hi

with the advent of password expiry / force initial password change via OAK-1922 [0] and its recognition in the authentication layer (SLING-3905 [1]), it is time to think about how the password of an expired user may be changed.

currently password changes are handled via the ChangeUserPasswordServlet [2]:
- old password has to be provided and is checked
- uses the request session to obtain the user
- uses the request session to write to the user (change password)

this won't work for expired passwords for the following reasons:
- a user whose password is expired will not obtain a session (LoginException): the change password servlet is thus called with the anonymous session
- the anonymous session will not be able to obtain the user, let alone write to it

suggested solution:
- create a service user for changing passwords
- the service user's ACEs grant the following rights:
  - read on /home/users (to be able to obtain users via UserManager)
  - write on the rep:password property and ./rep:pwd/@* properties
- create a service user mapping in ChangeUserPasswordServlet
- obtain users and change passwords using the service user mapping session

advantages:
- ChangeUserPasswordServlet now supports expired passwords without intrusive change or introduction of additional e.g. form parameters; forms work as before
- granular control and accountability via service user mapping

disadvantage:
- security is slightly weakened, in that now an anonymous session may attempt a password change for a user, whereas previously only an already authenticated session with sufficient rights was able to retrieve a user. this is kept in check through the already existing password check (a user's password cannot be changed unless the old one is correctly given)

WDYT?

greetings
dom.

[0] https://issues.apache.org/jira/browse/OAK-1922
[1] https://issues.apache.org/jira/browse/SLING-3905
[2] https://svn.apache.org/repos/asf/sling/trunk/bundles/jcr/jackrabbit-usermanager/src/main/java/org/apache/sling/jackrabbit/usermanager/impl/post/ChangeUserPasswordServlet.java
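The following sketch shows what the suggested solution looks like in code. It is an added illustration, not the current ChangeUserPasswordServlet from the Sling repository or a patch proposed on this thread. It assumes a service user mapping entry for a hypothetical sub-service name "changepassword" (the bundle symbolic name and the service user id in the mapping comment are assumptions as well), and it assumes the form parameters userId, oldPwd, newPwd and newPwdConfirm. The old password is verified by the repository itself, because only the two-argument User.changePassword(newPassword, oldPassword) is called; the single-argument variant, which an administrative session could use to reset a password without knowing the old one, is deliberately never invoked, so the password check that keeps the anonymous call path in check is preserved. One caveat a practitioner will want to verify: under Oak, modifying user content is governed by the rep:userManagement privilege on the user tree, so the service user's ACEs may need that in addition to the read/write rights listed above.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.ServletException;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;

/**
 * Illustrative password change servlet that uses a service user session
 * instead of the request session, so that a caller whose own password has
 * expired (and who therefore only holds the anonymous session) can still
 * change it. Example code, not the Sling project's ChangeUserPasswordServlet.
 */
public class ServiceUserPasswordChangeServlet extends SlingAllMethodsServlet {

    // Hypothetical sub-service name. It must match a ServiceUserMapper entry of the form
    //   <bundle symbolic name>:changepassword=<service user id>
    // e.g. org.apache.sling.jcr.jackrabbit.usermanager:changepassword=pwdchange-service
    // (both the bundle name and the service user id are assumed here).
    private static final String SUBSERVICE = "changepassword";

    private final ResourceResolverFactory resolverFactory;

    public ServiceUserPasswordChangeServlet(ResourceResolverFactory resolverFactory) {
        this.resolverFactory = resolverFactory;
    }

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // Assumed form parameter names.
        String userId = request.getParameter("userId");
        String oldPwd = request.getParameter("oldPwd");
        String newPwd = request.getParameter("newPwd");
        String newPwdConfirm = request.getParameter("newPwdConfirm");

        if (userId == null || oldPwd == null || newPwd == null || !newPwd.equals(newPwdConfirm)) {
            response.sendError(SlingHttpServletResponse.SC_BAD_REQUEST, "Missing or mismatching parameters");
            return;
        }

        if (changePassword(userId, oldPwd, newPwd)) {
            response.setStatus(SlingHttpServletResponse.SC_OK);
        } else {
            // One generic answer for "no such user" and "old password wrong", so the
            // anonymous call path does not leak which user ids exist.
            response.sendError(SlingHttpServletResponse.SC_FORBIDDEN, "Password change failed");
        }
    }

    /** Returns true if the password was changed, false if the user or old password did not match. */
    boolean changePassword(String userId, String oldPwd, String newPwd) throws ServletException {
        Map<String, Object> authInfo =
                Collections.<String, Object>singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        ResourceResolver resolver = null;
        try {
            // Service user session: independent of the (possibly anonymous) request session.
            resolver = resolverFactory.getServiceResourceResolver(authInfo);
            Session session = resolver.adaptTo(Session.class);
            if (!(session instanceof JackrabbitSession)) {
                throw new ServletException("Repository does not expose the Jackrabbit user management API");
            }
            UserManager userManager = ((JackrabbitSession) session).getUserManager();

            // Needs read access on /home/users for the service user.
            Authorizable authorizable = userManager.getAuthorizable(userId);
            if (authorizable == null || authorizable.isGroup()) {
                return false;
            }
            User user = (User) authorizable;

            // The two-argument form makes the repository verify oldPwd before writing;
            // a wrong old password results in a RepositoryException and no change.
            user.changePassword(newPwd, oldPwd);
            session.save();
            return true;
        } catch (LoginException e) {
            // The service user mapping is missing or the service user cannot log in: a
            // deployment problem, not a user error, so surface it rather than hide it.
            throw new ServletException("Service user for password changes is not available", e);
        } catch (RepositoryException e) {
            return false;
        } finally {
            if (resolver != null) {
                resolver.close();
            }
        }
    }
}
```

Because the write happens through a session that is not the caller's, the audit trail for such changes is the service user mapping itself: any password change that bypasses the request session can be attributed to exactly this sub-service, which is the "granular control and accountability" point above made concrete.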
