Error deleting user

[james.cassady]

I configured my jasper reports server to use stronger passwords.

I restarted Jasper then created new users ensuring the passwords for those users met the new requirements.

Then I go to delete one of the users, as a result I get an error saying Weak Password, with a huge value that looks like an encrypted version of said password and then my regex for the allowed passwords.

How do I go about fixing this?

 

[ogavavka]

Hi

Please supply additional info:
Apllication server
JRS Version
your regex

<<<<<< This comment was blocked and unpublished because Project Honeypot indicates it came from a suspicious IP address.

[elizam]

what version are you using and exactly which file(s) did you edit?

[james.cassady]

Version: Community Edition 5.5

 

File Edits:

WEB-INFapplicationContext.xml

allowedPasswordPattern

 

jsexeptions_messages.properties

exception.remote.weak.password

 

WEB-INFjasperserver-servlet.xml

allowUserPasswordChange

 

WEB-INFapplicationContext-security-web.xml

passwordExpirationInDays

 

 

 

 

 

[dlitvak]

Could you please post a stack trace?  Some config excerpts could be helpful too.

[james.cassady]

For some reason when I try to post any code and an image it doesn't upload.  Let me try for a fouth time.

 

ApplicationContext.xml

    <bean id="userAuthorityService"        class="com.jaspersoft.jasperserver.api.metadata.user.service.impl.UserAuthorityServiceImpl">        <property name="sessionFactory" ref="sessionFactory"/>        <property name="objectMappingFactory" ref="mappingResourceFactory"/>        <property name="persistentClassFactory" ref="persistentMappings"/>        <property name="profileAttributeService" ref="profileAttributeService"/>        <property name="defaultInternalRoles">          <list>            <value>ROLE_USER</value>          </list>        </property>        <property name="tenantPersistenceResolver"><ref bean="${bean.hibernateTenantService}"/></property>        <property name="auditContext" ref="${bean.auditContext}"/>        <property name="databaseCharactersEscapeResolver" ref="databaseCharactersEscapeResolver"/>        <property name="usernameCaseSensitive" value="false"/>        <!-- Allows to change regular expression, which validates password complexity.             You should also change "exception.remote.weak.password" message in             jsexeptions_messages.properties file according to your password policy-->        <property name="allowedPasswordPattern" value="^.*(?=^.{8,}$)((?=.*d)|(?=.*W+))(?![.n])(?=.*[A-Z])(?=.*[a-z]).*$"></property>    </bean>[/code]

jasperserver-servlet.xml

    <!-- js common controller -->    <bean id="jsCommContr" class="com.jaspersoft.jasperserver.war.control.JSCommonController">        <property name="methodNameResolver" ref="paramResolver"/>        <property name="repository">            <ref bean="${bean.repositoryService}"/>        </property>        <property name="userAuthService">            <ref bean="${bean.internalUserAuthorityService}"/>        </property>        <property name="objPermService" ref="objectPermissionService"/>        <property name="timezones">            <ref bean="userTimeZonesList"/>        </property>        <property name="locales">            <ref bean="userLocalesList"/>        </property>        <property name="allowUserPasswordChange" value="true" />        <!-- note: if passwordExpirationInDays is positive, it will overwrite the above allowUserPasswordChange and the password changing UI will be displayed -->        <property name="passwordExpirationInDays" value="90" />        <!-- Turn off/on login form auto completion.                true  = user can use saved data for the login form                false = user cannot use saved login form data; user must type it in -->        <property name="autoCompleteLoginForm" value="false" />        <property name="heartbeat">            <ref bean="concreteHeartbeatBean"/>        </property>    </bean>[/code]

 

Once those changes were made, I restarted the server.  Once back up, create a new user using required password, then attempt to delete the same new user.

As you can see in the attached message, the "WeakPassword" in the message is not what I used as a password, the password I used for the new user that fit the requirements was P@ssW0rd

[dlitvak]

Try with a simpler regex first to see if it works. ^d{5,}$ for example.

Most likely it won't, but still.

 

Have you enable some js password encryption?

encryption.on=true in security-config.properties?

 

[dlitvak]

Sounds like a bug, logging it.

[james.cassady]

I attempted to use ^d{5,}$ as well, but when attempting to delete it still says Weak Password.

[james.cassady]

Also my value in security-config.properties is:

# Turns encryption of encryption.param's defined below on or off.

encryption.on=false

[dlitvak]

James,

It's a definite bug which was introduced in 5.1.  I opened an issue and linked it to the original bug, which I re-opened.

So far, the engineer works to make it fixed in 5.6.

Sorry for any inconvenience.

Dmitriy

[dlitvak]

sorry, d{5,} should not work as the encrypted passwords are hex. It's a bug anyways.

[gsteiner]

Dlitvak, do you know for sure if this was fixed in 5.6 or not? I'd like to know prior to upgrading. Thanks!

[dlitvak]

It is fixed in 5.6 according to defect 35935 records that I filed.