PWM 5015 - "forgotten password" is unable to parse valid magic `000001010000Z` of pwdAccountLockedTime
If we configure the "forgotten password" module to be able to also unlock locked accounts, then it only works for normally locked accounts due to repeated password failures.
Administratively locked accounts having `000001010000Z` in pwdAccountLockedTime will cause an internal error exception (parse issue) in PWM.
While it shouldn't be possible for a user to unlock such an account by himself, it would be better if it informed the user correctly about it.
The issue exists in at least the latest snapshot and in 1.9.1.
2020-11-25T16:39:32Z, TRACE, http.PwmRequest, {jpFo8} GET request for: /pwm/public/forgottenpassword [172.17.0.1]
pwmFormID='H4sIAAAAAAAAAAGaAGX_UFdNLkdDTTEQmgBQp1ov-pZXvMkeo3caXoYm4wUTNXqn6kcq9MxjBbPgHNfPnqif2JhJWPr9__f7_swDlDXRqQMt7dccyCRG31R0pm_F0t8xrtXn1ZmbxyrOkc58zUDVKUmhK-BbCdqNy8QTyzTsqVJG9C1biXhOZjb6FjcEswnZ6xEH9j35mc33qwMf0Fz9T0C0YQPLXEgDDrr8TFeaAAAA'
2020-11-25T16:39:32Z, TRACE, forgottenpw.ForgottenPasswordServlet, {jpFo8} entering forgotten password progress engine: flags={"a":true,"r":[],"o":["TOKEN","OTP"],"m":1}, progress={"s":true,"p":false,"m":["TOKEN"],"d":{"id":"C265F684E5E8603EB848456456F3ADEEB15FA2C57273D4E941F3137C1084BD0E922F765691CB3038730F01D7213B6A417D7AC2805D6B0E424BCCC3CCBC2FFF0F","display":"+*******4423","value":"+48601634423","type":"sms"},"i":"TOKEN"} [172.17.0.1]
2020-11-25T16:39:32Z, ERROR, servlet.AbstractPwmServlet, {jpFo8} unexpected error processing request: java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '000001010000Z' could not be parsed at index 12 [7529F067A0E2586CDF8E7C459211B9A11E01792A] [172.17.0.1] (stacktrace follows)
java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '000001010000Z' could not be parsed at index 12
at com.novell.ldapchai.impl.edir.entry.EdirEntries.convertZuluToInstant(EdirEntries.java:120)
at com.novell.ldapchai.impl.openldap.entry.OpenLDAPEntries.convertZuluToDate(OpenLDAPEntries.java:40)
at com.novell.ldapchai.impl.openldap.entry.OpenLDAPVendorFactory.stringToInstant(OpenLDAPVendorFactory.java:101)
at com.novell.ldapchai.impl.AbstractChaiEntry.readDateAttribute(AbstractChaiEntry.java:497)
at com.novell.ldapchai.impl.openldap.entry.OpenLDAPUser.isPasswordLocked(OpenLDAPUser.java:149)
at password.pwm.ldap.UserInfoReader.isPasswordLocked(UserInfoReader.java:398)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at password.pwm.util.java.CachingProxyWrapper$ProxyInstance.invoke(CachingProxyWrapper.java:84)
at com.sun.proxy.$Proxy13.isPasswordLocked(Unknown Source)
at password.pwm.http.servlet.forgottenpw.ForgottenPasswordServlet.nextStep(ForgottenPasswordServlet.java:1115)
at password.pwm.http.servlet.ControlledPwmServlet.processAction(ControlledPwmServlet.java:191)
at password.pwm.http.servlet.AbstractPwmServlet.handleRequest(AbstractPwmServlet.java:125)
at password.pwm.http.servlet.AbstractPwmServlet.doGet(AbstractPwmServlet.java:65)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:626)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at password.pwm.http.filter.AbstractPwmFilter$PwmFilterChain.doFilter(AbstractPwmFilter.java:153)
at password.pwm.http.filter.SessionFilter.processFilter(SessionFilter.java:111)
at password.pwm.http.filter.AbstractPwmFilter.doFilter(AbstractPwmFilter.java:97)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at password.pwm.http.filter.AbstractPwmFilter$PwmFilterChain.doFilter(AbstractPwmFilter.java:153)
at password.pwm.http.filter.ApplicationModeFilter.processFilter(ApplicationModeFilter.java:82)
at password.pwm.http.filter.AbstractPwmFilter.doFilter(AbstractPwmFilter.java:97)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at password.pwm.http.filter.AbstractPwmFilter$PwmFilterChain.doFilter(AbstractPwmFilter.java:153)
at password.pwm.http.filter.ObsoleteUrlFilter.processFilter(ObsoleteUrlFilter.java:65)
at password.pwm.http.filter.AbstractPwmFilter.doFilter(AbstractPwmFilter.java:97)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at password.pwm.http.filter.RequestInitializationFilter.initializeServletRequest(RequestInitializationFilter.java:245)
at password.pwm.http.filter.RequestInitializationFilter.doFilter(RequestInitializationFilter.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.github.ziplet.filter.compression.CompressingFilter.doFilter(CompressingFilter.java:263)
at password.pwm.http.filter.GZIPFilter.doFilter(GZIPFilter.java:81)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at password.pwm.http.filter.CookieManagementFilter.doFilter(CookieManagementFilter.java:77)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
2020-11-25T16:39:32Z, FATAL, servlet.AbstractPwmServlet, {jpFo8} unexpected error: 5015 ERROR_INTERNAL (unexpected error processing request: java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '000001010000Z' could not be parsed at index 12 [7529F067A0E2586CDF8E7C459211B9A11E01792A]) [172.17.0.1]
2020-11-25T16:39:32Z, ERROR, http.PwmResponse, {jpFo8} 5015 ERROR_INTERNAL (unexpected error processing request: java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '000001010000Z' could not be parsed at index 12 [7529F067A0E2586CDF8E7C459211B9A11E01792A]) [172.17.0.1]
2020-11-25T16:39:32Z, DEBUG, http.PwmResponse, {jpFo8} forcing logout due to error 5015 ERROR_INTERNAL (unexpected error processing request: java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '000001010000Z' could not be parsed at index 12 [7529F067A0E2586CDF8E7C459211B9A11E01792A]) [172.17.0.1]
2020-11-25T16:39:32Z, TRACE, http.SessionManager, {jpFo8} incremented request counter to 1 [172.17.0.1]
Judging by the stack trace, this is due to using OpenLDAP, which doesn't have a proper timestamp reader (it's using the one from eDir LDAP Chai Impl). This needs an LDAP Chai Impl to be fixed.
We are using pwm-onejar-2.1.0-SNAPSHOT integrated with OpenLDAP. The same issue is experienced after verifying any LDAP username in the forgotten password module.
We noticed that setting the Last Password Update Attribute in the PWM configuration to an LDAP attribute whose value can be set manually displays the full error.
LDAP attribute was set to ==> 2022-07-04T21:33:26Z
```
2022-07-04T22:08:48Z, ERROR, http.PwmResponse, {fQqQL,default} 5015 ERROR_INTERNAL (unexpected error processing request: java.lang.IllegalArgumentException: unable to parse zulu time-string: Text 'Sun Mar 06 11:28:16 IST 2011' could not be parsed at index 0 [AF129C3DE059DE6AB7A70437AB1C45C88F11F370]) [192.168.xx.xx]
2022-07-04T22:15:00Z, ERROR, servlet.AbstractPwmServlet, {IQqsz,default} unexpected error processing request: java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '2011-04-15T20:08:18Z' could not be parsed at index 4 [F2A0B32E0CD3D90604C2E9EBDDC6E8039220A152] [192.168.xx.xx] (stacktrace follows)
java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '2011-04-15T20:08:18Z' could not be parsed at index 4
at com.novell.ldapchai.impl.edir.entry.EdirEntries.convertZuluToInstant(EdirEntries.java:120)
at com.novell.ldapchai.impl.openldap.entry.OpenLDAPEntries.convertZuluToDate(OpenLDAPEntries.java:40)
at com.novell.ldapchai.impl.openldap.entry.OpenLDAPVendorFactory.stringToInstant(OpenLDAPVendorFactory.java:101)
at com.novell.ldapchai.impl.AbstractChaiEntry.readDateAttribute(AbstractChaiEntry.java:497)
at password.pwm.util.password.PasswordUtility.determinePwdLastModified(PasswordUtility.java:1308)
```
We have tried different LDAP values and all display the same error above. We are not sure what format or timestamp PWM is expecting.
Is anyone else experiencing this issue, and how can it be bypassed to allow forgotten passwords to be reset via email with or without the email token?
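
An added example, not code from PWM or LDAP Chai: one way a lock-time reader could classify `pwdAccountLockedTime` so that the `000001010000Z` value from this issue is reported as an administrative lock instead of raising the 5015 parse error. The class and method names are hypothetical, and it assumes timed locks arrive as UTC Generalized Time with or without the seconds field.

```java
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.Optional;

// Hypothetical helper, not part of PWM or LDAP Chai.
public final class PpolicyLockTime {
    // Sentinel quoted in the issue: account locked until an administrator resets it.
    static final String ADMIN_LOCK_VALUE = "000001010000Z";

    enum LockState { NOT_LOCKED, TIMED_LOCK, ADMIN_LOCK, UNPARSEABLE }

    // Assumption: UTC Generalized Time, with or without the seconds field.
    private static final DateTimeFormatter[] FORMATS = {
        DateTimeFormatter.ofPattern("uuuuMMddHHmmss'Z'"),
        DateTimeFormatter.ofPattern("uuuuMMddHHmm'Z'"),
    };

    // Check the sentinel before any date parsing, so it never reaches the parser.
    static LockState classify(String raw) {
        if (raw == null || raw.trim().isEmpty()) return LockState.NOT_LOCKED;
        String value = raw.trim();
        if (ADMIN_LOCK_VALUE.equals(value)) return LockState.ADMIN_LOCK;
        return parse(value).isPresent() ? LockState.TIMED_LOCK : LockState.UNPARSEABLE;
    }

    // Returns empty instead of throwing, so the caller decides how to fail.
    static Optional<Instant> parse(String value) {
        for (DateTimeFormatter format : FORMATS) {
            try {
                return Optional.of(LocalDateTime.parse(value, format).toInstant(ZoneOffset.UTC));
            } catch (DateTimeParseException e) {
                // try the next accepted layout
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed samples; the last three strings appear in the logs above.
        String[] samples = { null, "20201125163932Z", "000001010000Z",
            "2011-04-15T20:08:18Z", "Sun Mar 06 11:28:16 IST 2011" };
        for (String s : samples) {
            System.out.println(s + " -> " + classify(s));
        }
    }
}
```

A caller in a self-service flow would treat both `ADMIN_LOCK` and `UNPARSEABLE` as "cannot self-unlock" and show the user a lock message, rather than letting the exception end the session.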