Posted to oak-issues@jackrabbit.apache.org by "Dominique Jäggi (JIRA)" <ji...@apache.org> on 2015/10/07 15:46:26 UTC

[jira] [Resolved] (OAK-3463) Communicate Password Change Failure Reason During Expiry + Pw History

     [ https://issues.apache.org/jira/browse/OAK-3463?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dominique Jäggi resolved OAK-3463.
----------------------------------
       Resolution: Fixed
    Fix Version/s: 1.3.8

Fixed in r1707304 by providing a credentials attribute upon encountering a pw change failure during authentication when the pw has expired and a new password is provided.

Should the pw history feature be enabled, and - for the
above password change - a password already in the history be used, the change
will fail and the login still throw a _CredentialExpiredException_. In order
for consumers of the exception to become aware that the credentials are
still considered expired, and that the password was not changed due to the 
new password having been found in the password history, the credentials object
is fitted with an additional attribute with name _PasswordHistoryException_.
This attribute may contain the following two values:

_"New password was found in password history."_ or 
_"New password is identical to the current password."_

> Communicate Password Change Failure Reason During Expiry + Pw History
> ---------------------------------------------------------------------
>
>                 Key: OAK-3463
>                 URL: https://issues.apache.org/jira/browse/OAK-3463
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core, security
>    Affects Versions: 1.3.6
>            Reporter: Dominique Jäggi
>            Assignee: Dominique Jäggi
>             Fix For: 1.3.8
>
>
> When password expiry and password history are enabled, the following situation may occur:
> When a password is expired, it may be changed as part of the regular _authenticate_ call, in this case handled by the _UserAuthentication_. If the new password is found in the password history, the pw change fails and _UserAuthentication_ still reports this (special) login as expired.
> It would be desirable to allow consumers of the resulting state (currently CredentialExpiredException) to be able to identify that the password change failed due to it being in the pw history, even though the unchanged password could still be considered expired.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
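The consumer-side handling the comment above asks for, as an added example that is not part of the issue or of Oak's own code: a login helper that supplies a replacement password together with the expired one, catches the expiry exception, and reads the _PasswordHistoryException_ credentials attribute to tell "still expired, no change attempted" apart from "change rejected by the password history". The attribute name _PasswordHistoryException_ and its two message values come from the comment; everything else is assumed: that the replacement password travels in the SimpleCredentials attribute `user.newPassword` (Oak's UserConstants.CREDENTIALS_ATTRIBUTE_NEWPASSWORD), that the repository wraps the JAAS CredentialExpiredException as the cause of the javax.jcr.LoginException it throws, and the class, method and enum names used here.

```java
import javax.jcr.LoginException;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.security.auth.login.CredentialExpiredException;

/**
 * Example consumer of the OAK-3463 behaviour (not Oak project code).
 * When a login with an expired password also carries a new password and the
 * change is rejected, Oak still throws CredentialExpiredException but sets a
 * "PasswordHistoryException" attribute on the SimpleCredentials object.
 */
public final class ExpiredPasswordLogin {

    /** Attribute name as given in the OAK-3463 resolution comment. */
    static final String ATTR_PW_HISTORY_EXCEPTION = "PasswordHistoryException";

    /**
     * Assumption: the replacement password is passed in this attribute
     * (Oak UserConstants.CREDENTIALS_ATTRIBUTE_NEWPASSWORD). Check it against
     * the Oak version in use.
     */
    static final String ATTR_NEW_PASSWORD = "user.newPassword";

    public enum Outcome {
        LOGGED_IN,                  // session obtained (password changed if a new one was supplied)
        EXPIRED_NO_CHANGE,          // expired, and no history rejection reported
        CHANGE_REJECTED_BY_HISTORY, // expired, new password rejected by pw history
        LOGIN_FAILED                // any other login failure
    }

    public static final class Result {
        public final Outcome outcome;
        public final Session session; // non-null only for LOGGED_IN
        public final String reason;   // message from the history attribute, if any

        Result(Outcome outcome, Session session, String reason) {
            this.outcome = outcome;
            this.session = session;
            this.reason = reason;
        }
    }

    /**
     * Attempts a login; when newPassword is non-null it is offered as the
     * replacement for an expired password in the same authenticate call.
     */
    public static Result login(Repository repo, String userId,
                               char[] password, char[] newPassword)
            throws RepositoryException {
        SimpleCredentials creds = new SimpleCredentials(userId, password);
        if (newPassword != null) {
            creds.setAttribute(ATTR_NEW_PASSWORD, new String(newPassword));
        }
        try {
            Session session = repo.login(creds);
            return new Result(Outcome.LOGGED_IN, session, null);
        } catch (LoginException e) {
            // Assumption: the JAAS CredentialExpiredException is wrapped as the cause
            // of the JCR LoginException thrown by Repository.login().
            if (e.getCause() instanceof CredentialExpiredException) {
                Object reason = creds.getAttribute(ATTR_PW_HISTORY_EXCEPTION);
                if (reason != null) {
                    // The old password is still expired; the caller must ask the
                    // user for a different new password and retry.
                    return new Result(Outcome.CHANGE_REJECTED_BY_HISTORY, null,
                                      String.valueOf(reason));
                }
                return new Result(Outcome.EXPIRED_NO_CHANGE, null, null);
            }
            return new Result(Outcome.LOGIN_FAILED, null, null);
        } finally {
            // The new password was copied into a String for the attribute; clear
            // the char[] inputs the caller handed us.
            java.util.Arrays.fill(password, '\0');
            if (newPassword != null) {
                java.util.Arrays.fill(newPassword, '\0');
            }
        }
    }
}
```

Usage: call `login(repo, "alice", oldPw, null)` first; on `EXPIRED_NO_CHANGE` prompt for a new password and call again with all four arguments. On `CHANGE_REJECTED_BY_HISTORY` show `result.reason` (one of the two messages quoted in the comment) and prompt again; do not branch on the message text itself, since it is a human-readable string rather than a stable code. Note that the attribute is read from the same SimpleCredentials instance that was passed to `login()`, which is why the helper keeps a reference to it rather than building a new one.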