  1. MidPoint
  2. MID-5030

Security answers value policy not enforcing certain policy checks



    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.9
    • Fix Version/s: 3.9.1, 4.0
    • Component/s: None
    • Subscription:
      Active subscription


      We are encountering a strange issue with one of our value policies, but first here is some background to the problem:

      The following check expression for preventing User IDs in credentials works in our defined password policy:

      <!-- MID-1657 - Ensures that the password does not contain the User ID -->
      assert input != null
      assert object != null
      // object.getName() may be null (e.g. new shadow)
      if (object instanceof com.evolveum.midpoint.xml.ns._public.common.common_3.UserType)
          return !basic.containsIgnoreCase(input, object.getName())
      return true
      <failureMessage>Password must not contain User ID</failureMessage>

      but throws the following "Bad Request" error when copied as is to our security answers value policy:

      ... 46 more
      Caused by: javax.ws.rs.BadRequestException: Bad Request
          at com.evolveum.midpoint.client.impl.restjaxb.RestJaxbValidateGenerateRpcService.apost(RestJaxbValidateGenerateRpcService.java:64) ~[midpoint-client-impl-rest-jaxb-3.8-SNAPSHOT.jar:?]
          at com.evolveum.midpoint.client.api.verb.Post.post(Post.java:34) ~[midpoint-client-api-3.8-SNAPSHOT.jar:?]

      Commenting out the assert object != null statement allows the security answers policy to validate answers without throwing the bad request error.

      The main problem that I am reporting is that the check expression works in the password policy but does not work in the security answers policy.

      If passwords are submitted that contain the current user's User ID ("name" in midPoint nomenclature), the password policy rejects them with the defined failure message, but if security answers are submitted while using the same check expression, the policy accepts the submitted answers.

      N.B. The passwords and security answers are being submitted to our midPoint instance via the midpoint-java-client.

      Could you take a look?
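To make the fail-open behaviour in this report concrete, here is an added, stand-alone Groovy sketch; it is not code from the issue or from midPoint. The `UserType` stand-in, the `Basic` helper and the sample inputs are constructed for this example, and it assumes that `object` is simply null when the security-answers policy is evaluated, which is what the reporter's observations are consistent with.

```groovy
import groovy.transform.Field

// Stand-ins for the midPoint script variables used by the check expression
// (constructed for this example; midPoint's real UserType is the JAXB class).
class UserType { String name; String getName() { name } }
class Basic {
    boolean containsIgnoreCase(String s, String sub) {
        s != null && sub != null && s.toLowerCase().contains(sub.toLowerCase())
    }
}
@Field Basic basic = new Basic()

// 1. The check expression as posted: asserts first, then the instanceof test.
boolean originalCheck(String input, Object object) {
    assert input != null
    assert object != null              // throws AssertionError when object is missing
    if (object instanceof UserType)
        return !basic.containsIgnoreCase(input, object.getName())
    return true
}

// 2. The same check with the object assert commented out (what the reporter tried).
boolean withoutAssert(String input, Object object) {
    assert input != null
    if (object instanceof UserType)
        return !basic.containsIgnoreCase(input, object.getName())
    return true                        // object == null falls through here: fail open
}

// 3. Fail-closed variant: a missing or non-user object counts as a failed check.
boolean failClosed(String input, Object object) {
    if (input == null || !(object instanceof UserType)) return false
    return !basic.containsIgnoreCase(input, object.getName())
}

def user = new UserType(name: 'jsmith')   // constructed sample user

// Password policy: object is the user, so the User ID is caught by all variants.
assert originalCheck('Correct Horse jsmith', user) == false
assert withoutAssert('Correct Horse jsmith', user) == false
assert failClosed('Correct Horse jsmith', user) == false
assert failClosed('paris', user) == true

// Security-answers policy with object == null: assert blows up, removing it fails open.
try { originalCheck('Correct Horse jsmith', null); assert false }
catch (AssertionError e) { println 'object == null: AssertionError (seen as Bad Request)' }
assert withoutAssert('Correct Horse jsmith', null) == true    // User ID accepted
assert failClosed('Correct Horse jsmith', null) == false      // User ID rejected
```

If the object is genuinely never supplied for security-answer validation, the fail-closed variant rejects every answer, which surfaces the configuration gap instead of silently accepting the User ID.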




            • Assignee:
              katkav Katka Valalikova
              dantrob Dennis Antrobus