Update profile info without password

Posted by Tom Oosterwijk on 11-Aug-2017 03:42

Two months ago I asked a question about using external user management. It took some time due to holidays and changing priorities, but about 80% of the work is done. The problem I am currently facing is that because my authentication can now happen via an OAuth2 flow, the BMUserBean on the session does not have the user's password (nor will oebpm ever be able to know the password). But when I try to add groups as an admin, or try to adjust my own start page as a user, I need to enter my password. This is validated (I believe) in the AjaxUtilController with an action value of updateUser or updateUserProfile. Here the password given is first validated, I believe versus the password that was set in the BMUserBean. I have set some random password here in my authenticationFilter, since it can't be empty, but of course the user does not know about this password.

Is there a way to update user information like groups or start page without the user providing a password, using the existing profile/administration screens and AjaxUtilController?

FYI: most of my realm and user functionality just extend the JDBC ones, only the password is ignored. I'm not even using a custom Group class.


Posted by Aditya Dhulipala on 18-Aug-2017 06:03

Updating the user information without providing a password would be insecure. As there is a filter configured to authenticate the requests, removing it may compromise the security of the system.

The admin user will be authenticated from the realm that was extended. From the information above, as the password is ignored right now, the authentication will fail.

As the JDBC realm has been extended, please override passwordOK(String password) and handle the scenario in there.

Thanks,

Aditya.
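One way to write the passwordOK override Aditya suggests for an externally authenticated user, as an added example that is not code from this thread or from OE BPM: the JdbcUser base class, the OAuthUser subclass and the per-session secret are assumptions (in a real deployment the realm's own user class would be extended), and only passwordOK(String) comes from the thread. Rather than a blanket true, the override compares the submitted value in constant time against a random secret the authentication filter minted at login, and rejects blank input.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Stand-in for the JDBC realm's user class (hypothetical name and shape; in
// OE BPM the real realm user class would be extended instead).
class JdbcUser {
    protected final String name;
    protected final String storedPassword;   // credential the realm holds, or null
    JdbcUser(String name, String storedPassword) { this.name = name; this.storedPassword = storedPassword; }
    public boolean passwordOK(String password) {
        return storedPassword != null && password != null
            && MessageDigest.isEqual(bytes(storedPassword), bytes(password));
    }
    static byte[] bytes(String s) { return s.getBytes(StandardCharsets.UTF_8); }
}

// User created by the OAuth2 authentication filter: no realm password exists,
// so passwordOK checks a per-session secret the filter minted at login.
class OAuthUser extends JdbcUser {
    private final String sessionSecret;
    OAuthUser(String name, String sessionSecret) {
        super(name, null);                 // the realm never learns a password
        this.sessionSecret = sessionSecret;
    }
    /** Minted once per login by the filter; lives only in the server-side session. */
    static String newSessionSecret() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }
    @Override
    public boolean passwordOK(String password) {
        // Never shortcut to "return true": that removes the confirmation step
        // for every caller that reaches the profile/admin update path.
        if (password == null || password.isEmpty() || sessionSecret == null) return false;
        return MessageDigest.isEqual(bytes(password), bytes(sessionSecret));
    }
}

public class PasswordOkDemo {
    public static void main(String[] args) {
        String secret = OAuthUser.newSessionSecret();
        OAuthUser u = new OAuthUser("tom", secret);
        System.out.println(u.passwordOK(secret));   // the filter-issued secret
        System.out.println(u.passwordOK(""));       // blank input
        System.out.println(u.passwordOK("guess"));  // any other value
    }
}
```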

Posted by Tom Oosterwijk on 31-Aug-2017 05:07

Overriding the passwordOK isn't going to help in this scenario, because it is not called. passwordOK is called when we log in the user, and therefore I did overwrite it. But the AjaxUtilController validates the given password versus the password the user used to login, since at that point a username/password combination is placed in the session and those are used to retrieve the current user and his password after the user has been logged in.

I find it a bit strange that for custom user management I can overwrite the passwordOK function of the user, but I cannot overwrite the function that is used to determine whether the password the user enters on the edit-user screen is valid. Shouldn't that be part of the custom user management?

Furthermore I find it a bit unfortunate that my extended JDBCRealm cannot be recognised as requestFromBizPass in the DomainFilter and thus does not call functions like createValidSession. Should the DomainFilter not determine whether or not to create a valid session based on a function in the default Realm?
