[jira] [Commented] (SYNCOPE-939) Password history not checked when user changes password

[Colm O hEigeartaigh (JIRA)]

    [ 
https://issues.apache.org/jira/browse/SYNCOPE-939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15486981#comment-15486981
 ] 

Colm O hEigeartaigh commented on SYNCOPE-939:
---------------------------------------------

This bug is also present when resetting the password via the REST API, the 
following reset works even though it should fail as "password1" is in the 
password history of the user:

 String address = "http://localhost:9080/syncope/rest/";;
        SyncopeClientFactoryBean clientFactory = new 
SyncopeClientFactoryBean().setAddress(address);
        
        SyncopeClient authClient = clientFactory.create("alice", "password2");
        UserTO read = authClient.getService(UserSelfService.class).read();
        
        SyncopeClient anonClient = clientFactory.createAnonymous();
        UserSelfService userSelfService = 
anonClient.getService(UserSelfService.class);
        userSelfService.requestPasswordReset("alice", "xyz");
        
        SyncopeClient adminClient = clientFactory.create("admin", "password");
        UserService userService = adminClient.getService(UserService.class);
        String token = userService.read(read.getId()).getToken();
        
        
anonClient.getService(UserSelfService.class).confirmPasswordReset(token, 
"password1");

> Password history not checked when user changes password
> -------------------------------------------------------
>
>                 Key: SYNCOPE-939
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-939
>             Project: Syncope
>          Issue Type: Bug
>    Affects Versions: 1.2.8
>            Reporter: Colm O hEigeartaigh
>             Fix For: 1.2.9
>
>
> When a user changes his/her password via the Console, the password history 
> does not appear to be checked. It is only checked when the admin user changes 
> the password. This bug does not appear to be present in the enduser 
> application of Syncope 2.0.0.
> Steps to reproduce (Syncope 1.2.8):
> 1) Log onto the console as "admin". 
> 2) Change the global password policy to have a history of "10".
> 3) Now create a new user "alice" with password "password1" and save.
> 4) Edit "alice" (again as "admin") and change the password to "password2" and 
> save.
> 5) Edit "alice" (again as "admin") and try to change the password back to 
> "password1" -> this should fail.
> 6) Logout and log back in as "alice"/"password2".
> 7) Click on "alice" and change the password back to "password1".
> 8) It displays no error message and "alice" can log back in with "password1" 
> after logging out.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)