Hi Eric, this sounds great but is already quite specific and has to deal with quite some configuration. (mailserver configuration, mail templates (maybe localized etc))
I think it would be sufficient to extract a password service which is available in the osgi environment and allows other components to request a pw change. The applications are then free to build their own PW reset workflow while the configuration for the PW reset (digest etc) is still kept in one place. WDYT? Regards, Markus On Sat, Apr 30, 2011 at 9:05 PM, Eric Norman <[email protected]> wrote: > Hi Markus, > > Yes, you are right, the existing usermgmt bundle doesn't handle that use > case. > > We could probably add that feature to the usermgmt bundle with a patch and a > new release of the usermgmt bundle. > > To reset the password in a secure way, I am thinking of something like this: > > 1. A new RequestResetPwd servlet generates some random reset pwd token > (that expires after n days) when invoked. Then it sends an email to the > user with a link containing the token. > 2. The target user gets the reset pwd email and clicks the link contained > in it. > 3. A sling script handles the link request, validates the reset pwd token > and, if valid, displays a form where the user can enter a new password. > 4. A POST from the form in #3 targets a new ResetPwdWithToken servlet > that validates the reset pwd token again and then assigns the new password > and removes the reset pwd token so it can not be used again. > > Does that look ok? > > Regards, > Eric > > On Sat, Apr 30, 2011 at 6:46 AM, Markus Joschko > <[email protected]>wrote: > >> Hi, >> I am currently developing an UI for the sling usermgmt and found that >> I can't realize a common use case: >> - PW reset (manually by admin or automatically by user) >> >> The old PW is always required but in the given use case it is most >> likely that the PW is no longer available. >> I would implement this on my own but the only two ways I see seem to >> be suboptimal: >> 1) Create a new overwritePW which accepts only requests from admins. >> However as I can not extend AbstractUserPostServlet >> from my code, I have no access to the digestPassword method and >> would have to copy code and even worse make sure, that the digest >> algorithm >> is then always configured the same on the create user? servlet and >> the overwritePW servlet which is suboptimal. >> 2) Create a filter to provide the oldPW automatically to the changePW >> servlet in case an admin overwrites a PW. >> That won't work with the CryptedSimpleCredentials I guess. >> >> So I am stuck. How to realize PW reset? >> >> Thanks, >> Markus >> >
