed from Closed to In Progress
Actions #8

Updated by Ondřej Kopr over 5 years ago

A new configuration property must be created: Is password (checkbox). This must be on the system mapping and the role mapping. For these attributes, password change and password generation will be made.

All these attributes have the same password.

Actions #9

Updated by Ondřej Kopr over 5 years ago

  • % Done changed from 0 to 30

Transformation of additional passwords and additional attributes during password changes is complete.

Transformation and password generation during create were updated. There is also transformation for additional password attributes.

Now there is a problem with transformation from and to guarded string.

Still missing these things:
  • frontend,
  • doc,
  • tests,
  • check green line.
Actions #10

Updated by Ondřej Kopr over 5 years ago

On the frontend a new checkbox "Password attribute" was created. With the selectbox, more mapped attributes can be marked. I also added some additional info into the alert.

Actions #11

Updated by Ondřej Kopr over 5 years ago

  • % Done changed from 30 to 60

The performance issue with filtering by schema was solved by adding a new attribute into provisioningAttributeDto (class type). Before the attributes are sent to the facade, this attribute will be transformed into a string.

Actions #12

Updated by Ondřej Kopr over 5 years ago

  • % Done changed from 60 to 70

Tests and documentation were created.

doc: https://wiki.czechidm.com/tutorial/adm/password_provisioning

Now I am fixing the issues with creating the connector object directly without transformation. There is a problem with regenerating the password for the given password attributes.

Actions #13

Updated by Ondřej Kopr over 5 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Ondřej Kopr to Vít Švanda
  • % Done changed from 70 to 90
I fixed the feedback given directly by Vitek:
  • search in schema during provisioning was removed,
  • flyway script with filtering by attribute mapping name was changed,
  • streams were formatted.

Vitek, could you please make a review? Thank you.

Doc: https://wiki.czechidm.com/tutorial/adm/password_provisioning
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/3820e43a72fd0a06656b5c5924ec0685958b641b (branch develop)

Actions #14

Updated by Vít Švanda over 5 years ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Vít Švanda to Ondřej Kopr

I did review and test. Works perfectly, thanks for that.

I found only two minor things:

  • An overridden attribute on a role cannot be created for an attribute which is set as "isPasswordAttribute"; that is correct. A bad state occurs when the overridden attribute is created first and after that I uncheck "isPasswordAttribute" on the main attribute.
  • On change of the attribute type (entity/EAV/is password), idmProperty is disabled but still marked as required. This issue probably was not created in this task, but please try to repair it.
Actions #16

Updated by Ondřej Kopr over 5 years ago

Petr Michal wrote:

I found a bug in this feature (week-old snapshot).
The password is checked by the password policy after transformation. So if I have a policy with a special character and my transformed hash does not contain a special character, then everything looks fine, but I have an exception in the log and the password is not sent to the system.

Please provide the error log from the password transformation or password generation. This seems like #1350, because in this ticket there isn't a change in the password policy code. Give me some error log from the application.

Today is the last day for changes, so please be quick; if there is some new error I must repair it today.

Actions #17

Updated by Petr Michal over 5 years ago

----- HERE IS END OF TRANSFORMATION SCRIPT ---
2018-11-16 09:13:21.770  INFO 13 --- [nio-8080-exec-8] e.b.i.c.m.s.i.DefaultEntityEventManager  : Publishing event [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]]
2018-11-16 09:13:21.771  INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [disabled-system-processor]([acc]) start for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [-5000].
2018-11-16 09:13:21.772  INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [disabled-system-processor]([acc]) end for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [-5000].
2018-11-16 09:13:21.772  INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [prepare-connector-object-processor]([acc]) start for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [-1000].
16-Nov-2018 09:13:21.895 WARNING [http-nio-8080-exec-8] net.tirasa.connid.bundles.ldap.schema.LdapSchemaBuilder.addAttributeInfo(LdapSchemaBuilder.java:153) Could not find attribute subtreeSpecification in object classes [subentry, top]
2018-11-16 09:13:21.935  INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [prepare-connector-object-processor]([acc]) end for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [-1000].
2018-11-16 09:13:21.936  INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [readonly-system-processor]([acc]) start for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [-500].
2018-11-16 09:13:21.936  INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [readonly-system-processor]([acc]) end for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [-500].
2018-11-16 09:13:21.936  INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [provisioning-break-processor]([acc]) start for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [-10].
2018-11-16 09:13:21.938  INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [provisioning-break-processor]([acc]) end for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [-10].
2018-11-16 09:13:21.938  INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [provisioning-update-processor]([acc]) start for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [0].
16-Nov-2018 09:13:22.054 WARNING [http-nio-8080-exec-8] net.tirasa.connid.bundles.ldap.schema.LdapSchemaBuilder.addAttributeInfo(LdapSchemaBuilder.java:153) Could not find attribute subtreeSpecification in object classes [subentry, top]
2018-11-16 09:13:22.097  INFO 13 --- [nio-8080-exec-8] e.b.i.c.n.s.i.DefaultNotificationManager : Sending notification [eu.bcvsolutions.idm.core.notification.api.dto.IdmNotificationLogDto [id= 9a03ed10-44e5-4222-9f53-9f363aac3056]]
2018-11-16 09:13:22.099  INFO 13 --- [nio-8080-exec-8] c.n.s.i.DefaultConsoleNotificationSender : Sending notification to console [eu.bcvsolutions.idm.core.notification.api.dto.IdmNotificationLogDto [id= 9a03ed10-44e5-4222-9f53-9f363aac3056]]
2018-11-16 09:13:22.118  INFO 13 --- [nio-8080-exec-8] c.n.s.i.DefaultConsoleNotificationSender : Sending notification [eu.bcvsolutions.idm.core.notification.api.dto.IdmConsoleLogDto [id= null]]
2018-11-16 09:13:22.119  INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [provisioning-update-processor]([acc]) end for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [0].
2018-11-16 09:13:22.119  INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [remove-processed-operation-processor]([acc]) start for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [5000].
2018-11-16 09:13:22.150  INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [remove-processed-operation-processor]([acc]) end for [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] with order [5000].
2018-11-16 09:13:22.150  INFO 13 --- [nio-8080-exec-8] e.b.i.c.m.s.i.DefaultEntityEventManager  : Event [CoreEvent [type: UPDATE, content: eu.bcvsolutions.idm.acc.dto.SysProvisioningOperationDto [id= 45634db6-8a4b-4fc8-89f9-545b8836175d], properties: {}]] is completed
2018-11-16 09:13:22.151  INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [identity-password-provisioning-processor]([acc]) end for [IdentityEvent [type: PASSWORD, content: eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto [code= ntlm.test.3], properties: {idm:password-change-dto=eu.bcvsolutions.idm.core.api.dto.PasswordChangeDto@13689075}]] with order [1000].
2018-11-16 09:13:22.151  INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [identity-password-change-notification]([core]) start for [IdentityEvent [type: PASSWORD, content: eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto [code= ntlm.test.3], properties: {idm:password-change-dto=eu.bcvsolutions.idm.core.api.dto.PasswordChangeDto@13689075}]] with order [1500].
2018-11-16 09:13:22.166  INFO 13 --- [nio-8080-exec-8] e.b.i.c.n.s.i.DefaultNotificationManager : Sending notification [eu.bcvsolutions.idm.core.notification.api.dto.IdmNotificationLogDto [id= cfabcbf4-912f-472d-8e7c-c7d832701c00]]
2018-11-16 09:13:22.168  INFO 13 --- [nio-8080-exec-8] i.c.n.s.i.DefaultEmailNotificationSender : Adding email notification to queue [eu.bcvsolutions.idm.core.notification.api.dto.IdmNotificationLogDto [id= cfabcbf4-912f-472d-8e7c-c7d832701c00]]
2018-11-16 09:13:22.189  INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [identity-password-change-notification]([core]) end for [IdentityEvent [type: PASSWORD, content: eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto [code= ntlm.test.3], properties: {idm:password-change-dto=eu.bcvsolutions.idm.core.api.dto.PasswordChangeDto@13689075}]] with order [1500].
2018-11-16 09:13:22.189  INFO 13 --- [nio-8080-exec-8] e.b.i.c.m.s.i.DefaultEntityEventManager  : Event [IdentityEvent [type: PASSWORD, content: eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto [code= ntlm.test.3], properties: {idm:password-change-dto=eu.bcvsolutions.idm.core.api.dto.PasswordChangeDto@13689075}]] is completed
2018-11-16 09:13:22.201  INFO 13 --- [nio-8080-exec-8] e.b.i.c.n.service.impl.DefaultEmailer    : Test mode for emailer is enabled. Email [eu.bcvsolutions.idm.core.notification.api.dto.IdmEmailLogDto [id= b5547f8e-725b-4180-a661-c8c17f9db7fe]] will be logged only.
2018-11-16 09:13:22.287  INFO 13 --- [nio-8080-exec-2] e.b.i.c.m.s.i.DefaultEntityEventManager  : Publishing event [PasswordChangeEvent [type: PASSWORD_PREVALIDATION, content: eu.bcvsolutions.idm.core.api.dto.PasswordChangeDto@598fe4b0, properties: {}]]
2018-11-16 09:13:22.288  INFO 13 --- [nio-8080-exec-2] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [identity-password-pre-validate-definition-processor-acc]([acc]) start for [PasswordChangeEvent [type: PASSWORD_PREVALIDATION, content: eu.bcvsolutions.idm.core.api.dto.PasswordChangeDto@598fe4b0, properties: {}]] with order [-10].
2018-11-16 09:13:22.299 ERROR 13 --- [nio-8080-exec-2] e.b.i.c.a.e.AbstractEntityEventProcessor : [core:PASSWORD_PREVALIDATION:b9f98a3d-db52-4e8b-93a8-1166e498da7f] Password does not match password policy: 1 ({minUpperChar=1, minLength=5, minLowerChar=1, specialCharacterBase={Default=!@#$%&*}, minSpecialChar=1})

eu.bcvsolutions.idm.core.api.exception.ResultCodeException: Password does not match password policy: 1
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultIdmPasswordPolicyService.validate(DefaultIdmPasswordPolicyService.java:489)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultIdmPasswordPolicyService.preValidate(DefaultIdmPasswordPolicyService.java:282)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultIdmPasswordPolicyService$$FastClassBySpringCGLIB$$f90f724f.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:651)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultIdmPasswordPolicyService$$EnhancerBySpringCGLIB$$aa0edcdd.preValidate(<generated>)
    at eu.bcvsolutions.idm.acc.event.processor.IdentityPasswordPreValidateDefinitionProcessor.process(IdentityPasswordPreValidateDefinitionProcessor.java:64)
    at eu.bcvsolutions.idm.core.api.event.AbstractEntityEventProcessor.onApplicationEvent(AbstractEntityEventProcessor.java:237)
    at eu.bcvsolutions.idm.core.api.event.AbstractEntityEventProcessor$$FastClassBySpringCGLIB$$df69624d.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:720)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655)
    at eu.bcvsolutions.idm.acc.event.processor.IdentityPasswordPreValidateDefinitionProcessor$$EnhancerBySpringCGLIB$$3581702b.onApplicationEvent(<generated>)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:166)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:138)
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:381)
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:348)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager.process(DefaultEntityEventManager.java:222)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager.process(DefaultEntityEventManager.java:156)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager$$FastClassBySpringCGLIB$$1694e58f.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:651)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager$$EnhancerBySpringCGLIB$$e3013e9d.process(<generated>)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultIdmIdentityService.validatePassword(DefaultIdmIdentityService.java:508)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultIdmIdentityService$$FastClassBySpringCGLIB$$8401595e.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:651)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultIdmIdentityService$$EnhancerBySpringCGLIB$$a7e9f36a.validatePassword(<generated>)
    at eu.bcvsolutions.idm.core.rest.impl.PasswordChangeController.validate(PasswordChangeController.java:147)
    at sun.reflect.GeneratedMethodAccessor1585.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:136)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:832)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:743)
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:961)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:895)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)
    at org.springframework.web.servlet.FrameworkServlet.doPut(FrameworkServlet.java:880)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:664)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at eu.bcvsolutions.idm.core.security.auth.filter.ExtendExpirationFilter.doFilter(ExtendExpirationFilter.java:67)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at eu.bcvsolutions.idm.core.security.api.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:316)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:126)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:122)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:48)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at eu.bcvsolutions.idm.core.security.auth.filter.ExtendExpirationFilter.doFilter(ExtendExpirationFilter.java:67)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at eu.bcvsolutions.idm.core.security.api.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:61)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:89)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:120)
    at org.springframework.boot.context.web.ErrorPageFilter.access$000(ErrorPageFilter.java:61)
    at org.springframework.boot.context.web.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:95)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:113)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:96)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Actions #18

Updated by Ondřej Kopr over 5 years ago

It was a little bit of longer detective work, but I resolved it. I checked the current develop version and your one-week-old version. Both versions work correctly.

Situation (both versions behave the same):
  • on the system an active password validation policy with required special characters,
  • in the password transformation a script that changes the password (after transformation, the password will not pass validation by the password policy for the system),
  • I change the password for an identity that has an account on the system; the password doesn't meet the password policy = the password wasn't sent, on the frontend an error was shown:
  • I change the password for the same identity with a passing password,
  • the password was correctly sent, try checking your system,
  • the error that you see in the log is from the prevalidation controller; it's not from validation during script transformation etc., but from the frontend component, because after a successful password change all input is removed and password prevalidation is done again with an empty string.

The whole behavior of the password transformation works correctly and well. Your problem is in prevalidation.
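To make the point of this comment concrete, here is an added Python model (not CzechIdM code) of the order described: the policy is applied to the plaintext before the transformation script runs, the transformed value is never re-validated, and a policy ERROR tagged PASSWORD_PREVALIDATION comes from the UI hint path rather than from provisioning. The policy values are the ones printed in the log above; the transformation script, the log sample lines and their event ids are constructed stand-ins.

```python
import hashlib
import re
from typing import Optional

# Policy exactly as printed in the ERROR line quoted in comment #17.
POLICY = {
    "minLength": 5,
    "minUpperChar": 1,
    "minLowerChar": 1,
    "minSpecialChar": 1,
    "specialCharacterBase": "!@#$%&*",
}


def policy_violations(password: str, policy: dict = POLICY) -> list:
    """Return the names of the rules the given string breaks; [] means valid."""
    special = policy["specialCharacterBase"]
    checks = [
        ("minLength", len(password)),
        ("minUpperChar", sum(c.isupper() for c in password)),
        ("minLowerChar", sum(c.islower() for c in password)),
        ("minSpecialChar", sum(c in special for c in password)),
    ]
    return [name for name, count in checks if count < policy[name]]


def transform_password(plain: str) -> str:
    """Hypothetical PASSWORD transformation for a system that stores digests.
    The real Groovy script from the issue is not shown; this stands in for it."""
    return "{SHA256}" + hashlib.sha256(plain.encode("utf-8")).hexdigest()


def change_password(plain: str) -> dict:
    """Order described in comment #18: the policy is checked on the plaintext
    first; the transformation runs only afterwards and its output is not
    validated again, so a digest without special characters is still sent."""
    violations = policy_violations(plain)
    if violations:
        return {"sent": False, "violations": violations, "value": None}
    return {"sent": True, "violations": [], "value": transform_password(plain)}


# [module:EVENT_TYPE:event-id] prefix in the shape seen in the ERROR line above.
EVENT_PREFIX = re.compile(r"\[(?P<module>\w+):(?P<event>[A-Z_]+):[0-9a-f-]{36}\]")


def classify_policy_error(line: str) -> Optional[str]:
    """Tell a harmless prevalidation error (the form re-validates the emptied
    input after a successful change) from a policy failure on another event.
    Returns None for lines that are not policy errors at all."""
    if " ERROR " not in line or "does not match password policy" not in line:
        return None
    m = EVENT_PREFIX.search(line)
    if m is None:
        return "unknown"
    if m["event"] == "PASSWORD_PREVALIDATION":
        return "prevalidation"
    return "provisioning"


# Constructed sample lines: shape copied from the thread, ids and the third
# line (a hypothetical error on a PASSWORD event) are made up for the example.
SAMPLE_LOG = [
    "2018-11-16 09:13:22.299 ERROR 13 --- [nio-8080-exec-2] e.b.i.c.a.e.AbstractEntityEventProcessor : "
    "[core:PASSWORD_PREVALIDATION:00000000-0000-4000-8000-000000000001] "
    "Password does not match password policy: 1 ({minUpperChar=1, minLength=5, ...})",
    "2018-11-16 09:13:22.151  INFO 13 --- [nio-8080-exec-8] e.b.i.c.a.e.AbstractEntityEventProcessor : "
    "Processor [identity-password-provisioning-processor]([acc]) end for [IdentityEvent [type: PASSWORD, ...]]",
    "2018-11-16 09:14:00.000 ERROR 13 --- [nio-8080-exec-9] e.b.i.c.a.e.AbstractEntityEventProcessor : "
    "[core:PASSWORD:00000000-0000-4000-8000-000000000002] Password does not match password policy: 1 ({...})",
]


def triage(lines) -> dict:
    """Count policy errors by origin; only non-prevalidation ones mean a
    password may really not have been sent to the system."""
    counts = {"prevalidation": 0, "provisioning": 0, "unknown": 0}
    for line in lines:
        kind = classify_policy_error(line)
        if kind is not None:
            counts[kind] += 1
    return counts


if __name__ == "__main__":
    result = change_password("Abcd!")
    print(result)
    # The transformed digest would itself fail the policy, but it is never checked.
    print(policy_violations(result["value"]))
    print(triage(SAMPLE_LOG))
```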

Actions #19

Updated by Radek Tomiška over 5 years ago

I don't see any issue - prevalidation works correctly - you need to see 'Hint for a new password' when the password form is refreshed, so prevalidation has to be called.

Actions #20

Updated by Ondřej Kopr over 5 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Ondřej Kopr to Vít Švanda

Vít Švanda wrote:

I did review and test. Works perfectly, thanks for that.

I found only two minor things:

  • An overridden attribute on a role cannot be created for an attribute which is set as "isPasswordAttribute"; that is correct. A bad state occurs when the overridden attribute is created first and after that I uncheck "isPasswordAttribute" on the main attribute.
  • On change of the attribute type (entity/EAV/is password), idmProperty is disabled but still marked as required. This issue probably was not created in this task, but please try to repair it.

Thanks for the feedback, I fixed these things:
  • setting the password attribute for overridden attributes in the role mapping isn't possible now,
  • the required field for a readOnly attribute in the attribute mapping detail was fixed,
  • automatic check of attributePassword for the PASSWORD attribute (only in one way),
  • updated the documentation with the double provisioning during password change.

Commit: https://github.com/bcvsolutions/CzechIdMng/commit/e09aad63a48c765d4454284ef764be0dbe83c686 (branch develop)

Vitek, could you please give a second round of feedback? Thank you.

Actions #21

Updated by Vít Švanda over 5 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Ondřej Kopr

I did retest and everything works fine. Thanks for that.

Actions #22

Updated by Ondřej Kopr over 5 years ago

  • Status changed from Resolved to Closed
  • % Done changed from 90 to 100