I was looking at the "AccountManagementService" as this function provide two nice features to validate users who can register themselves and it provide a feature to allow user to reset their own password.
One point I want to understand is the host validation. The host name of the production server is not the same as the URL the external customer is looking at. So for the generation of the email we call the service accountManagementService.requestPasswordReset with the hostname equal to the external facing hostname. This hostname is embedded in the token as one of the secured parameters AND is used to generate the URL in the email that the user can click.
On the return the system validate the token in the "AccountManagementServlet" with this private code below. The host name here is the internal host name so the token will always be invalid as the internal host name is different from the external host name embedded in the token. Is there something I overlook here?
private boolean isTokenValid(String token, String hostname) {
if (!this.jwsValidator.validate(token))
return false;
String hostField = getTokenField(token, "host");
return (hostField != null && !"".equals(hostField) && hostname != null &&
!"".equals(hostname) && hostField.equals(hostname));
}
