Saturday, August 29, 2015

Change Password Validation Event Handler: Adding Custom Password Requirements

Tested On: Oracle Identity Manager 11.1.2.3.0
Description: Demonstrates how to add custom password requirements that are not covered by the out-of-the-box Oracle Identity Manager password policy. The implementation is a custom validation event handler on the change password operation. The example given here validates that the new password contains neither the user's middle name nor the user's email.

Validation on First Login Password Change

Validation on Forgot Password

Validation on Admin Changing User Password

References: https://docs.oracle.com/cd/E52734_01/oim/OMDEV/oper.htm#OMDEV3085
http://docs.oracle.com/cd/E52734_01/oim/OMUSG/pwdpolicy.htm#OMUSG5478
http://docs.oracle.com/cd/E27559_01/apirefs.1112/e28159/oracle/iam/platform/Platform.html#getServiceForEventHandlers_java_lang_Class__java_lang_String__java_lang_String__java_lang_String__java_util_HashMap_


Troubleshooting

Anonymous User Issue
Error: <oracle.iam.platform.authopss.impl> <BEA-000000> <Unable to populate the self-capabilities for User :null

Issue: When trying to change the user's password through the Forgot Password? link, the custom validation event handler fails when trying to use User Manager API.

Cause: The actor (the internal user performing the change) is anonymous, so the call to the oracle.iam.identity.usermgmt.api.UserManager.getDetails method in the custom code fails when the service was obtained with "Platform.getService(UserManager.class)".

Workaround: Either have the custom code check for the <anonymous> actor and fall back to a SQL query to fetch the target user's attributes, or, the much better approach, obtain the service with "Platform.getServiceForEventHandlers(UserManager.class, null, "ADMIN", "ChangePasswordValidationEH", null)".

IAM-3040027 : An error occurred while changing the user password. java.lang.RuntimeException: Unable to populate the self-capabilities for User :null
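The following validation event handler is an added example written for this post; it is not the code the post describes and has not been taken from Oracle. It implements the check named in the description (the new password must not contain the user's middle name or email) and obtains UserManager through Platform.getServiceForEventHandlers as in the workaround above, so the lookup also works when the actor is anonymous (Forgot Password flow). Assumptions: the package name, the class name ChangePasswordValidationEH (also used as the context name, as in the workaround), and the orchestration parameter key PASSWORD_PARAM that carries the new password, which is a placeholder you must replace with the key your OIM version uses. As an extension of the post's check, the example also rejects the local part of the email (the text before "@") and compares case-insensitively.

```java
package example.oim.eventhandlers; // hypothetical package name

import java.io.Serializable;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.api.UserManagerConstants;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.Platform;
import oracle.iam.platform.kernel.ValidationException;
import oracle.iam.platform.kernel.ValidationFailedException;
import oracle.iam.platform.kernel.spi.ValidationHandler;
import oracle.iam.platform.kernel.vo.BulkOrchestration;
import oracle.iam.platform.kernel.vo.Orchestration;

public class ChangePasswordValidationEH implements ValidationHandler {

    // PLACEHOLDER: orchestration parameter key holding the new password.
    // Replace with the key your OIM release passes on the change password operation.
    private static final String PASSWORD_PARAM = "NEW_PASSWORD_PARAMETER_KEY";

    // Context name passed to getServiceForEventHandlers; assumed to match the handler name.
    private static final String CONTEXT_NAME = "ChangePasswordValidationEH";

    @Override
    public void initialize(HashMap<String, String> arg0) {
        // No configuration needed for this example.
    }

    @Override
    public void validate(long processId, long eventId, Orchestration orchestration)
            throws ValidationException, ValidationFailedException {
        HashMap<String, Serializable> params = orchestration.getParameters();
        String newPassword = asString(params.get(PASSWORD_PARAM));
        String userKey = orchestration.getTarget().getEntityId();
        checkPassword(newPassword, lookupUser(userKey));
    }

    @Override
    public void validate(long processId, long eventId, BulkOrchestration bulkOrchestration)
            throws ValidationException, ValidationFailedException {
        // Bulk form: one parameter map per target user, in the same order as the entity ids.
        HashMap<String, Serializable>[] paramSets = bulkOrchestration.getBulkParameters();
        String[] userKeys = bulkOrchestration.getTarget().getAllEntityId();
        for (int i = 0; i < userKeys.length; i++) {
            String newPassword = asString(paramSets[i].get(PASSWORD_PARAM));
            checkPassword(newPassword, lookupUser(userKeys[i]));
        }
    }

    // Fetch only the attributes the rule needs. Using getServiceForEventHandlers instead of
    // Platform.getService avoids the "Unable to populate the self-capabilities for User :null"
    // failure when the actor is <anonymous> (Forgot Password flow).
    private User lookupUser(String userKey) throws ValidationFailedException {
        UserManager userManager = Platform.getServiceForEventHandlers(
                UserManager.class, null, "ADMIN", CONTEXT_NAME, null);
        Set<String> attrs = new HashSet<String>();
        attrs.add(UserManagerConstants.AttributeName.MIDDLENAME.getId());
        attrs.add(UserManagerConstants.AttributeName.EMAIL.getId());
        try {
            return userManager.getDetails(userKey, attrs, false); // false: key is usr_key, not login
        } catch (Exception e) {
            // Fail closed: if we cannot evaluate the rule, the password change is rejected.
            throw new ValidationFailedException("Unable to read user attributes for password validation: "
                    + e.getMessage());
        }
    }

    // The actual rule: reject a password containing the middle name, the email, or the email local part.
    static void checkPassword(String newPassword, User user) throws ValidationFailedException {
        if (newPassword == null || newPassword.isEmpty()) {
            return; // nothing to evaluate; the standard policy handles empty passwords
        }
        String lower = newPassword.toLowerCase(Locale.ROOT);
        String middleName = asString(user.getAttribute(UserManagerConstants.AttributeName.MIDDLENAME.getId()));
        String email = asString(user.getAttribute(UserManagerConstants.AttributeName.EMAIL.getId()));

        if (containsValue(lower, middleName)) {
            throw new ValidationFailedException("Password must not contain the user's middle name.");
        }
        if (containsValue(lower, email)) {
            throw new ValidationFailedException("Password must not contain the user's email address.");
        }
        // Extension beyond the post: also reject the part before '@', which users often reuse.
        if (email != null && email.indexOf('@') > 0 && containsValue(lower, email.substring(0, email.indexOf('@')))) {
            throw new ValidationFailedException("Password must not contain the local part of the user's email.");
        }
    }

    // Case-insensitive containment; blank attributes never match (avoid rejecting every password).
    private static boolean containsValue(String lowerPassword, String value) {
        if (value == null || value.trim().length() < 2) {
            return false;
        }
        return lowerPassword.contains(value.trim().toLowerCase(Locale.ROOT));
    }

    private static String asString(Object value) {
        return value == null ? null : value.toString();
    }
}
```

Register the class as a validation event handler on the CHANGE_PASSWORD operation of the User entity through the usual EventHandlers.xml and plug-in registration described in the developer guide referenced above; the messages thrown here are the ones the UI is expected to display, which is where the "Null Validation Message" issue below can surface.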

Null Validation Message
Issue: When the password is changed through the My Information section, the validation message thrown by the custom validation event handler is not shown; null is displayed instead. Looking at the logs, this error may be the culprit:
<Error> <oracle.iam.platform.utils> <BEA-000000> <An error occurred while loading the parent resource bundle oracle.iam.selfservice.resources.Logging

3 comments:

  1. I get the following error when the event handler is triggered..
    java.lang.NullPointerException
    at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.getCipher(tcDefaultDBEncryptionImpl.java:121)
    at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.decrypt(tcDefaultDBEncryptionImpl.java:215)
    at com.thortech.xl.crypto.tcCryptoUtil.decrypt(tcCryptoUtil.java:122)
    at com.thortech.xl.crypto.tcCryptoUtil.decrypt(tcCryptoUtil.java:163)
    at com.wa.wahbe.oim.eventhandlers.PasswordValidate.validate(Unknown Source)
    at oracle.iam.platform.kernel.impl.OrchProcessData.validate(OrchProcessData.java:258)
    Any help please ?

  2. What is the solution for null being displayed instead of the error message when the password is changed from the My Profile section?

  3. The null message on the My Information page is a bug in OIM 12.2.1.3 also. I reported it. So hopefully it will get fixed.
