OFBIZ-4983: New feature to reclaim a user account - Using Security Questions

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Implemented
    • Affects Version/s: Trunk
    • Fix Version/s: 16.11.01
    • Component/s: framework
    • Labels: None
    • Sprint: Bug Crush Event - 21/2/2015

      Description

      Referring to Vikas's proposed model on Reclaiming a User Account using security questions, as follows:

      "When a customer creates an account on an eCommerce site, he will also
      need to answer a few security questions. We can enforce a restriction on
      the minimum number of questions that must be answered by a user before
      his profile is created successfully, through some configurations which
      are discussed in the next section. These security questions can then
      be used to reclaim the customer account in case he forgets his
      password. The user can also be given a choice to add his own custom
      questions, and this would again be enabled/disabled through some
      configurations.

      If the user correctly answers the minimum required questions while
      reclaiming his account, the password will be sent through email
      notification. This part would work in the same way as the existing
      email password (forgot password) functionality."

      We would probably need screens to configure:

      1) Security Questions in the system.
      These questions will be called Standard security questions and can
      only be entered by an admin (or a person with similar privileges).
      These questions will be available to every user who creates or
      updates his profile.

      2) Giving the user an option to create his own custom security questions.
      A configuration/property would determine whether this option is
      available to the user or not. These questions will be called Custom
      security questions and can be entered only by a user while creating or
      updating a profile. These questions will be available and applicable
      only to the owner of the questions, i.e. the user who created them.

      3) Minimum number of questions that are required to be answered.
      This configuration/property would determine the minimum number of
      questions that a user must answer while creating an account as well
      as while reclaiming an account.

      I think we can save the above (#1, #2) configuration in the database and
      provide screens to configure them. IMO, these configurations can also
      be called security configuration, since they are somehow related to
      security.

      At this moment I do not have much idea about where this sort of
      configuration should be saved, but it could be part of the entity
      that saves the security configurations (which does not exist at this
      moment). In recent days certain properties have been moved to entities,
      and this could certainly be done with the security properties at some
      point; until then these configurations can be kept under the
      security properties file.

      Custom Data Model:

      The new entities that would be required for this feature are the following
      (Scott helped improve the data model a few months back):

      SecurityQuestion: Security Questions in the system. These questions can
      be standard (added by an admin and visible/available to every new
      user while creating a new account) as well as custom questions (added
      by a user). We can differentiate between the types of questions using
      questionTypeEnumId (STANDARD or CUSTOM) as defined in the data model
      below.

      PartySecurityQuestion: All the questions that are related to a User.
      They can be a mix of both Standard and Custom.

      UserLoginSecurityQuestion: An entity to capture the answer to a
      security question and tie it to a UserLogin, very much like
      UserLoginSecurityGroup. When a User reclaims his account, the questions
      answered by this user would be matched against the answers of the
      questions (corresponding to that user) in this entity.

      <entitymodel>
          <entity entity-name="SecurityQuestion" package-name="org.ofbiz.security.login">
              <field name="questionId" type="id-ne"></field>
              <field name="questionTypeEnumId" type="id-ne"></field>
              <field name="question" type="very-long"></field>
              <prim-key field="questionId"/>
              <relation rel-entity-name="Enumeration" type="one" fk-name="SECQ_ENUM" title="QuestionType">
                  <key-map field-name="questionTypeEnumId" rel-field-name="enumId"/>
              </relation>
          </entity>

          <entity entity-name="PartySecurityQuestion" package-name="org.ofbiz.security.login">
              <field name="questionId" type="id-ne"></field>
              <field name="partyId" type="id-ne"></field>
              <prim-key field="questionId"/>
              <prim-key field="partyId"/>
              <relation rel-entity-name="SecurityQuestion" type="one" fk-name="PTYSECQ_SECQ">
                  <key-map field-name="questionId"/>
              </relation>
              <relation type="one" rel-entity-name="Party" fk-name="PTYSECQ_PTY">
                  <key-map field-name="partyId"/>
              </relation>
          </entity>

          <entity entity-name="UserLoginSecurityQuestion" package-name="org.ofbiz.security.login">
              <field name="questionId" type="id-ne"></field>
              <field name="userLoginId" type="id-vlong-ne"></field>
              <field name="question" type="very-long"></field>
              <field name="answer" type="short-varchar"></field>
              <prim-key field="questionId"/>
              <prim-key field="userLoginId"/>
              <relation rel-entity-name="SecurityQuestion" type="one" fk-name="ULGNSECQ_SECQ">
                  <key-map field-name="questionId"/>
              </relation>
              <relation rel-entity-name="UserLogin" type="one" fk-name="ULGNSECQ_ULGN">
                  <key-map field-name="userLoginId"/>
              </relation>
          </entity>
      </entitymodel>

      As per David's Comments :

      This looks like a great enhancement and this write-up is well thought
      out. Thanks for sharing it and soliciting feedback.

      About the data model, I'd recommend leaving out the
      PartySecurityQuestion entity. It introduces a dependency on the Party
      entity, which is in a higher level component, and it appears that the
      UserLoginSecurityQuestion entity is adequate; since authentication
      is a UserLogin thing (and not a Party thing), it is better and makes
      more sense there anyway.

      -David

      Attachments

      1. 1.png (39 kB, Harsha Chadhar)
      2. 2.png (45 kB, Harsha Chadhar)
      3. 3.png (65 kB, Harsha Chadhar)
      4. 4.png (17 kB, Harsha Chadhar)
      5. 5.png (60 kB, Harsha Chadhar)
      6. email received in French though the language was English.png (4 kB, Jacques Le Roux)
      7. no username.png (43 kB, Jacques Le Roux)
      8. OFBIZ-4983.patch (44 kB, Jacques Le Roux)
      9. OFBIZ-4983.patch (45 kB, Jacques Le Roux)
      10. OFBIZ-4983.patch (45 kB, Jacques Le Roux)
      11. OFBIZ-4983.patch (44 kB, Jacques Le Roux)
      12. OFBIZ-4983.patch (40 kB, Harsha Chadhar)
      13. OFBIZ-4983.patch (40 kB, Harsha Chadhar)
      14. OFBIZ-4983.patch (38 kB, Harsha Chadhar)
      15. username was empty reenter.png (53 kB, Jacques Le Roux)
      16. WithOutSecurityQuestionSet.JPG (14 kB, Harsha Chadhar)
      17. WithSecurityQuestionSet.JPG (19 kB, Harsha Chadhar)

          Activity

          Harsha Chadhar (harshac) added a comment - edited

          The modifications to the above proposal incorporating David's comment are:

          1. The PartySecurityQuestion and SecurityQuestion entities are not required. The Enumeration entity will work instead of these.
          2. The questions will be defined in Enumeration, in the description field. The EnumerationType entity will define the type data for the types of questions.
          3. The UserLoginSecurityQuestion entity does not require the question field; the reference enumId into the Enumeration entity will suffice.

          The UserLoginSecurityQuestion entity will be as follows:

          <entity entity-name="UserLoginSecurityQuestion" package-name="org.ofbiz.security.login">
            <field name="questionEnumId" type="id-ne"></field>
            <field name="userLoginId" type="id-vlong-ne"></field>
            <field name="answer" type="short-varchar"></field>
            <prim-key field="questionEnumId"/>
            <prim-key field="userLoginId"/>
            <relation rel-entity-name="Enumeration" type="one" fk-name="SECQ_ENUM">
              <key-map field-name="questionEnumId" rel-field-name="enumId"/>
            </relation>
            <relation rel-entity-name="UserLogin" type="one" fk-name="ULGNSECQ_ULGN">
              <key-map field-name="userLoginId"/>
            </relation>
          </entity>
          
          The type data will be as follows:

          <EnumerationType enumTypeId="SECURITY_QUESTION" description="Security Question" lastUpdatedStamp="2012-08-07 15:51:53.197" lastUpdatedTxStamp="2012-08-07 15:51:53.197" createdStamp="2012-08-07 15:51:53.197" createdTxStamp="2012-08-07 15:51:53.197"/>
          <EnumerationType enumTypeId="SQ_CUSTOM" parentTypeId="SECURITY_QUESTION" description="Custom Security Question" lastUpdatedStamp="2012-08-07 16:07:34.052" lastUpdatedTxStamp="2012-08-07 16:07:34.052" createdStamp="2012-08-07 16:07:34.052" createdTxStamp="2012-08-07 16:07:34.052"/>
          <EnumerationType enumTypeId="SQ_STANDARD" parentTypeId="SECURITY_QUESTION" description="Standard Security Question" lastUpdatedStamp="2012-08-07 16:07:01.323" lastUpdatedTxStamp="2012-08-07 16:07:01.323" createdStamp="2012-08-07 16:07:01.323" createdTxStamp="2012-08-07 16:07:01.323"/>
          
          <Enumeration enumId="SQ_STD_NCKNM" enumTypeId="SQ_STANDARD" enumCode="" sequenceId="0" description="What is your nick name" lastUpdatedStamp="2011-09-11 17:47:41.348" lastUpdatedTxStamp="2011-09-11 17:47:41.26" createdStamp="2011-09-11 17:47:41.348" createdTxStamp="2011-09-11 17:47:41.26"/>
          <Enumeration enumId="SQ_STD_MOTNM" enumTypeId="SQ_STANDARD" enumCode="" sequenceId="1" description="What is your mother's maiden name" lastUpdatedStamp="2011-09-11 17:47:41.348" lastUpdatedTxStamp="2011-09-11 17:47:41.26" createdStamp="2011-09-11 17:47:41.348" createdTxStamp="2011-09-11 17:47:41.26"/>
          <Enumeration enumId="SQ_STD_FAVTCH" enumTypeId="SQ_STANDARD" enumCode="" sequenceId="2" description="What is your favorite teacher's name" lastUpdatedStamp="2011-09-11 17:47:41.348" lastUpdatedTxStamp="2011-09-11 17:47:41.26" createdStamp="2011-09-11 17:47:41.348" createdTxStamp="2011-09-11 17:47:41.26"/> 
          <Enumeration enumId="SQ_STD_BSTFRND" enumTypeId="SQ_STANDARD" enumCode="" sequenceId="3" description="Who is your best childhood friend" lastUpdatedStamp="2011-09-11 17:47:41.348" lastUpdatedTxStamp="2011-09-11 17:47:41.26" createdStamp="2011-09-11 17:47:41.348" createdTxStamp="2011-09-11 17:47:41.26"/>
          

          Please provide suggestions so that I can provide the implementation as per the best approach.

          Harsha Chadhar (harshac) added a comment

          In the above proposal it was suggested that the user, while creating an account, is required to enter a minimum number of security questions, so that while recovering his account details he can only do so by answering these security questions correctly.
          Currently, while reclaiming account details through mail, the new/current password is sent in the mail body. In the provided implementation the following has been achieved with a slight modification to the existing approach:

          When the user clicks on the forgot password link and selects the email password option, the link to reset the password will be sent over mail as follows:

          1. The current password will be sent as an encrypted password in an input parameter over the email.
          2. When the user clicks on the reset password link, he is redirected to the change/reset password screen, which will have the current password as a hidden input field.
          3. The user will be required to enter new password and confirm password values in the Reset Password screen.
          4. The user is required to answer the security question which he chose while creating the user/registration. If he has not selected any security question, then the default change password screen will be displayed.
          5. Once all of the above conditions are fulfilled, the user will be allowed to reset the password.

          The current implementation restricts the user to entering at least one security question while creating an account; this may be enhanced to a minimum number in later patches.

          Implementation details :

          UI Changes :

          • CreateUser: A select box and a text box have been added for Security Question and Answer (Create Employee / Create Prospect / Create Customer).
          • CreateUserLogin (partymgr/Security): A select box and a text box have been added for Security Question and Answer.
          • Reset Password Email: Removed the password text from the email body, replaced by a form where the auto-generated encrypted password (current password) is sent as a hidden value.

          Service Changes :

          • createUser/createUserLogin : Create UserLoginSecurityQuestion record for pair of Security Question & answer if provided.
          • CRUD services for UserLoginSecurityQuestion entity.

          Testing prerequisites :

          • Mail settings to be done in general.properties.
          • The demo data provided above needs to be imported.

          Testing Steps :

          • Create a Party(Customer/Employee/Prospect) from partymgr. Select a security question from the given options, answer it and submit.
          • Go to login page (ex : https://<yourhost>/partymgr/control/login).
          • Click on the "forgot password" link.
          • Enter the username and click on continue.
          • Answer the security question corresponding to the one selected while creating account.
          • Click on the Email Password link.
          • Check the received mail, click on the "Click here to Reset Password" link.
          • In the reset password form enter the Current Password/ Verify Password and answer of the corresponding Security question.
          • Once all details are correctly entered the user is allowed to login to the application.

          Future enhancements may include :

          1. Implementation of the feature for eCommerce screens.
          2. The minimum number of Security Questions to be answered by the user while creating an account can be more than one, including the capability of defining his/her own custom security questions.

          Please find the patch attached, along with screenshots of the to-be screens.

          Harsha Chadhar (harshac) added a comment

          Screenshot details :
          1.png : The to-be screen that will be displayed when the user clicks on the forgot password link.
          2.png : The to-be screen which is displayed after the above step.
          3.png : The to-be screen for the Create User (Employee/Prospect/Customer) screens.
          4.png : The sample email received, which will consist of a link that on click redirects the user to the reset password screen.
          5.png : The to-be customized reset password screen.

          Harsha Chadhar (harshac) added a comment - edited

          Also, please suggest in which data file we can include the demo data provided above.

          Gaurav Aggarwal (progaurav@gmail.com) added a comment

          +1 for this new feature.

          Jacques Le Roux (jacques.le.roux) added a comment

          Hi Gaurav,

          Did you test it and/or review it? Please then add your vote using the Jira voting feature, thanks.

          Jacques Le Roux (jacques.le.roux) added a comment

          BTW, I see that you guys, Sumit and Leon, voted for it. Did you review and/or test?

          Sumit Pandit (sumitp) added a comment

          Hi Jacques,
          Following are my comments -
          a. Functional requirement: It is the kind of feature which is good to have for user security within the system. +1.
          b. Data model suggested: Defining the questions in Enumeration is a good option.
          c. The first phase of implementation is good for having one security question for now; later it can be modified to support multiple security questions to reclaim a user account.
          d. Patch looks fine at first look.
          e. Will do further review analysis and test it today.

          Jacques Le Roux (jacques.le.roux) added a comment

          Other reviews?

          Harsha Chadhar (harshac) added a comment

          Providing updated patch with some refinements.

          Sumit Pandit (sumitp) added a comment

          Hi Jacques and all, I tested the patch and it is functioning as described.
          Referring to the comment posted at Apr 03, 14:48, what would be the best file to drop the following data into?

          In my opinion PartyTypeData.xml could be an option.

          <EnumerationType enumTypeId="SECURITY_QUESTION" description="Security Question" lastUpdatedStamp="2012-08-07 15:51:53.197" lastUpdatedTxStamp="2012-08-07 15:51:53.197" createdStamp="2012-08-07 15:51:53.197" createdTxStamp="2012-08-07 15:51:53.197"/>
          <EnumerationType enumTypeId="SQ_CUSTOM" parentTypeId="SECURITY_QUESTION" description="Custom Security Question" lastUpdatedStamp="2012-08-07 16:07:34.052" lastUpdatedTxStamp="2012-08-07 16:07:34.052" createdStamp="2012-08-07 16:07:34.052" createdTxStamp="2012-08-07 16:07:34.052"/>
          <EnumerationType enumTypeId="SQ_STANDARD" parentTypeId="SECURITY_QUESTION" description="Standard Security Question" lastUpdatedStamp="2012-08-07 16:07:01.323" lastUpdatedTxStamp="2012-08-07 16:07:01.323" createdStamp="2012-08-07 16:07:01.323" createdTxStamp="2012-08-07 16:07:01.323"/>
          
          <Enumeration enumId="SQ_STD_NCKNM" enumTypeId="SQ_STANDARD" enumCode="" sequenceId="0" description="What is your nick name" lastUpdatedStamp="2011-09-11 17:47:41.348" lastUpdatedTxStamp="2011-09-11 17:47:41.26" createdStamp="2011-09-11 17:47:41.348" createdTxStamp="2011-09-11 17:47:41.26"/>
          <Enumeration enumId="SQ_STD_MOTNM" enumTypeId="SQ_STANDARD" enumCode="" sequenceId="1" description="What is your mother's maiden name" lastUpdatedStamp="2011-09-11 17:47:41.348" lastUpdatedTxStamp="2011-09-11 17:47:41.26" createdStamp="2011-09-11 17:47:41.348" createdTxStamp="2011-09-11 17:47:41.26"/>
          <Enumeration enumId="SQ_STD_FAVTCH" enumTypeId="SQ_STANDARD" enumCode="" sequenceId="2" description="What is your favorite teacher's name" lastUpdatedStamp="2011-09-11 17:47:41.348" lastUpdatedTxStamp="2011-09-11 17:47:41.26" createdStamp="2011-09-11 17:47:41.348" createdTxStamp="2011-09-11 17:47:41.26"/> 
          <Enumeration enumId="SQ_STD_BSTFRND" enumTypeId="SQ_STANDARD" enumCode="" sequenceId="3" description="Who is your best childhood friend" lastUpdatedStamp="2011-09-11 17:47:41.348" lastUpdatedTxStamp="2011-09-11 17:47:41.26" createdStamp="2011-09-11 17:47:41.348" createdTxStamp="2011-09-11 17:47:41.26"/>
          

          Please suggest.

          Jacques Le Roux (jacques.le.roux) added a comment

          Thanks for the report Sumit,

          Any other volunteers? Leon, I saw you voted; did you review and/or test?

          Ankit Jain (ankit.jain) added a comment

          Hi,

          This is a good feature to add to OFBiz.

          I have applied your patch and tested it by loading the enumeration data; the security question is displayed and the party is created. Then, on forgot password, I gave the answer to the security question and clicked on send password.

          I received an email with a button to reset the password. It takes me to the change password page. I entered the new password and answered the security question. On clicking submit it redirects me to the same change password page and the password is not changed. On the console I get this error:

          [Java] Expression parameters.password is undefined on line 39, column 63 in component://common/webcommon/changePassword.ftl.
          [java] The problematic instruction:
          [java] ----------
          [java] ==> $

          {parameters.password}

          [on line 39, column 61 in component://common/webcommon/changePassword.ftl]
          [java] ----------
          [java]
          [java] Java backtrace for programmers:
          [java] ----------
          [java] freemarker.core.InvalidReferenceException: Expression parameters.password is undefined on line 39, column 63 in component://common/webcommon/changePassword.ftl.
          [java] at freemarker.core.TemplateObject.assertNonNull(TemplateObject.java:125)
          [java] at freemarker.core.Expression.getStringValue(Expression.java:118)
          [java] at freemarker.core.Expression.getStringValue(Expression.java:93)
          [java] at freemarker.core.DollarVariable.accept(DollarVariable.java:76)
          [java] at freemarker.core.Environment.visit(Environment.java:221)
          [java] at freemarker.core.MixedContent.accept(MixedContent.java:92)
          [java] at freemarker.core.Environment.visit(Environment.java:221)
          [java] at freemarker.core.IfBlock.accept(IfBlock.java:82)
          [java] at freemarker.core.Environment.visit(Environment.java:221)
          [java] at freemarker.core.MixedContent.accept(MixedContent.java:92)
          [java] at freemarker.core.Environment.visit(Environment.java:221)
          [java] at freemarker.core.Environment.process(Environment.java:199)

          Please have a look I have applied your patch on trunk.

A few suggestions:

1) Instead of a button there should be a reset password link in the mail, which is what is generally done everywhere.
2) When clicking on the button (Reset password) in the mail it redirects me to the change password page, so asking the security question here again is redundant, because at the time of forgot password one has already answered the question.

IMO we should not send the old password in the mail as a hidden field; we should handle this at our end. Then we also don't need to decrypt the password here.

Otherwise the feature is good and should be in OFBiz, and the other things and the code look good to me.

          Thanks Harsha for working on this.

          Thanks & Regards,
          Ankit

          harshac Harsha Chadhar added a comment -

I see, got what is happening. Following are my observations on the comments:

• You need to understand the functional behavior well or debug the code more.
• To understand why it is failing, look at the comments at OFBIZ-5176.

Due to access limitations, this patch was generated with a slightly older version of the code (about 1 month old). Attaching an updated patch with the latest version.

Since it is a big implementation, the issue will be completed in phases; in the next patch additional validations will be applied in support of success and failure scenarios.

          jacques.le.roux Jacques Le Roux added a comment -

          Thanks Ankit for reporting this issue.

Harsha, I put a comment at OFBIZ-5176. I did not detect this issue when committing and I agree we should revert the line change as Sumit suggests. What about Ankit's suggestions?

          It's good to see such a good collaboration! If all issues could receive as much attention we would progress much better

          jacques.le.roux Jacques Le Roux added a comment -

          OFBIZ-5176 has been fixed

          sumitp Sumit Pandit added a comment - - edited

          Referring Ankit's suggestion,

It doesn't seem redundant; these are two different points of action: requesting the auto-generated password is the first action, and updating the password with this generated password is the second action point. It should be implemented securely at both levels.

As for the concern about sending the password in a hidden field: in the current system the auto-generated password is sent over email, which is not considered secure. It should be encrypted, as proposed in the implementation plan. Also, at the time of reset password the current password is required, and it is passed via email in encrypted form. That's why the user has to provide the new password, secured by the security question.

          jacques.le.roux Jacques Le Roux added a comment -

          Thanks Sumit,

          I will soon review, test and commit this 1st phase if all is OK.

          utcb Leon added a comment -

          Sorry for late. My test result:

          1. create a new userLogin with security question set.
          2. use this new userLogin to login system to make sure it works.
          3. logout. and then click link "Forgot Your Password?"
          4. input userLogin name, click "continue" button
          5. Security question appears. – as expected.
          5.1. if I click "Get password hint" or "Email password" button directly, Errors Occurred with msg "The security answer is missing". --nice feature. No need to worry again that someone else will get your password hint or disable your userLogin randomly
          5.2. or input wrong security answer, click either button, Errors Occurred with msg "The answer does not match records, re-enter". --just as expected
          6. if input correct security answer, click "Get password Hint", the password hint is displayed as successful message and page is redirected to login page. – correctly
          7. if input correct security answer, click "Email password", it's then redirected to login page with successful message "A new password has been created and sent to you. Please check your Email."
          7.1. check the back-end in another browser, the "Required to change password" property of this user login is set to "Y" and the password hint is also changed to "Auto-Generated Password" – right, right
8. Very quickly, got the email. Click the button "Click here to reset password" in the email to navigate to the password change page. Input the new password and new security answer, submit. – successfully
8.1 one suggestion: it's better to use a link instead of a button in the email body. Sometimes I copy the link out to another browser
8.2 one question: I test on "localhost:8443", but the host of the submit URL in the email body is my LAN IP address (such as https://10.x.x.x:8443/ ...).
          9. use new password to login – successfully

          All functions I tested so far work very well just as Harsha described for 1st phase.

          Thanks Harsha for working on this.

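Leon's steps 5.1 and 5.2 above exercise the missing-answer and wrong-answer paths of the security question check. As an added example (not code from the patch and not OFBiz code), here is how a reviewer would expect the answer itself to be stored and compared: normalised so that "Mr. Smith" and "mr smith" match, hashed with a per-record random salt rather than kept in clear text, compared in constant time, and refused after a fixed number of failures so the question cannot be guessed at leisure. The class and field names, the five-attempt limit and the PBKDF2 parameters are assumptions made for the demo; the question id SQ_STD_MOTNM is taken from the enumeration data proposed on this page.

```python
"""Added example (not OFBiz code): storing and checking a security-question
answer. Assumptions for the demo: a plain Python class stands in for the
entity that would hold the answer, and 5 failures lock the question."""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

MAX_FAILED_ANSWERS = 5       # assumption: lock after five wrong answers
PBKDF2_ROUNDS = 100_000      # assumption: slows offline guessing if the table leaks


def normalise_answer(answer: str) -> str:
    """Case-fold and strip everything but letters and digits, so that
    "Mr. Smith ", "mr smith" and "MRSMITH" all compare equal."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", normalise_answer(answer).encode("utf-8"),
                              salt, PBKDF2_ROUNDS)
    return salt, key


class SecurityQuestionRecord:
    """One stored question/answer pair. The clear-text answer is never kept."""

    def __init__(self, question_enum_id: str, answer: str) -> None:
        self.question_enum_id = question_enum_id   # e.g. SQ_STD_MOTNM from the data above
        self.salt, self.answer_hash = hash_answer(answer)
        self.failed_attempts = 0

    def locked(self) -> bool:
        return self.failed_attempts >= MAX_FAILED_ANSWERS

    def verify(self, candidate: str) -> bool:
        """Constant-time comparison against the stored hash. An empty answer
        (Leon's step 5.1) and a wrong one (5.2) both count as a failure; once
        locked, even the right answer is refused until the lock is cleared."""
        if self.locked():
            return False
        if not normalise_answer(candidate):
            self.failed_attempts += 1
            return False
        _, candidate_hash = hash_answer(candidate, self.salt)
        if hmac.compare_digest(candidate_hash, self.answer_hash):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False


if __name__ == "__main__":
    record = SecurityQuestionRecord("SQ_STD_MOTNM", "  O'Brien ")
    print(record.verify("obrien"))   # True
    print(record.verify(""))         # False
```

The counter resets only on a correct answer; in a deployment it would be persisted with the record and be subject to an unlock policy, just as failed logins are. The normalisation is deliberately aggressive because answers to questions like "mother's maiden name" are typed from memory with inconsistent casing and punctuation.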
          jacques.le.roux Jacques Le Roux added a comment -

Thanks for your help Leon, it's never too late

          ankit.jain Ankit Jain added a comment - - edited

          Hi Harsha,

Thanks for the updated patch, found a few nits.

I have checked with the latest patch:
1) I get an error [component://common/webcommon/getSecurityQuestion.ftl]: java.io.FileNotFoundException.
Added it manually from the previous patch. The file is missing in the latest patch.
2) Trying to click on the "Reset Password" link in the mail, but it's not working. Then I modified the code and changed it back to a submit button. After clicking on the button, I entered the new password, answered the question and the password was changed; I logged in successfully. Finally it worked fine after these changes.

Thanks Sumit for the clarification. For security purposes asking the security question at both ends is ok.

As you said, for "Reset password" the current password is required, and in the current system also the auto-generated password is sent in the mail. I think for changing the password (https://demo-trunk.ofbiz.apache.org:8443/partymgr/control/ProfileEditUserLogin?partyId=admin&userLoginId=admin) the current password should be required, but not for Reset password, because we came from forgot password: the user doesn't remember his/her password so he/she wants to reset the password. And we don't need to send the current password as a hidden parameter.

IMHO we should write a different service to handle the reset password case; we should not send the password in the mail. WDYT? Or we can create a different jira issue for this.

          Suggestions??

          Thanks!

          harshac Harsha Chadhar added a comment -

          Uploading the updated patch with the missing file. Thanks Ankit for reporting.

          sumitp Sumit Pandit added a comment -

Hi Ankit, got your concern. Your idea seems to be functionally different from the existing process (in the existing system, the auto-generated password is sent in the mail in decrypted format) and is an idea which is not related to the current proposal.

Under this implementation, the work done is related to the password email. The following changes have been made on top of the existing process.
The idea behind the following implementation is to ensure the security of the user's password over the internet, and to achieve it using existing services/methods, with no functional change:
a. Password sent in encrypted format, where in the current system it is sent decrypted: proposed for security reasons.
b. The encrypted password is secure: since it is generated using a secret key, never known to the end user.
c. The encrypted password is not visible to the user: passed hidden.
d. On click on the link/button, a form is submitted and the password and other parameters are sent as POST: again for security reasons.
e. Since the user has forgotten the password, and the generated password is also not known to him, the user cannot enter the old/current password; it is implicitly passed: compatibility with the current process.
f. The existing service to update the password is being called, no change in functional logic.

Now coming to your approach of not sending the password over email... I also like the idea, and am thinking of a similar kind of implementation but with a bit different approach.
Since this discussion may deviate from the purpose of the task and may delay delivery of the remaining phases (which are also important for complete development), let's finalize the approach in a separate jira and implement it as separate functionality.

Jacques,
Referring to members' comments: including me, Leon and Ankit have tested the patch and found it fine and ready to deliver.
Sending the password over email: this discussion can be finalized and delivered separately and is not an issue that would be a blocker for the current proposal.
I guess if there are no further objections it is ready for you to take and commit.

          jacques.le.roux Jacques Le Roux added a comment -

          Hi Harsha,

I reviewed, it sounds good to me (not tested yet, I have to set up my local SMTP server). I will provide the French translation for the labels. Please put an explanation in security.properties for login.secret_key_string, like for the other properties, thanks!

          harshac Harsha Chadhar added a comment -

          Hi Jacques,
          Thanks for the suggestion & review. Please find updated patch with explanation for login.secret_key_string.

          jacques.le.roux Jacques Le Roux added a comment -

          Hi Harsha,

          I just tested and got some issues. I run out of time and will retry later.

          BTW, since they are needed, why did you not include the data in your patch?

          jacques.le.roux Jacques Le Roux added a comment -

          BTW the issue I got is that the user name was empty (see attached snapshots)

          The source of the received msg:

          <!-- Begin Screen component://securityext/widget/EmailSecurityScreens.xml#PasswordEmail -->
          <!-- Begin Template component://securityext/email/default/passwordemail.ftl -->
          
          <html>
          <head>
          </head>
          <body>
  <div>This e-mail is in response to your request to obtain a new password, which has been sent to you.</div>
            <br />
            <div>
        Your new password is &#58; 
                <form method="post" action="https&#58;&#47;&#47;192.168.1.8&#58;28443/partymgr/control/passwordChange" name="loginform" id="loginform" target="_blank">
                  <input type="hidden" name="USERNAME" value="jleroux2" />
                  <input type="hidden"  name="password" value="KvB86e&#47;s0Wi6iXxi5dd79i5L325HNBfK" />
                  <input type="hidden" name="forgotPwdFlag" value="true" />
                  <input type="submit" name="submit" value="Click Here To Reset Password" />
                </form>
            </div>
          </body>
          </html>
          <!-- End Template component://securityext/email/default/passwordemail.ftl -->
          <!-- End Screen component://securityext/widget/EmailSecurityScreens.xml#PasswordEmail -->
          
          harshac Harsha Chadhar added a comment -

          Hi Jacques,
I tried reproducing this issue but could not; can you please help in doing so? I have hidden the current password field from the reset password screen, so I believe it should not be rendered in any of the forgot password process flow. As per the implementation it should display either of the two screens (attached screenshots: WithOutSecurityQuestionSet.jpg, WithSecurityQuestionSet.jpg).
Regarding the data, your and other members' input on where to include the data will be appreciated.

          jacques.le.roux Jacques Le Roux added a comment -

          In my TODO list...

          atulvani Atul Vani added a comment - - edited

I thought the two patterns are entirely different:
1. One is to prove your genuineness by confirming your access to the EMAIL ADDRESS associated with the account, by clicking a UNIQUE link (containing an ENCRYPTED TOKEN) emailed to you, and then resetting the password.
2. The other method is to prove your genuineness by answering the SECURITY QUESTIONS specified at the time of account creation, and then resetting the password. NO email access required.

          Here are a few examples of the first one: http://www.quora.com/UI-UX-Design-Patterns/What-are-great-examples-of-a-forgot-password-UX-UI-pattern

          Reads for the second one, which do not mention involvement of the email address and the token: http://www.goodsecurityquestions.com/

A quote from wikipedia, which suggests that the processes are mutually exclusive:

          Users establish their identity, without using their forgotten or disabled password, >>by answering a series of personal questions,<< using a hardware authentication token, >>responding to a password notification e-mail or,<< less often, by providing a biometric sample. Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided.

          http://en.wikipedia.org/wiki/Self-service_password_reset

          And the reset password page of gmail:
          Password help for *********gmail.com
          Get a verification code on my phone: *************
          Confirm access to my recovery email: *********yahoo.com
          >>Can't access any of these recovery options? Verify your identity by answering multiple questions about your account.<<

          These all suggest, that when you opt for security questions, you are not supposed to prove your access to the email associated. You are just presented with the reset password page, if the answers are correct.

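Sumit's points a–f above describe carrying an encrypted copy of the generated password through the e-mail as a hidden form field, while Ankit and Atul propose a separate reset service that mails a unique link carrying a token and no password at all. As an added example (not OFBiz code and not the patch under review), the following shows the token variant end to end: the server stores only a hash of a random token together with an expiry, puts the raw token in the mailed link, and deletes the entry on first presentation so the same link cannot be used twice. The e-mailed form shown earlier carries the username and encrypted password as its state; the token variant carries one opaque value instead, and the expiry and single-use check live server-side. The in-memory dict standing in for a database table, the 30-minute lifetime, the function names and the base URL passed in by the caller are assumptions made for the demo.

```python
"""Added example (not OFBiz code): a single-use, expiring password-reset token.
Assumptions for the demo: an in-memory dict stands in for the database table,
links live 30 minutes, and the public base URL is supplied by the caller."""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import quote

TOKEN_TTL_SECONDS = 30 * 60   # assumption: reset links are good for 30 minutes

# token_hash -> (user_login_id, expires_at). Only the SHA-256 of the token is kept,
# so reading the table does not yield a working reset link.
_reset_store: Dict[str, Tuple[str, float]] = {}


def _digest(raw_token: str) -> str:
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


def issue_reset_token(user_login_id: str, now: Optional[float] = None) -> str:
    """Create a token once the security answer has been verified. Returns the raw
    token for the e-mail; any earlier outstanding token for the user is revoked."""
    now = time.time() if now is None else now
    for key, (uid, _) in list(_reset_store.items()):
        if uid == user_login_id:
            del _reset_store[key]
    raw = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, URL-safe alphabet
    _reset_store[_digest(raw)] = (user_login_id, now + TOKEN_TTL_SECONDS)
    return raw


def reset_link(base_url: str, raw_token: str) -> str:
    """Build the link for the e-mail body. base_url should be the configured public
    host, not the interface address the server happened to bind (Leon's point 8.2)."""
    return f"{base_url}?token={quote(raw_token, safe='')}"


def redeem_reset_token(raw_token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user the token was issued for, or None if it is unknown, expired
    or already used. The entry is removed on first presentation either way, so a
    link that was rejected once is not worth retrying."""
    now = time.time() if now is None else now
    entry = _reset_store.pop(_digest(raw_token), None)
    if entry is None:
        return None
    user_login_id, expires_at = entry
    return user_login_id if now <= expires_at else None


if __name__ == "__main__":
    token = issue_reset_token("testuser", now=0.0)   # "testuser" is a constructed login
    print(reset_link("https://localhost:8443/partymgr/control/passwordChange", token))
    print(redeem_reset_token(token, now=60.0))   # testuser
    print(redeem_reset_token(token, now=61.0))   # None: single use
```

The redeem step is where the new password would be accepted: the service looks up the user from the token, sets the new password and returns, so neither the old nor the generated password has to travel in the mail or in a hidden field. Revoking earlier tokens on issue means that repeated "forgot password" requests leave exactly one valid link outstanding.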
          jacques.le.roux Jacques Le Roux added a comment -

          I did not forget, but did not get a chance to get back to this yet...

          jacques.le.roux Jacques Le Roux added a comment -

Sumit suggested using enumerations for security questions and putting them in PartyTypeData.xml. I agree using enumerations is a good idea, but I believe a better place is to create a new SecurityTypeData.xml. The content would be

          <entity-engine-xml>
              <!-- OFBiz Core security -->
          
              <EnumerationType enumTypeId="SECURITY_QUESTION" description="Security Question"/>
              <EnumerationType enumTypeId="SQ_CUSTOM" parentTypeId="SECURITY_QUESTION" description="Custom Security Question"/>
              <EnumerationType enumTypeId="SQ_STANDARD" parentTypeId="SECURITY_QUESTION" description="Standard Security Question"/>
              <Enumeration enumId="SQ_STD_NCKNM" enumTypeId="SQ_STANDARD" enumCode="" sequenceId="0" description="What is your nick name"/>
              <Enumeration enumId="SQ_STD_MOTNM" enumTypeId="SQ_STANDARD" enumCode="" sequenceId="1" description="What is your mother's maiden name"/>
              <Enumeration enumId="SQ_STD_FAVTCH" enumTypeId="SQ_STANDARD" enumCode="" sequenceId="2" description="What is your favorite teacher's name"/>
              <Enumeration enumId="SQ_STD_PETNM" enumTypeId="SQ_STANDARD" enumCode="" sequenceId="2" description="What is your pet's name"/>
              <Enumeration enumId="SQ_STD_BSTFRND" enumTypeId="SQ_STANDARD" enumCode="" sequenceId="3" description="Who is your best childhood friend"/>
          </entity-engine-xml>
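Whichever file holds the questions, the answers users give to them are credentials and need the same care as passwords. The following is an added example (not OFBiz code and not part of this patch) of enrolling and checking answers the way the issue description calls for: a configured minimum number of questions answered at enrolment, and a configured minimum number of correct answers before an account can be reclaimed. The enumIds are the ones proposed above; the two minimums, the PBKDF2 parameters and all function names are assumptions.

```python
"""Enrol and verify security-question answers (added example, not OFBiz code)."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
import unicodedata
from dataclasses import dataclass

# Standard questions, keyed by the enumIds from the SecurityTypeData.xml above.
STANDARD_QUESTIONS = {
    "SQ_STD_NCKNM": "What is your nick name",
    "SQ_STD_MOTNM": "What is your mother's maiden name",
    "SQ_STD_FAVTCH": "What is your favorite teacher's name",
    "SQ_STD_PETNM": "What is your pet's name",
    "SQ_STD_BSTFRND": "Who is your best childhood friend",
}

# Assumed configuration values; the issue description says both are configurable.
MIN_QUESTIONS_TO_ENROL = 3
MIN_CORRECT_TO_RECLAIM = 2
PBKDF2_ITERATIONS = 100_000  # assumed work factor


def normalize_answer(answer: str) -> str:
    """Fold case, accents and whitespace so 'Fluffy ' and 'fluffy' compare equal."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return re.sub(r"\s+", " ", text.strip()).casefold()


def _digest(normalized: str, salt: bytes) -> bytes:
    # Salted, slow hash: a leaked table does not give the answers back.
    return hashlib.pbkdf2_hmac("sha256", normalized.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass(frozen=True)
class StoredAnswer:
    question_id: str
    salt: bytes
    digest: bytes


def enrol_answers(answers: dict[str, str]) -> list[StoredAnswer]:
    """Hash the answers for storage; the plaintext answers are never kept."""
    if len(answers) < MIN_QUESTIONS_TO_ENROL:
        raise ValueError(f"at least {MIN_QUESTIONS_TO_ENROL} questions must be answered")
    stored = []
    for question_id, answer in answers.items():
        if question_id not in STANDARD_QUESTIONS:
            raise ValueError(f"unknown security question {question_id}")
        normalized = normalize_answer(answer)
        if not normalized:
            raise ValueError(f"empty answer for {question_id}")
        salt = os.urandom(16)
        stored.append(StoredAnswer(question_id, salt, _digest(normalized, salt)))
    return stored


def count_correct(stored: list[StoredAnswer], attempt: dict[str, str]) -> int:
    """Check every stored question (no early exit) and return how many matched."""
    correct = 0
    for record in stored:
        given = attempt.get(record.question_id, "")
        candidate = _digest(normalize_answer(given), record.salt)
        if hmac.compare_digest(candidate, record.digest):
            correct += 1
    return correct


def may_reclaim(stored: list[StoredAnswer], attempt: dict[str, str]) -> bool:
    """True only when the configured minimum number of answers is correct."""
    return count_correct(stored, attempt) >= MIN_CORRECT_TO_RECLAIM
```

All stored questions are checked before the count is returned, so the response time does not reveal which individual answers were right; the reclaim page would still need an attempt limit per account, which the description leaves to configuration.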
          
          
          jacques.le.roux Jacques Le Roux added a comment -

          An updated patch with a SecurityTypeData.xml file added

          jacques.le.roux Jacques Le Roux added a comment - - edited

          Here is another update of the patch. The changes, none of them functional, are:

          • Adds and changes some French labels
          • passwordemail.ftl: removed the confusing message saying "here is your password" above the button
          • changePassword.ftl: removed the deprecated and useless <center> tag

          I have a problem with my email client (Outlook Express 6 on XP) which only shows the button for a few milliseconds. Using my webmail it works correctly. Then when I get to the change pwd page I always get this error:

               [java] 2013-09-29 12:15:24,140 (http-bio-0.0.0.0-8443-exec-79) [  ServiceDispatcher.java:904:INFO ] Service auth failed for userLoginId [ttttt] because UserLogin record currentPassword fields did not match; note that the UserLogin object passed into a service may need to have the currentPassword encrypted.

               [java] 2013-09-29 13:22:41,234 (http-bio-0.0.0.0-8443-exec-96) [  ServiceDispatcher.java:904:INFO ] Service auth failed for userLoginId [ttttt] because UserLogin record currentPassword fields did not match; note that the UserLogin object passed into a service may need to have the currentPassword encrypted.

               [java] 2013-09-29 14:19:36,015 (http-bio-0.0.0.0-8443-exec-154) [  ServiceDispatcher.java:904:INFO ] Service auth failed for userLoginId [ttttt] because UserLogin record currentPassword fields did not match; note that the UserLogin object passed into a service may need to have the currentPassword encrypted.

          The field values are:

          When viewed with the FF source option: <input type="hidden" name="PASSWORD" value="pHqrWXuXvGnwlDsev&#43;5fG8dDqRcSFOVRxyU67r2HXaA&#61;" size="20"/>

          When looking at the DOM with FF tools: <input type="hidden" size="20" value="pHqrWXuXvGnwlDsev+5fG8dDqRcSFOVRxyU67r2HXaA=" name="PASSWORD"></input>

          In the UserLogin entity I read:
          currentPassword: $SHA$L80GFz1xAM$vOuWcT18fU4f9skDKqhvjYQllPQ

          In other words, all works well except when I want to change the pwd and log in. I don't understand why it worked for others.

          jacques.le.roux Jacques Le Roux added a comment -

          Something I forgot: I agree with Ankit and Leon about a URL instead of the button in the email.

          Ankit: Instead of giving a button there should be a reset password link in the mail, which is generally followed everywhere.
          Leon: One suggestion: it's better to use a link instead of a button in the email body. Sometimes I can copy the link out to another browser.

          My experience with OE on XP proves that there are email clients where a form can be an issue (not visible). Maybe changing email header parameters would help, but as Leon said, a URL can easily be copied and pasted by a user, not a form. I don't see any issues with showing the pwd in the URL, since anyway it's one-way encrypted and only understandable by the system (OFBiz).
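
Atul's comment earlier in the thread describes the other pattern, a unique link containing a token, and the final implementation comment below notes that putting the password in the query string "should be replaced". As an added example (not OFBiz code and not part of the patch), this is how an emailed reset link can carry a random single-use token instead of anything derived from the password: the server stores only a hash of the token together with an expiry, and the link is invalidated on first use. The reset page URL, the USERNAME/TOKEN parameter names and the 30-minute lifetime are assumptions.

```python
"""Single-use password-reset links carrying a random token (added example, not OFBiz code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: the reset page URL and the query parameter names are placeholders.
RESET_PAGE_URL = "https://shop.example.com/ecommerce/control/changePassword"
TOKEN_TTL_SECONDS = 30 * 60


@dataclass
class PendingReset:
    user_login_id: str
    token_hash: bytes  # only a hash is stored, so a database leak yields no usable link
    expires_at: float
    used: bool = False


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


class ResetTokenStore:
    """In-memory stand-in for the table a real implementation would use."""

    def __init__(self) -> None:
        self._pending: dict[str, PendingReset] = {}

    def issue(self, user_login_id: str, now: float | None = None) -> str:
        """Create a fresh token for the user, replacing any earlier one."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
        self._pending[user_login_id] = PendingReset(
            user_login_id, _hash_token(token), now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_login_id: str, token: str, now: float | None = None) -> bool:
        """Accept the token once, within its lifetime; otherwise refuse."""
        now = time.time() if now is None else now
        record = self._pending.get(user_login_id)
        if record is None or record.used or now > record.expires_at:
            return False
        # Constant-time comparison of the hashes, not of the raw tokens.
        if not hmac.compare_digest(record.token_hash, _hash_token(token)):
            return False
        record.used = True  # a second click on the same link is refused
        return True


def build_reset_link(user_login_id: str, token: str) -> str:
    """The emailed URL carries the login id and the token, never the password or its hash."""
    return RESET_PAGE_URL + "?" + urlencode({"USERNAME": user_login_id, "TOKEN": token})


def parse_reset_link(url: str) -> tuple[str, str]:
    """What the change-password request handler reads back from the query string."""
    query = parse_qs(urlparse(url).query)
    return query["USERNAME"][0], query["TOKEN"][0]
```

Because the token is short-lived and usable once, a copy left in browser history, a proxy log or a Referer header stops working on its own, and the change-password page can then accept a new password without ever having seen the old one.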

          jacques.le.roux Jacques Le Roux added a comment -

          Also, Atul's comment is interesting and is worth considering in another Jira...

          adrianc@hlmksw.com Adrian Crum added a comment -

          Jacques - I think the security questions should be demo data, and not seed data.

          jacques.le.roux Jacques Le Roux added a comment -

          Adrian, yes, I see nothing against that; others' opinions?

          jacques.le.roux Jacques Le Roux added a comment -

          BTW, just stumbled upon that, I believe we should move SecurityUiLabels.xml and SecurityextUiLabels.xml from common to security

          jacques.le.roux Jacques Le Roux added a comment -

          Following Adrian's suggestion, here is an updated patch with SecurityTypeData.xml renamed SecurityTypeDemoData.xml and loaded as demo data.

          jacques.le.roux Jacques Le Roux added a comment -

          What is the status here? Has someone looked at it since?

          BTW, I stumbled upon this page from OWASP: https://www.owasp.org/index.php/Authentication_Cheat_Sheet

          jacques.le.roux Jacques Le Roux added a comment -

          Updated patch for multitenant changes in password.ftl

          jacques.le.roux Jacques Le Roux added a comment -

          I think I will again have a look at that soon...

          jacques.le.roux Jacques Le Roux added a comment - - edited

          Implemented at revision 1716915.

          Apart from updating the patch, which did not merge, I got 2 major issues (and a few others I will not report here) that I bypassed with workarounds.

          Unlike Harsha, and as I reported earlier in a comment, I never got the username (userLoginId) back when using hidden parameters in the request body (not in requestParameters, i.e. UtilHttp.getParameterMap(request)), nor actually any parameters. This is maybe due to my OS (Windows 7, was XP before) or my email client (Outlook Express then, now Thunderbird) or even my SMTP configuration (I used my ISP SMTP server), but most probably because I did it all on my sole machine (localhost). I tried to understand what was happening to request body parameters with http://www.telerik.com/fiddler, but I finally gave up because it's even more complicated when https is in the picture. So I decided rather to use parameters in the URL (query string). It's a bit less safe, though the password is OFBiz encrypted, and should be replaced. But it's safe enough because only the user should receive this message, and even if the message is sniffed during its journey it should be hard to decrypt the password!

          Harsha used the SecurityExtUiLabels.xml (created by ashish at r1618415) in the securityext component, but there is already a SecurityextUiLabels.xml in the common component. Since I use Windows, OFBiz was unable to retrieve the labels from SecurityExtUiLabels.xml since I guess it looked into SecurityextUiLabels.xml. So I renamed SecurityExtUiLabels.xml to EmailPassword.xml.


            People

            • Assignee: jacques.le.roux Jacques Le Roux
            • Reporter: harshac Harsha Chadhar
            • Votes: 4
            • Watchers: 7
