Hi Markus,

Yes, you are right, the existing usermgmt bundle doesn't handle that use
case.

We could probably add that feature to the usermgmt bundle with a patch and a
new release of the usermgmt bundle.

To reset the password in a secure way, I am thinking of something like this:

   1. A new RequestResetPwd servlet generates some random reset pwd token
   (that expires after n days) when invoked.  Then it sends an email to the
   user with a link containing the token.
   2. The target user gets the reset pwd email and clicks the link contained
   in it.
   3. A sling script handles the link request, validates the reset pwd token
   and, if valid, displays a form where the user can enter a new password.
   4. A POST from the form in #3 targets a new ResetPwdWithToken servlet
   that validates the reset pwd token again and then assigns the new password
   and removes the reset pwd token so it can not be used again.

Does that look ok?

Regards,
Eric
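The token lifecycle of the four steps above, as an added example that models the proposal in plain Python; this is not code from the thread or from the Sling usermgmt bundle, and the in-memory store, the two-day TTL and the PBKDF2 password hashing are assumptions standing in for whatever the servlets would actually use. It shows the two points the design hinges on: only a digest of the token is kept at rest, and the token is validated again and removed in the same step that assigns the new password.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 2 * 24 * 3600  # "expires after n days"; n = 2 is a constructed choice

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class ResetTokenStore:
    """Token side of the flow: only a digest of each token is kept at rest (assumed in-memory store)."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self._pending = {}        # user id -> (token digest, expiry timestamp)

    def request_reset(self, user_id):
        """Step 1: mint an unguessable token; the raw value goes only into the mailed link."""
        token = secrets.token_urlsafe(32)
        self._pending[user_id] = (_digest(token), self.now() + TOKEN_TTL_SECONDS)
        return token

    def validate(self, user_id, token):
        """Step 3: check the token from the link without consuming it."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expiry = entry
        if self.now() > expiry:
            del self._pending[user_id]   # expired tokens are dropped on sight
            return False
        return hmac.compare_digest(digest, _digest(token))

    def consume(self, user_id, token):
        """Step 4: validate again, then remove the token so it cannot be reused."""
        if not self.validate(user_id, token):
            return False
        del self._pending[user_id]
        return True

def reset_password(store, accounts, user_id, token, new_password):
    """Step 4 servlet logic: the password changes only after the token is consumed."""
    if not store.consume(user_id, token):
        return False
    salt = secrets.token_bytes(16)  # PBKDF2 storage is an assumption, not the bundle's digest scheme
    accounts[user_id] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
    return True
```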

On Sat, Apr 30, 2011 at 6:46 AM, Markus Joschko <[email protected]> wrote:

> Hi,
> I am currently developing a UI for the sling usermgmt and found that
> I can't realize a common use case:
> - PW reset (manually by admin or automatically by user)
>
> The old PW is always required but in the given use case it is most
> likely that the PW is no longer available.
> I would implement this on my own but the only two ways I see seem to
> be suboptimal:
> 1) Create a new overwritePW which accepts only requests from admins.
> However, as I cannot extend AbstractUserPostServlet from my code, I have
> no access to the digestPassword method and would have to copy code and,
> even worse, make sure that the digest algorithm is then always configured
> the same on the create user? servlet and the overwritePW servlet, which is
> suboptimal.
> 2) Create a filter to provide the oldPW automatically to the changePW
> servlet in case an admin overwrites a PW.
> That won't work with the CryptedSimpleCredentials I guess.
>
> So I am stuck. How to realize PW reset?
>
> Thanks,
>  Markus
>
