noushadali / pwm

Automatically exported from code.google.com/p/pwm
0 stars 0 forks source link

Random Token Security Key generation is one character too short #374

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. In the Configuration Manager go to Configuration editor -> Settings -> 
Security
2. Click on Set password at the Security Key configuration option
3. Save the configuration
4. Put the length of the key on 32, Special=off, Show=off
5. Press the random button
6. Confirm the generated key and Click on Set password

What is the expected output? What do you see instead?
I would expect that PWM would accept its own generated security key. Instead I 
get an error upon saving the configuration: "5203 CONFIG_FORMAT_ERROR 
(Security-Security Key incorrect value format for value 
'12345678hkK9g2pE91kHWHYnH54pD6S')". It looks like the generated security key 
is 1 character too short (31 characters, instead of the 32 minimum required 
characters.

What version of PWM are you using?
Daily build (pwmVersion="1.7.0" pwmBuild="1216" pwmBuildType="RC1" 
createTime="2013-04-04 06:24:31 +0000")

What ldap directory and version are you using?
eDirectory for Linux x86_64 v8.8 SP7 ON SLES11 SP1

Original issue reported on code.google.com by sebastia...@gmail.com on 25 Apr 2013 at 6:01

GoogleCodeExporter commented 9 years ago
Unable to reproduce.

Original comment by jrivard on 25 Apr 2013 at 8:02

GoogleCodeExporter commented 9 years ago
That is a pity ;) Some more detail on my setup:

Servlet container/ Web Server: tomcat6-6.0.18-20
OS: SLES 11 SP1
Java SDK: tried both IBM 1.6.0 J9 SDK and Oracle 1.7.0_u21 SDK

Some tips on how I can pinpoint this problem?

Original comment by sebastia...@gmail.com on 25 Apr 2013 at 2:28

GoogleCodeExporter commented 9 years ago
Finally got some logging from catalina.out:

2013-05-03 15:06:17, TRACE, util.Helper, externalJudgeMethod 
'password.pwm.PwmPasswordJudge' returned a value of 94
2013-05-03 15:06:17, TRACE, util.Helper, externalJudgeMethod 
'password.pwm.PwmPasswordJudge' returned a value of 94
2013-05-03 15:06:17, TRACE, util.Helper, externalJudgeMethod 
'password.pwm.PwmPasswordJudge' returned a value of 94
2013-05-03 15:06:17, TRACE, util.Helper, externalJudgeMethod 
'password.pwm.PwmPasswordJudge' returned a value of 94
2013-05-03 15:06:17, TRACE, util.Helper, externalJudgeMethod 
'password.pwm.PwmPasswordJudge' returned a value of 94
2013-05-03 15:06:17, TRACE, util.Helper, externalJudgeMethod 
'password.pwm.PwmPasswordJudge' returned a value of 94
2013-05-03 15:06:17, TRACE, util.Helper, externalJudgeMethod 
'password.pwm.PwmPasswordJudge' returned a value of 97
2013-05-03 15:06:17, TRACE, util.Helper, externalJudgeMethod 
'password.pwm.PwmPasswordJudge' returned a value of 100
2013-05-03 15:06:17, TRACE, util.Helper, externalJudgeMethod 
'password.pwm.PwmPasswordJudge' returned a value of 100
2013-05-03 15:06:17, TRACE, util.Helper, externalJudgeMethod 
'password.pwm.PwmPasswordJudge' returned a value of 100
2013-05-03 15:06:17, ERROR, util.RandomPasswordGenerator, {p,testuser} failed 
random password generation after 3s after 1000 tries. (errors=2, judgeLevel=100 
[132.321.123.321]

Original comment by sebastia...@gmail.com on 3 May 2013 at 1:23

GoogleCodeExporter commented 9 years ago
Dived a bit deeper into the source. It looks like the random generated password 
must comply to the password policy of the authneticated user that is generating 
the security key 
(pwm/servlet/src/password/pwm/ws/server/rest/RestRandomPasswordServer.java)

This leads to problems if the password policy for regular users does not allow 
passwords of 32 characters :)

I'm not sure why that logic is in there, but it looks wrong to me

Original comment by sebastia...@gmail.com on 3 May 2013 at 2:44

GoogleCodeExporter commented 9 years ago

Original comment by jrivard on 14 Jun 2013 at 3:48