On Sat, Apr 30, 2011 at 9:07 PM, Eric Norman <[email protected]> wrote:
> One more thing. It probably makes sense to allow the admin user (or group)
> to use the existing 'changePassword' servlet without supplying the old
> password. Can you file a new bug report for that?

Yep, that makes perfect sense. I created the issue:
https://issues.apache.org/jira/browse/SLING-2069

Regards,
Markus

> On Sat, Apr 30, 2011 at 12:05 PM, Eric Norman <[email protected]> wrote:
>
>> Hi Markus,
>>
>> Yes, you are right, the existing usermgmt bundle doesn't handle that use
>> case.
>>
>> We could probably add that feature to the usermgmt bundle with a patch and
>> a new release of the usermgmt bundle.
>>
>> To reset the password in a secure way, I am thinking of something like
>> this:
>>
>> 1. A new RequestResetPwd servlet generates some random reset pwd token
>> (that expires after n days) when invoked. Then it sends an email to the
>> user with a link containing the token.
>> 2. The target user gets the reset pwd email and clicks the link
>> contained in it.
>> 3. A sling script handles the link request, validates the reset pwd
>> token and, if valid, displays a form where the user can enter a new
>> password.
>> 4. A POST from the form in #3 targets a new ResetPwdWithToken servlet
>> that validates the reset pwd token again and then assigns the new password
>> and removes the reset pwd token so it can not be used again.
>>
>> Does that look ok?
>>
>> Regards,
>> Eric
>>
>> On Sat, Apr 30, 2011 at 6:46 AM, Markus Joschko <[email protected]> wrote:
>>
>>> Hi,
>>> I am currently developing a UI for the sling usermgmt and found that
>>> I can't realize a common use case:
>>> - PW reset (manually by admin or automatically by user)
>>>
>>> The old PW is always required but in the given use case it is most
>>> likely that the PW is no longer available.
>>> I would implement this on my own but the only two ways I see seem to
>>> be suboptimal:
>>> 1) Create a new overwritePW which accepts only requests from admins.
>>> However, as I cannot extend AbstractUserPostServlet
>>> from my code, I have no access to the digestPassword method and
>>> would have to copy code and, even worse, make sure that the digest
>>> algorithm is then always configured the same on the create user? servlet
>>> and the overwritePW servlet, which is suboptimal.
>>> 2) Create a filter to provide the oldPW automatically to the changePW
>>> servlet in case an admin overwrites a PW.
>>> That won't work with the CryptedSimpleCredentials I guess.
>>>
>>> So I am stuck. How to realize PW reset?
>>>
>>> Thanks,
>>> Markus
>>>
>>
>>
>
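The token lifecycle behind Eric's four-step reset flow (mint a random token, validate it on the link, re-validate and consume it on the POST), as an added example that is not Sling's own code. The store, class and method names are hypothetical and the store is in-memory; the real servlets would keep the token under the user node. The properties worth carrying over are that only a hash of the token is stored, that it expires, and that one valid use burns it.

```python
import hashlib
import secrets
import time


class ResetTokenStore:
    """Hypothetical store for reset-password tokens (example, not Sling code)."""

    def __init__(self, ttl_seconds=24 * 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self._tokens = {}           # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash: a leaked repository dump must not yield live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, user_id):
        """Step 1: mint a high-entropy token; the clear token goes into the email only."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user_id, self.clock() + self.ttl)
        return token

    def validate(self, user_id, token):
        """Step 3: check the link's token without consuming it."""
        key = self._digest(token)
        entry = self._tokens.get(key)
        if entry is None:
            return False
        stored_user, expires_at = entry
        if self.clock() > expires_at:
            del self._tokens[key]   # expired tokens are dropped on first sight
            return False
        return stored_user == user_id

    def reset_password(self, user_id, token, new_password, set_password):
        """Step 4: re-validate, assign the password, then remove the token."""
        if not self.validate(user_id, token):
            return False
        set_password(user_id, new_password)   # e.g. the usermgmt digest-and-store path
        del self._tokens[self._digest(token)]  # single use: a replayed POST fails
        return True
```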
