One more thing. It probably makes sense to allow the admin user (or group) to use the existing 'changePassword' servlet without supplying the old password. Can you file a new bug report for that?
Regards,
Eric

On Sat, Apr 30, 2011 at 12:05 PM, Eric Norman <[email protected]> wrote:
> Hi Markus,
>
> Yes, you are right, the existing usermgmt bundle doesn't handle that use
> case.
>
> We could probably add that feature to the usermgmt bundle with a patch and
> a new release of the usermgmt bundle.
>
> To reset the password in a secure way, I am thinking of something like
> this:
>
> 1. A new RequestResetPwd servlet generates some random reset pwd token
> (that expires after n days) when invoked. Then it sends an email to the
> user with a link containing the token.
> 2. The target user gets the reset pwd email and clicks the link
> contained in it.
> 3. A sling script handles the link request, validates the reset pwd
> token and, if valid, displays a form where the user can enter a new
> password.
> 4. A POST from the form in #3 targets a new ResetPwdWithToken servlet
> that validates the reset pwd token again and then assigns the new password
> and removes the reset pwd token so it can not be used again.
>
> Does that look ok?
>
> Regards,
> Eric
>
> On Sat, Apr 30, 2011 at 6:46 AM, Markus Joschko
> <[email protected]> wrote:
>
>> Hi,
>> I am currently developing a UI for the sling usermgmt and found that
>> I can't realize a common use case:
>> - PW reset (manually by admin or automatically by user)
>>
>> The old PW is always required, but in the given use case it is most
>> likely that the PW is no longer available.
>> I would implement this on my own, but the only two ways I see seem to
>> be suboptimal:
>> 1) Create a new overwritePW which accepts only requests from admins.
>> However, as I can not extend AbstractUserPostServlet
>> from my code, I have no access to the digestPassword method and
>> would have to copy code and, even worse, make sure that the digest
>> algorithm
>> is then always configured the same on the create user? servlet and
>> the overwritePW servlet, which is suboptimal.
>> 2) Create a filter to provide the oldPW automatically to the changePW
>> servlet in case an admin overwrites a PW.
>> That won't work with the CryptedSimpleCredentials I guess.
>>
>> So I am stuck. How to realize PW reset?
>>
>> Thanks,
>> Markus
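The token lifecycle behind the four-step reset flow Eric sketches above (random token with an expiry, validated by the link handler, validated again and then discarded by the reset servlet), written out as an added, self-contained example that is not Sling code and is not part of the thread. It assumes an in-memory store, an injectable clock, n = 2 days for the expiry, and uses a plain SHA-256 stand-in where the real bundle would call its configured digestPassword; the server keeps only a hash of the token, so a leaked store cannot be replayed as a reset link.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL = 2 * 24 * 3600  # "expires after n days": n = 2 assumed for this example


class ResetPwdStore:
    """Constructed model of the RequestResetPwd / ResetPwdWithToken token lifecycle."""

    def __init__(self, users: Dict[str, str], now: Callable[[], float] = time.time):
        self.users = users      # user id -> stored password digest (sample data)
        self.now = now          # injectable clock so expiry can be exercised in a test
        self.pending: Dict[str, Tuple[str, float]] = {}  # user -> (token hash, expiry time)

    @staticmethod
    def _digest(value: str) -> str:
        # Stand-in for the bundle's digestPassword; not a real password hashing scheme.
        return hashlib.sha256(value.encode()).hexdigest()

    def request_reset(self, user: str) -> Optional[str]:
        # Step 1: unguessable token; only its hash is kept, the plaintext goes into the mailed link.
        # Unknown users get no token, so the servlet's response is the same either way.
        if user not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[user] = (self._digest(token), self.now() + TOKEN_TTL)
        return token

    def validate(self, user: str, token: str) -> bool:
        # Step 3: the link handler checks expiry and the token before rendering the form.
        rec = self.pending.get(user)
        if rec is None or self.now() > rec[1]:
            return False
        return secrets.compare_digest(rec[0], self._digest(token))

    def reset_with_token(self, user: str, token: str, new_password: str) -> bool:
        # Step 4: validate again on the POST, assign the new password, then remove the
        # token so the same link cannot be used a second time.
        if not self.validate(user, token):
            return False
        self.users[user] = self._digest(new_password)
        del self.pending[user]
        return True
```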
