AccountManagementService bug or not?
Eric_Stricker
Level 3

15-06-2020

I was looking at the "AccountManagementService", as this service provides two nice features: it validates users who register themselves, and it allows a user to reset their own password.

One point I want to understand is the host validation. The host name of the production server is not the same as the URL the external customer sees. So, to generate the email, we call the service accountManagementService.requestPasswordReset with the hostname set to the external-facing hostname. This hostname is embedded in the token as one of the secured parameters AND is used to generate the URL in the email that the user can click.

On the return, the system validates the token in the "AccountManagementServlet" with the private method below. The host name here is the internal host name, so the token will always be invalid, as the internal host name is different from the external host name embedded in the token. Is there something I overlooked here?

 

    private boolean isTokenValid(String token, String hostname) {
        if (!this.jwsValidator.validate(token))
            return false;
        String hostField = getTokenField(token, "host");
        return (hostField != null && !"".equals(hostField) && hostname != null &&
                !"".equals(hostname) && hostField.equals(hostname));
    }

 

Replies

Mayank_Gandhi
Level 10

23-06-2020

@Eric_Stricker You might have to map your host and DNS in the "Day CQ Link Externalizer" configuration.

https://helpx.adobe.com/in/experience-manager/6-3/sites/developing/using/externalizer.html#:~:text=C... 

Eric_Stricker
Level 3

23-06-2020

@Mayank_Gandhi

We already use the Externalizer on the outgoing message, but the issue here is the validation when the user submits the form from the page after entering a new password. The customer-facing URL is a nicely formatted URL, while the actual internal server URL inside the safe zone is a very different URL. The system generates the key value with the Externalizer-generated URL, while it validates the URL against the internal host name. This will never match in this case.
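The mismatch described in the opening post and restated in the reply above, worked through in Python as an added illustration (this is neither AEM's code nor code from either poster): a host-bound reset token is minted with the externalized hostname, the quoted strict comparison against the hostname the internal servlet sees fails, and a variant that compares the claim with the configured set of public hostnames keeps the host binding without depending on which Host header the internal tier receives. The HMAC-SHA256 token is a simplified stand-in for the JWS the servlet's jwsValidator checks; SECRET_KEY, ALLOWED_PUBLIC_HOSTS and all hostnames are constructed values.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional

# Constructed demo key. A real deployment loads its signing key from a secret store.
SECRET_KEY = b"demo-signing-key-not-for-production"

# Assumed configuration: the hostnames customers actually see in the reset link.
# This stands in for the externalized (public) host mapping discussed in the thread.
ALLOWED_PUBLIC_HOSTS = {"www.example.com", "account.example.com"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_reset_token(user_id: str, public_host: str, ttl_seconds: int = 3600,
                      now: Optional[float] = None) -> str:
    """Mint a host-bound reset token: base64url(payload).base64url(HMAC-SHA256(payload))."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "host": public_host, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(sig)}"


def verify_signature(token: str) -> Optional[dict]:
    """Return the claims if the signature checks out, else None (the jwsValidator step)."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def _unexpired(claims: dict, now: Optional[float]) -> bool:
    now = time.time() if now is None else now
    return isinstance(claims.get("exp"), int) and claims["exp"] >= now


def is_token_valid_strict(token: str, request_hostname: str,
                          now: Optional[float] = None) -> bool:
    """The check quoted in the thread: the host claim must equal the hostname the servlet sees.

    Behind a reverse proxy the servlet sees the internal hostname, so a token minted
    with the externalized hostname never matches.
    """
    claims = verify_signature(token)
    if claims is None or not _unexpired(claims, now):
        return False
    host = claims.get("host")
    return isinstance(host, str) and bool(host) and bool(request_hostname) \
        and host == request_hostname


def is_token_valid_externalized(token: str, allowed_hosts: Iterable[str],
                                now: Optional[float] = None) -> bool:
    """Compare the host claim against the configured public hostnames instead.

    The binding survives (a token minted for one site is rejected elsewhere) while the
    check no longer depends on the Host header the internal tier happens to receive.
    """
    claims = verify_signature(token)
    if claims is None or not _unexpired(claims, now):
        return False
    host = claims.get("host")
    allowed = {h.lower() for h in allowed_hosts}
    return isinstance(host, str) and bool(host) and host.lower() in allowed


def tamper_host(token: str, new_host: str) -> str:
    """Rewrite the host claim but keep the old signature, to show the signature check bites."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["host"] = new_host
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64url(payload)}.{sig_b64}"


if __name__ == "__main__":
    issued_at = 1_600_000_000
    token = issue_reset_token("alice", "www.example.com", now=issued_at)
    print("strict, internal host :", is_token_valid_strict(token, "publish-01.internal", now=issued_at + 60))
    print("externalized allowlist:", is_token_valid_externalized(token, ALLOWED_PUBLIC_HOSTS, now=issued_at + 60))
```

The host claim exists so that a reset link generated for one site cannot be accepted by another; comparing it against a configured allowlist of public hostnames preserves that property, whereas comparing against the internal hostname rejects every legitimate token. Rejected host values are worth logging, since a claim outside the allowlist indicates either a misconfigured externalizer mapping or a token that was not minted by this site.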

Mayank_Gandhi
Level 10

06-07-2020