zzOzz / pwm

Automatically exported from code.google.com/p/pwm

Some (?) special characters in password cause PWM web page to crash in browser #506

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Click "Forgotten Password" on PWM log in page

2. Correctly answer questions to arrive at page for setting new password.

3. Enter a valid password containing a special character such as '!' or '_'.

4. Click "Change Password".

What is the expected output? What do you see instead?
Expect to see the password change operation succeed. Instead the browser 
returns to the page for setting a new password with an error saying that the 
password does not adhere to the password rules (even though it validated fine 
on the previous page). The page then becomes unresponsive (crashes) because of 
an out-of-control script. In some cases, broken bits of HTML may be seen on the 
page.

What version of PWM are you using?
PWM v1.7.0 b1228 (Release)

What ldap directory and version are you using?
389 Directory Server, Version 1.2.9.9
Build number: 2011.244.2040

Please paste any error log messages below:
There are no error messages in the PWM.log file when this happens.

Note that PWM *does* update the user's password in LDAP, but not to any value 
typed into the form. (Have no idea what it sets the password to.)

Our password policy settings are as follows:

Password is case sensitive.
Must be at least 8 characters long.
Must have at least 1 symbol (non letter or number) character.
Must not repeat any character sequentially more than 1 time.
Must have at least 1 lowercase letter.
Must have at least 1 uppercase letter.
Must not include any of the following values: password test
Must not include part of your name or username.
Must not include a common word or commonly used sequence of characters.

Thanks in advance for any help.

Ed

Original issue reported on code.google.com by ed.hu...@gmail.com on 5 Nov 2013 at 9:29

GoogleCodeExporter commented 9 years ago
*New information*:

There may be another possible (and much more probable) cause for this problem. 
The web application crash behavior was observed again when trying to set the 
password of a user whose 'passwordAllowChangeTime' attribute was still in the 
future due to password policy settings on the LDAP server. The presence or 
absence of special characters in the passwords was not a factor in this case.

If possible, I would suggest testing PWM in an environment where there is a 
password policy enforcing a minimum password age on the LDAP server, but where 
it is not set in PWM.

An obvious workaround to help avoid this problem is to set the 'Minimum 
Lifetime' parameter in the PwmConfiguration.xml config file such that it 
matches the policy on the LDAP server. It would be cool, however, if PWM were 
smart enough to pick this up from the LDAP server itself.

Thanks.

Ed

Original comment by ed.hu...@gmail.com on 7 Nov 2013 at 11:17
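As an added pre-flight check (not PWM's own code and not part of the original report): given an ldapsearch of the user entry and of the 389 DS global password policy, this Python snippet decides whether the server-side minimum-age window has elapsed before a change is submitted, and shows the value to mirror into PWM's 'Minimum Lifetime' setting so the two policies agree. The LDIF text is constructed sample data, not a real directory. The attribute names passwordAllowChangeTime and passwordMinAge are the 389 DS names; that passwordMinAge is expressed in seconds, and that PWM's 'Minimum Lifetime' takes the same unit, are assumptions to confirm against the 389 DS and PWM documentation for your versions.

```python
"""Pre-flight check for the LDAP minimum-password-age case described in the comment above.

Added example, not PWM code. Parses constructed ldapsearch-style LDIF and answers:
  - may this user change the password right now (passwordAllowChangeTime in the past)?
  - if not, how long until the server will accept it?
  - which value should PWM's 'Minimum Lifetime' mirror (389 DS passwordMinAge)?
"""
from datetime import datetime, timezone

# Constructed sample of a 389 DS user entry after a password change under a
# passwordMinAge policy. Values are invented; the attribute name is the 389 DS one.
SAMPLE_USER_LDIF = """dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
passwordAllowChangeTime: 20131108120000Z
"""

# Constructed sample of the global password policy on cn=config.
# Assumption (confirm against 389 DS docs): passwordMinAge is in seconds.
SAMPLE_CONFIG_LDIF = """dn: cn=config
passwordMinAge: 86400
"""


def parse_ldif(text):
    """Minimal LDIF reader for the constructed samples: one single-valued attribute per line,
    no line wrapping or base64 values. Returns a dict of attribute -> value."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entry[key.strip()] = value.strip()
    return entry


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ into an aware UTC datetime."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def change_allowed(user_entry, now):
    """Return (allowed, seconds_remaining) for a parsed user entry at time `now` (aware datetime).
    If passwordAllowChangeTime is absent, the server imposes no minimum age for this user."""
    raw = user_entry.get("passwordAllowChangeTime")
    if raw is None:
        return True, 0
    remaining = (parse_generalized_time(raw) - now).total_seconds()
    if remaining <= 0:
        return True, 0
    return False, int(remaining)


def check_user(user_ldif, now_generalized_time):
    """String-in, tuple-out wrapper: LDIF text plus 'now' as GeneralizedTime -> (allowed, seconds)."""
    return change_allowed(parse_ldif(user_ldif), parse_generalized_time(now_generalized_time))


def pwm_minimum_lifetime_seconds(config_ldif):
    """Value to set as PWM's 'Minimum Lifetime' so it matches the directory policy.
    Assumption: both PWM and 389 DS use seconds here; verify before applying."""
    return int(parse_ldif(config_ldif).get("passwordMinAge", "0"))


if __name__ == "__main__":
    # Constructed "current time": one hour before the sample passwordAllowChangeTime.
    allowed, wait = check_user(SAMPLE_USER_LDIF, "20131108110000Z")
    if allowed:
        print("change allowed now")
    else:
        print(f"server will reject a change for another {wait} s; "
              f"mirror passwordMinAge={pwm_minimum_lifetime_seconds(SAMPLE_CONFIG_LDIF)} s into PWM")
```

Running the check before calling the change form is what would have flagged the case in the comment: the user looked eligible in PWM (no Minimum Lifetime configured) while the directory still refused the modify. In a live environment, replace the constructed LDIF with the output of `ldapsearch -LLL` against the user DN and `cn=config`.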

GoogleCodeExporter commented 9 years ago
Please try with a nightly build.

Original comment by jrivard on 7 Nov 2013 at 11:27

GoogleCodeExporter commented 9 years ago
Closing, as no new comments have been received.

Original comment by menno.pi...@gmail.com on 26 Feb 2014 at 7:26