Hi Markus,

Yes, that is a good point.  I was reviewing the open issues and it looks
like we already have an issue
(SLING-1555<https://issues.apache.org/jira/browse/SLING-1555>)
requesting OSGi services for the user management actions.

Of course, patches are welcome to add this functionality.  If no one else
gets to it, I can take a look when I get some free time.

Regards,
Eric

On Sun, May 1, 2011 at 11:56 PM, Markus Joschko <markus.josc...@gmail.com> wrote:

> Hi Eric,
>
> this sounds great but is already quite specific and has to deal with
> quite some configuration.
> (mailserver configuration, mail templates (maybe localized etc))
>
> I think it would be sufficient to extract a password service which is
> available in the osgi environment
> and allows other components to request a pw change.
>
> The applications are then free to build their own PW reset workflow
> while the configuration for the PW reset (digest etc)
> is still kept in one place.
>
> WDYT?
>
> Regards,
>  Markus
>
> On Sat, Apr 30, 2011 at 9:05 PM, Eric Norman <eric.d.nor...@gmail.com>
> wrote:
> > Hi Markus,
> >
> > Yes, you are right, the existing usermgmt bundle doesn't handle that use
> > case.
> >
> > We could probably add that feature to the usermgmt bundle with a patch and a
> > new release of the usermgmt bundle.
> >
> > To reset the password in a secure way, I am thinking of something like this:
> >
> >   1. A new RequestResetPwd servlet generates some random reset pwd token
> >   (that expires after n days) when invoked.  Then it sends an email to the
> >   user with a link containing the token.
> >   2. The target user gets the reset pwd email and clicks the link contained
> >   in it.
> >   3. A sling script handles the link request, validates the reset pwd token
> >   and, if valid, displays a form where the user can enter a new password.
> >   4. A POST from the form in #3 targets a new ResetPwdWithToken servlet
> >   that validates the reset pwd token again and then assigns the new password
> >   and removes the reset pwd token so it cannot be used again.
> >
> > Does that look ok?
> >
> > Regards,
> > Eric
> >
> > On Sat, Apr 30, 2011 at 6:46 AM, Markus Joschko <markus.josc...@gmail.com> wrote:
> >
> >> Hi,
> >> I am currently developing a UI for the sling usermgmt and found that
> >> I can't realize a common use case:
> >> - PW reset (manually by admin or automatically by user)
> >>
> >> The old PW is always required but in the given use case it is most
> >> likely that the PW is no longer available.
> >> I would implement this on my own but the only two ways I see seem to
> >> be suboptimal:
> >> 1) Create a new overwritePW which accepts only requests from admins.
> >>    However, as I cannot extend AbstractUserPostServlet from my code,
> >>    I have no access to the digestPassword method and would have to copy
> >>    code and, even worse, make sure that the digest algorithm is then
> >>    always configured the same on the create user? servlet and the
> >>    overwritePW servlet, which is suboptimal.
> >> 2) Create a filter to provide the oldPW automatically to the changePW
> >> servlet in case an admin overwrites a PW.
> >>    That won't work with the CryptedSimpleCredentials I guess.
> >>
> >> So I am stuck. How to realize PW reset?
> >>
> >> Thanks,
> >>  Markus
> >>
> >
>
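As an added example (not code from the Sling usermgmt bundle, and not Eric's or Markus's code), here is a self-contained Python model of the four-step reset flow sketched in the thread combined with the single "password service" Markus asks for: one digest routine shared by the admin overwrite and the self-service change, and reset tokens that are random, stored only as a hash, time-limited and single-use. The class and function names, the PBKDF2 digest and the two-day token lifetime are assumptions made for the example; they are not Sling's actual digest configuration.

```python
"""Added example: a model of the token-based password reset flow.

Not Sling code.  The names, the PBKDF2 digest and the two-day token
lifetime are assumptions chosen for this example.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Step 1 says the token "expires after n days"; n = 2 is an assumption.
TOKEN_TTL_SECONDS = 2 * 24 * 3600
PBKDF2_ROUNDS = 100_000  # assumed work factor, not Sling's digest setting


def digest_password(password: str, salt: Optional[bytes] = None) -> str:
    """The single digest routine that every password-writing path goes through."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2-sha256${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-digest with the stored salt and compare in constant time."""
    _algo, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


class PasswordService:
    """One place that owns the digest configuration and the reset tokens,
    so any application can build its own reset workflow on top of it."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._digests = {}     # user_id -> stored digest string
        self._tokens = {}      # user_id -> (sha256(token), expires_at)

    # --- password writes: both paths share digest_password -----------------
    def set_password(self, user_id: str, new_password: str) -> None:
        """Admin overwrite: no old password required."""
        self._digests[user_id] = digest_password(new_password)

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        """Self-service change: requires the current password."""
        if not self.verify(user_id, old):
            return False
        self.set_password(user_id, new)
        return True

    def verify(self, user_id: str, password: str) -> bool:
        stored = self._digests.get(user_id)
        return stored is not None and verify_password(password, stored)

    # --- reset tokens (steps 1, 3 and 4 of the sketch) ---------------------
    @staticmethod
    def _token_hash(token: str) -> str:
        # Store only a hash: a readable token table must not yield live links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_reset(self, user_id: str) -> str:
        """Step 1: mint a random token; the raw value goes only into the e-mail."""
        token = secrets.token_urlsafe(32)
        self._tokens[user_id] = (self._token_hash(token),
                                 self._now() + TOKEN_TTL_SECONDS)
        return token

    def token_is_valid(self, user_id: str, token: str) -> bool:
        """Step 3: check before showing the form.  Does not consume the token."""
        entry = self._tokens.get(user_id)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._now() > expires_at:
            del self._tokens[user_id]  # expired: drop it
            return False
        return hmac.compare_digest(token_hash, self._token_hash(token))

    def reset_with_token(self, user_id: str, token: str, new_password: str) -> bool:
        """Step 4: validate again, burn the token, then set the password."""
        if not self.token_is_valid(user_id, token):
            return False
        del self._tokens[user_id]  # single use
        self.set_password(user_id, new_password)
        return True
```

The check in step 3 is deliberately non-destructive so that a mail client prefetching the link does not consume the token; only the POST in step 4 burns it. Because the service stores a hash of the token rather than the token itself, someone who can read the user node cannot turn the stored value into a working reset link.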
