Inconsistent Question Login Behavior

Hello all,

I am working on implementing our requirements for forgotten password authentication questions. We have a somewhat unique policy regarding this. We want to always have a specific question asked. Then have 2 questions asked that are chosen from a random set. Then have 1 user-defined question asked. Since there is no out-of-the-box policy that captures this, I have been working to implement a solution. What I came up with was to redefine the FieldLoop in the Question Login Form. Instead of looping through 'questions[*].name' I have it evaluate an expression I wrote. The expression selects questions based on the policy I outlined above. The form is working great. It displays the proper questions in line with our policy. The problem is the authentication of the questions. I have the policy set to 'any'. If I set it to 4 questions, which is how many I am asking, then the application will never let me authenticate. It will continually give me the 'Please answer at least 4 questions' error. At the suggestion of Dana from Aegis, I set the 'any' policy to require only 1 question. The two required questions (the user-defined and the admin-defined questions) always work fine. However, the two random questions work only sporadically. Sometimes I have to enter the answer for one of the random questions as many as 3 or 4 times before it will get accepted. This behavior seems weird. It is not consistent at all.

We are using IdM 6.0 with no service packs. Has anyone run into this before? Does anyone have any advice about it?

[1566 byte] By [JimBeard] at [2007-11-26 11:02:49]
# 1
Has anyone seen anything like this before? Does anyone have any idea what's going on? Any advice?
JimBeard at 2007-7-7 3:16:39
# 2
anyone?
JimBeard at 2007-7-7 3:16:39
# 3
Anyone?
JimBeard at 2007-7-7 3:16:39
# 4
Bueller? Bueller?
JimBeard at 2007-7-7 3:16:39
# 5
Is there anyone from Sun that might have any insight?
JimBeard at 2007-7-7 3:16:39
# 6
hmmm...
JimBeard at 2007-7-7 3:16:39
# 7

Hi Jim, I had to build the following workflow to implement the password reset. You can tweak activity 3 'Select Questions' to do what you need. This workflow is not finished; it always selects the first three questions, but I think it is usable.

Have fun with it. Theo

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskDefinition PUBLIC 'waveset.dtd' 'waveset.dtd'>

<TaskDefinition authType='UserAdminTask' name='Task-FindLostPassword' creator='therijn' createDate='1145528788789' lastModifier='therijn' lastModDate='1146135380583' lastMod='536' wstype='ProvisioningTask' taskType='Workflow' executor='com.waveset.workflow.WorkflowExecutor' syncControlAllowed='true' execMode='sync' execLimit='0' resultLimit='3600' resultOption='delete' visibility='run' progressInterval='0'>
  <Extension>
    <WFProcess name='Task-FindLostPassword' title='Find Lost Password' maxSteps='0'>
      <Comments>This process allows an anonymous user to authenticate using the security questions and reset the password.</Comments>

      <Variable name='actionWF' value='findPassword'>
        <Comments>This attribute is used to distinguish between the various actions on the forms.</Comments>
      </Variable>
      <Variable name='userview'/>
      <Variable name='selectedQuestions'/>
      <Variable name='answersOK'>
        <Boolean>true</Boolean>
      </Variable>
      <Variable name='attemptsCount'>
        <Integer>0</Integer>
      </Variable>

      <Activity id='0' name='start'>
        <Transition to='Get Questions'/>
        <WorkflowEditor x='43' y='10'/>
      </Activity>

      <!-- Load the user view (without fetching resource accounts) so the stored questions are available. -->
      <Activity id='1' name='Get Questions'>
        <Action id='0' application='com.waveset.session.WorkflowServices'>
          <Argument name='op' value='getView'/>
          <Argument name='type' value='User'/>
          <Argument name='id'>
            <ref>accountId</ref>
          </Argument>
          <Argument name='options'>
            <Map>
              <MapEntry key='noFetch' value='true'/>
            </Map>
          </Argument>
          <Return from='view' to='userview'/>
        </Action>
        <Transition to='Check Email'/>
        <WorkflowEditor x='122' y='10'/>
      </Activity>

      <!-- Refuse the reset when there is no usable email address to send the new password to. -->
      <Activity id='2' name='Check Email'>
        <Transition to='SetExitMessage'>
          <isnull>
            <ref>userview.accounts[LDAP].email</ref>
          </isnull>
        </Transition>
        <Transition to='SetExitMessage'>
          <isFalse>
            <rule name='RLE-emailValidityAndDomainCheck'>
              <argument name='emailAddress' value='$(userview.accounts[LDAP].email)'/>
            </rule>
          </isFalse>
        </Transition>
        <Transition to='Select Questions'/>
        <WorkflowEditor x='217' y='10'/>
      </Activity>

      <!-- Pick the first three questions that have a stored answer; adjust this to implement your own policy. -->
      <Activity id='3' name='Select Questions'>
        <Action id='0' name='Select questions'>
          <expression>
            <block>
              <defvar name='counter'>
                <i>0</i>
              </defvar>
              <dolist name='iterator'>
                <ref>userview.waveset.questions</ref>
                <block>
                  <cond>
                    <and>
                      <lt>
                        <ref>counter</ref>
                        <i>3</i>
                      </lt>
                      <not>
                        <isnull>
                          <invoke name='get'>
                            <ref>iterator</ref>
                            <s>answer</s>
                          </invoke>
                        </isnull>
                      </not>
                    </and>
                    <block>
                      <set name='counter'>
                        <add>
                          <ref>counter</ref>
                          <i>1</i>
                        </add>
                      </set>
                      <set name='selectedQuestions[$(name)].answer'>
                        <s></s>
                      </set>
                      <set name='selectedQuestions[$(name)].original_answer'>
                        <invoke name='get'>
                          <ref>iterator</ref>
                          <s>answer</s>
                        </invoke>
                      </set>
                      <set name='selectedQuestions[$(name)].question'>
                        <invoke name='get'>
                          <ref>iterator</ref>
                          <s>question</s>
                        </invoke>
                      </set>
                      <set name='selectedQuestions[$(name)].name'>
                        <invoke name='get'>
                          <ref>iterator</ref>
                          <s>name</s>
                        </invoke>
                      </set>
                    </block>
                  </cond>
                </block>
              </dolist>
            </block>
          </expression>
        </Action>
        <Transition to='SetExitMessage'>
          <lt>
            <length>
              <ref>selectedQuestions</ref>
            </length>
            <i>3</i>
          </lt>
        </Transition>
        <Transition to='Get Answers'/>
        <WorkflowEditor x='318' y='125'/>
      </Activity>

      <!-- Present the selected questions to the user and collect the answers. -->
      <Activity id='4' name='Get Answers'>
        <Variable name='formButton'/>
        <ManualAction id='0' name='Show Authentication Answers' timeout='15' syncExec='true'>
          <WorkItemDescription>
            <s>Show Authentication Answers</s>
          </WorkItemDescription>
          <Owner>
            <ref>WF_CASE_OWNER</ref>
          </Owner>
          <Form noDefaultButtons='true'>
            <Display class='EditForm'>
              <Property name='title' value='Answer Authentication Questions'/>
              <Property name='subTitle' value='If you answer all questions correctly your password will be reset and sent to your email address. The answers are not case sensitive. Do not attempt to guess the answers if the name shown is not your name.'/>
            </Display>
            <Field name='variables.userview.accounts[LDAP].fullname'>
              <Display class='Label'>
                <Property name='title' value='_FM_FULLNAME'/>
              </Display>
            </Field>
            <!-- Shown only after a failed attempt. -->
            <Field>
              <Display class='Label'>
                <Property name='value' value='Please answer all questions correctly.'/>
                <Property name='font' value='testFontStyle'/>
                <Property name='color' value='#ff0000'/>
              </Display>
              <Disable>
                <isTrue>
                  <ref>variables.answersOK</ref>
                </isTrue>
              </Disable>
            </Field>
            <Field>
              <FieldLoop for='name' in='variables.selectedQuestions[*].name'>
                <Field name='variables.selectedQuestions[$(name)].answer'>
                  <Display class='Text'>
                    <Property name='title'>
                      <concat>
                        <ref>variables.selectedQuestions[$(name)].question</ref>
                        <s>:</s>
                      </concat>
                    </Property>
                    <Property name='width' value='300'/>
                  </Display>
                </Field>
              </FieldLoop>
            </Field>
            <Field name='complete' type='string'>
              <Default>
                <s>true</s>
              </Default>
            </Field>
            <Field button='true'>
              <Display class='Button'>
                <Property name='name' value='variables.formButton'/>
                <Property name='label' value='Continue'/>
                <Property name='command' value='Save'/>
                <Property name='value' value='continue'/>
              </Display>
            </Field>
            <Field button='true'>
              <Display class='Button'>
                <Property name='name' value='variables.formButton'/>
                <Property name='label' value='Cancel'/>
                <Property name='command' value='SaveNoValidate'/>
                <Property name='value' value='cancel'/>
              </Display>
            </Field>
          </Form>
        </ManualAction>
        <Transition to='SetCanceledMessage'>
          <eq>
            <ref>formButton</ref>
            <s>cancel</s>
          </eq>
        </Transition>
        <Transition to='Check Attempts'/>
        <WorkflowEditor x='421' y='137'/>
      </Activity>

      <!-- Count every submission; more than three ends the workflow. -->
      <Activity id='5' name='Check Attempts'>
        <Action id='0'>
          <expression>
            <set name='attemptsCount'>
              <add>
                <i>1</i>
                <ref>attemptsCount</ref>
              </add>
            </set>
          </expression>
        </Action>
        <Transition to='SetTooManyAttemptsMessage'>
          <gt>
            <ref>attemptsCount</ref>
            <i>3</i>
          </gt>
        </Transition>
        <Transition to='Check Answers'/>
        <WorkflowEditor x='540' y='137'/>
      </Activity>

      <!-- Compare the trimmed, upper-cased supplied answer with the stored answer; all must match. -->
      <Activity id='6' name='Check Answers'>
        <Action id='0'>
          <expression>
            <block>
              <set name='answersOK'>
                <Boolean>true</Boolean>
              </set>
              <dolist name='iterator'>
                <ref>selectedQuestions</ref>
                <cond>
                  <neq>
                    <upcase>
                      <trim>
                        <invoke name='get'>
                          <ref>iterator</ref>
                          <s>answer</s>
                        </invoke>
                      </trim>
                    </upcase>
                    <invoke name='get'>
                      <ref>iterator</ref>
                      <s>original_answer</s>
                    </invoke>
                  </neq>
                  <set name='answersOK'>
                    <Boolean>false</Boolean>
                  </set>
                </cond>
              </dolist>
              <cond>
                <isFalse>
                  <ref>answersOK</ref>
                </isFalse>
                <s>You must correctly answer all 3 questions</s>
              </cond>
            </block>
          </expression>
        </Action>
        <Transition to='Get Answers'>
          <isFalse>
            <ref>answersOK</ref>
          </isFalse>
        </Transition>
        <Transition to='resetPassword'/>
        <WorkflowEditor x='468' y='248'/>
      </Activity>

      <Activity id='7' name='SetResetPasswordMessage'>
        <Comments>Tell the user that the password has been reset and mailed.</Comments>
        <Action id='0' application='SET_RESULT'>
          <Argument name='name' value='WFExitMessage'/>
          <Argument name='type' value='String'/>
          <Argument name='value' value='Your password has been reset. Please check your email.'/>
        </Action>
        <Transition to='end'/>
        <WorkflowEditor x='618' y='166'/>
      </Activity>

      <Activity id='8' name='SetTooManyAttemptsMessage'>
        <Comments>Too many attempts; the account will be locked for the next 30 minutes.</Comments>
        <Action id='0' application='SET_RESULT'>
          <Argument name='name' value='WFExitMessage'/>
          <Argument name='type' value='String'/>
          <Argument name='value' value='Too many attempts; your account will be locked for the next 30 minutes.'/>
        </Action>
        <Transition to='end'/>
        <WorkflowEditor x='626' y='27'/>
      </Activity>

      <Activity id='9' name='SetExitMessage'>
        <Comments>Give one common error message so that attackers cannot 'guess' information about our users.</Comments>
        <Action id='0' application='SET_RESULT'>
          <Argument name='name' value='WFExitMessage'/>
          <Argument name='type' value='String'/>
          <Argument name='value' value='Due to a problem with your data we cannot authenticate you using the security questions. Your UserID does not exist, your email address is missing or invalid, or you have not answered the security questions.'/>
        </Action>
        <Transition to='end'/>
        <WorkflowEditor x='319' y='10'/>
      </Activity>

      <Activity id='10' name='end'>
        <WorkflowEditor x='421' y='10'/>
      </Activity>

      <!-- All answers matched: run the reset sub-process, which mails the new password. -->
      <Activity id='11' name='resetPassword'>
        <Action id='0' name='Prelude'>
          <expression>
            <set name='actionWF'>
              <s>resetPassword</s>
            </set>
          </expression>
        </Action>
        <Action id='1' process='Reset the Password'>
          <Argument name='adminEmailAddress'/>
          <Argument name='notificationEmailToAddress'>
            <Boolean>false</Boolean>
          </Argument>
          <Argument name='accountId' value='$(accountId)'/>
          <Return from='result' to='result'/>
          <SubProcess>
            <ObjectRef type='Configuration' name='TaskSubProc-ResetPassword'/>
          </SubProcess>
        </Action>
        <Transition to='SetResetPasswordMessage'/>
        <WorkflowEditor x='698' y='248'/>
      </Activity>

      <Activity id='12' name='SetCanceledMessage'>
        <Comments>Set the message that the action is canceled.</Comments>
        <Action id='0' application='SET_RESULT'>
          <Argument name='name' value='WFExitMessage'/>
          <Argument name='type' value='String'/>
          <Argument name='value' value='You canceled answering the authentication questions.'/>
        </Action>
        <Transition to='end'/>
        <WorkflowEditor x='403' y='90'/>
      </Activity>
    </WFProcess>
  </Extension>

  <Description>Reset the User's password after the security questions are answered correctly.</Description>
  <MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
  </MemberObjectGroups>
</TaskDefinition>

therijn at 2007-7-7 3:16:39
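The following is an added reference model, not code from either post or from IdM, of the two pieces the thread is about: Jim's selection policy (one admin question, two drawn from a random pool, one user-defined question) and the verify loop from Theo's workflow (attempt counter, 'all must match' or 'any N' check). Question names, the pool and the sample answers are constructed for the example; unlike Theo's Check Answers activity, it applies the same trim/upper-case normalisation to the stored answer as well as the supplied one, so a stored answer with different case or padding cannot fail by itself.

```python
import hmac
import secrets

# Constructed question names for the example; not identifiers from the post.
ADMIN_QUESTION = "q_admin"                      # always asked
RANDOM_POOL = ["q_r1", "q_r2", "q_r3", "q_r4"]  # two of these are drawn
MAX_ATTEMPTS = 3                                # Theo's Check Attempts limit

def select_questions(user_questions, rng=None):
    """Jim's policy: admin question + 2 random from the pool + the user's own.
    Only questions with a stored answer are eligible (Theo's isnull filter)."""
    rng = rng or secrets.SystemRandom()
    answered = [n for n, q in user_questions.items() if q.get("answer")]
    if ADMIN_QUESTION not in answered:
        raise ValueError("admin-defined question has no stored answer")
    pool = [n for n in RANDOM_POOL if n in answered]
    if len(pool) < 2:
        raise ValueError("fewer than 2 answered questions in the random pool")
    user_defined = [n for n in answered
                    if n != ADMIN_QUESTION and n not in RANDOM_POOL]
    if len(user_defined) != 1:
        raise ValueError("expected exactly one user-defined question")
    return [ADMIN_QUESTION] + rng.sample(pool, 2) + user_defined

def normalize(answer):
    """Case- and whitespace-insensitive form, applied to BOTH sides."""
    return " ".join((answer or "").split()).upper().encode("utf-8")

def check_answers(user_questions, selected, supplied, required=None):
    """Count correct answers. required=None means every selected question
    must match (Theo's rule); a number gives the 'any N' policy variant."""
    required = len(selected) if required is None else required
    correct = 0
    for name in selected:
        expected = normalize(user_questions[name]["answer"])
        if hmac.compare_digest(expected, normalize(supplied.get(name))):
            correct += 1
    return correct >= required

def reset_attempt(state, user_questions, supplied, required=None):
    """One pass of Get Answers -> Check Attempts -> Check Answers.
    state holds 'selected' (from select_questions) and an 'attempts' count."""
    state["attempts"] += 1
    if state["attempts"] > MAX_ATTEMPTS:
        return "locked"     # SetTooManyAttemptsMessage
    if check_answers(user_questions, state["selected"], supplied, required):
        return "reset"      # proceed to resetPassword
    return "retry"          # back to Get Answers
```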