Reset SSO password and send by email

13 July 2005 at 10:13 CEST | In AppServer, Features and tips, JDeveloper, Oracle |

We’re finishing up deploying Oracle Single Sign On. Our version of SSO (v9.0.4.1.0) comes with default pages to let a user reset his password when he has forgotten it. These pages ask the user for a “secret question”. The user is allowed to change his password if he gives the correct answer to this question.

I want a page which will just generate a new random password for a user and send it by email to the registered address. Because of our SSO policies, the user has to change this password again on the first login. Secure enough for me.

The documentation states that Oracle does not feel it is secure to send a new password by email, and that’s why they chose the option with the secret question. In my opinion, having a weak secret question is even more risky than sending a password by email. Who doesn’t remember the hack on Paris Hilton’s T-Mobile account? Besides that, it is quite a hassle to have all your users set up a secret question in the first place. We converted some 2000 users from other systems to SSO, and how do I get them to set up a secret question?

I also asked Oracle support, and there is no default option in Oracle Application Server to implement a reset-and-email-password page. Searching a bit more on the OTN forums turned up a bit of code that inspired me to write the page myself.

I changed the code from OTN to ask for a username and email address. It first validates that this combination exists in the Oracle Internet Directory. If so, the password is changed to a randomly generated one, and the new password is sent by email to the user.

If you look at the code, you see I also used a JNDI Context to look up environment settings. This is because I do not know the password of orcladmin for the production OID. Besides that, I do not want to hard-code any username/password in this JSP. That’s why I’m using environment settings. You set these in web.xml, and the administrator of the application server can change these values after deployment. That makes it possible to use the same EAR file on the development, testing and production application servers with just different configurations.
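The env-entry elements that supply those settings, shown here as an added illustration rather than the post’s own web.xml: the entry names are the ones the JSP looks up, the values are placeholders that the administrator replaces after deployment.

```xml
<!-- web.xml: one env-entry per setting the JSP reads via java:comp/env -->
<env-entry>
  <env-entry-name>oidSearchBase</env-entry-name>
  <env-entry-type>java.lang.String</env-entry-type>
  <env-entry-value>cn=Users,dc=example,dc=com</env-entry-value>
</env-entry>
<env-entry>
  <env-entry-name>oidAdminDN</env-entry-name>
  <env-entry-type>java.lang.String</env-entry-type>
  <env-entry-value>cn=orcladmin</env-entry-value>
</env-entry>
<env-entry>
  <!-- placeholder value: the OID administrator sets the real password
       in the deployed descriptor, so it is never part of the EAR -->
  <env-entry-name>oidAdminPwd</env-entry-name>
  <env-entry-type>java.lang.String</env-entry-type>
  <env-entry-value>CHANGE-AT-DEPLOYMENT</env-entry-value>
</env-entry>
<!-- LDAPServer, LDAPPort, smtpHost, smtpSender and smtpSubject use the same shape -->
<env-entry>
  <!-- %password% is substituted by the JSP; a literal \n in the value
       becomes a line break in the mail -->
  <env-entry-name>smtpContent</env-entry-name>
  <env-entry-type>java.lang.String</env-entry-type>
  <env-entry-value>Your new password is %password%\nYou have to change it at your first login.</env-entry-value>
</env-entry>
```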

The JSP is below. You would probably have to add things for a nicer form, error handling, etc. The code here is just an example and should be enough to get you started.

<%@ page contentType="text/html;charset=windows-1252"%>
<%@ page import="java.util.*, java.io.*, java.security.SecureRandom,
                 javax.naming.*, javax.naming.directory.*"%>
<%-- mail bean used in the scriptlet; the bean declaration is not part of
     the listing and the JDeveloper SendMailBean class name is assumed --%>
<jsp:useBean id="sendMail" class="oracle.jsp.webutil.email.SendMailBean" />

<%
  // **********************************************************
  // forums.oracle.com/forums/thread.jsp?forum=47&thread=293082
  // for the original code
  // **********************************************************

  String username = "";
  String email    = "";
  boolean done    = false;

  // only process if the form is submitted
  if (request.getParameter("username") != null &&
      request.getParameter("email") != null) {
    // get settings from environment (env-entry values in web.xml)
    String searchBase  = null;
    String oidAdminDN  = null;
    String oidAdminPwd = null;
    String ldapServer  = null;
    String ldapPort    = null;
    String smtpHost    = null;
    String smtpSender  = null;
    String smtpSubject = null;
    String smtpContent = null;
    try {
      Context initial = new InitialContext();
      Context envCtx  = (Context) initial.lookup("java:comp/env");
      searchBase  = (String) envCtx.lookup("oidSearchBase");
      oidAdminDN  = (String) envCtx.lookup("oidAdminDN");
      oidAdminPwd = (String) envCtx.lookup("oidAdminPwd");
      ldapServer  = (String) envCtx.lookup("LDAPServer");
      ldapPort    = (String) envCtx.lookup("LDAPPort");
      smtpHost    = (String) envCtx.lookup("smtpHost");
      smtpSender  = (String) envCtx.lookup("smtpSender");
      smtpSubject = (String) envCtx.lookup("smtpSubject");
      smtpContent = (String) envCtx.lookup("smtpContent");
    }
    catch (NamingException e) {
      // a missing env-entry is a deployment error, not a user error
      response.sendError(500, "Configuration error");
      return;
    }

    // get parameters from HTTP request
    username = request.getParameter("username").trim();
    email    = request.getParameter("email").trim();
    // the username is concatenated into a DN below: refuse characters
    // with a special meaning in a DN, so the lookup cannot be pointed
    // at a different entry
    if (username.length() == 0 || username.matches(".*[,+\"\\\\<>;=#].*")) {
      response.sendError(400, "Invalid username");
      return;
    }
    String userDN = "cn=" + username + ", " + searchBase;

    // generate new random password; SecureRandom instead of
    // java.util.Random, so the value cannot be predicted from earlier ones
    StringBuffer newPassword = new StringBuffer("");
    SecureRandom rnd = new SecureRandom();
    final String alphabet =
                 "0123456789abcdefghijklmnopqrstuvwxyz";
    for (int i = 0; i < 10; i++) {
      newPassword.append(alphabet.charAt(
        rnd.nextInt(alphabet.length())));
    }
    // add two digits to be sure to pass password policy
    newPassword.append(alphabet.charAt(rnd.nextInt(10)));
    newPassword.append(alphabet.charAt(rnd.nextInt(10)));

    // setup OID connection, bound as the admin user from the environment
    DirContext ctx = null;
    Properties ldapEnv = new Properties();
    ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
    ldapEnv.put(Context.PROVIDER_URL,
                "ldap://" + ldapServer + ":" + ldapPort + "/");
    ldapEnv.put(Context.SECURITY_PRINCIPAL, oidAdminDN);
    ldapEnv.put(Context.SECURITY_CREDENTIALS, oidAdminPwd);
    try {
      ctx = new InitialDirContext(ldapEnv);
    }
    catch (NamingException e) {
      response.sendError(500, "LDAP logon error");
      return;   // do not go on with a null context
    }

    try {
      // retrieve email address of user
      String ldapEmail = null;
      try {
        Attributes currentAttr =
          ctx.getAttributes(userDN, new String[] { "mail" });
        Attribute mailAttr = currentAttr.get("mail");
        if (mailAttr != null) {
          ldapEmail = (String) mailAttr.get();
        }
      }
      catch (NamingException e) {
        // user not found in OID; same message as the mismatch below,
        // so the page does not reveal which usernames exist
        response.sendError(500, "User not found");
        return;
      }

      if (email.equalsIgnoreCase(ldapEmail)) {
        // email addresses match, reset password
        BasicAttributes newAttr = new BasicAttributes();
        newAttr.put("userpassword", newPassword.toString());
        try {
          ctx.modifyAttributes(userDN,
            DirContext.REPLACE_ATTRIBUTE, newAttr);
        }
        catch (NamingException e) {
          response.sendError(500, "Error changing password");
          return;
        }
        // send email to the address registered in OID, never to the
        // address typed into the form
        try {
          sendMail.setHost(smtpHost);
          sendMail.setSender(smtpSender);
          sendMail.setRecipient(ldapEmail);
          sendMail.setSubject(smtpSubject);
          sendMail.setContent(smtpContent.replaceAll("%password%",
            newPassword.toString()).replaceAll("\\\\n", "\n"));
          sendMail.sendMessage(pageContext);
          done = true;
        }
        catch (Exception e) {
          // the password is already replaced at this point; the user
          // has to submit the form again to get a fresh one mailed
          response.sendError(500, "Error sending email");
          return;
        }
      } else {
        // supplied email address does not match the one in OID
        response.sendError(500, "User not found");
        return;
      }
    }
    finally {
      try { ctx.close(); } catch (NamingException ignore) { }
    }
  }
%>
<html>
<head><title>Forgot Password</title></head>
<body>
<h2>Forgot Password</h2>
<% if (done) { %>
<p>A new password has been sent to your registered email address.</p>
<% } %>
<%-- minimal submit form for the scriptlet above --%>
<form method="post">
  Username <input type="text" name="username"><br>
  Email <input type="text" name="email"><br>
  <input type="submit" value="Reset password">
</form>
</body>
</html>
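Two points the JSP glosses over, as an added example that is not code from the post: the username is spliced into a DN and could just as well be matched in a search filter together with the mail address, so both values need escaping (RFC 4514 and RFC 4515) instead of trusting form input, and the password should come from SecureRandom rather than java.util.Random. The class name, the example.com search base and the sample inputs are made up for the illustration.

```java
import java.security.SecureRandom;

// Added example, not the post's code: escaping for the two form values and a CSPRNG version of the generator.
public final class ResetHelper {
    private static final String ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz";

    // Escape a value concatenated into a DN such as "cn=" + username (RFC 4514),
    // so "jsmith,cn=Users" stays one RDN value instead of becoming two RDNs.
    static String escapeDnValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            if (c == '\0') { sb.append("\\00"); continue; }
            boolean special = ",+\"\\<>;=".indexOf(c) >= 0
                || (c == '#' && i == 0)
                || (c == ' ' && (i == 0 || i == v.length() - 1));
            if (special) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }

    // Escape a value placed inside a search filter such as (mail=...) (RFC 4515),
    // so a typed "*" cannot turn the filter into a wildcard match.
    static String escapeFilterValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Same alphabet and shape as the post (10 characters plus 2 digits for the
    // password policy), drawn from SecureRandom instead of java.util.Random.
    static String newPassword(SecureRandom rnd) {
        StringBuilder pw = new StringBuilder();
        for (int i = 0; i < 10; i++) pw.append(ALPHABET.charAt(rnd.nextInt(ALPHABET.length())));
        pw.append(ALPHABET.charAt(rnd.nextInt(10))).append(ALPHABET.charAt(rnd.nextInt(10)));
        return pw.toString();
    }

    public static void main(String[] args) {
        // constructed inputs: a username carrying DN syntax and a mail address with a wildcard
        System.out.println("cn=" + escapeDnValue("jsmith,cn=Users") + ",cn=Users,dc=example,dc=com");
        System.out.println("(&(cn=" + escapeFilterValue("jsmith") + ")(mail=" + escapeFilterValue("*@example.com") + "))");
        System.out.println(newPassword(new SecureRandom()));
    }
}
```

With the filter form, OID does the username/mail match itself and the page only has to check that exactly one entry came back.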

3 Comments


  1. See http://www.it-eye.nl/weblog/2005/07/12/using-environment-vars-in-java-applications/ for more information on the usage of environment variables.

    Comment by Wilfred — 13 July 2005 #

  2. I have a doubt regarding the password change of a mail address. I have the mail address of my friend, but I don’t know the password of the guy. But if I use the forgot password option, is it possible to change the password of the friend? Then what security is there for the mail address?

    streak.edwin@yahoo.com

    Comment by streak — 26 September 2007 #

  3. Hi,

    I tried the code which is given below for checking that the mail and the user name entered by the user match the values in OID. But it is giving me a page not found error.

    I have a reset password code for the same; that one is working fine with the username provided, but what I need is to check the user name against the mail id provided before changing the password.

    My code is given below. Please have a look and reply to me on my mail id niranjamal@yahoo.com

    CODE:
    <%
    String username = request.getParameter("username");
    String email    = request.getParameter("email");
    String lang     = request.getParameter("lang");
    String error    = "n";
    Random newRandom = new Random();
    int rand = newRandom.nextInt();
    while (rand < 100000)
        rand = newRandom.nextInt();

    //--------------- new code for checking the email --------------------------

    // JNDI expects a bare DN here; the "dn: " prefix belongs only in the
    // LDIF file written further down
    String userDN = "cn=" + username + ",cn=Users,dc=amaf,dc=ae";

    // setup OID connection (credentials hard-coded here; the post above
    // reads them from web.xml instead)
    DirContext ctx = null;
    Properties env = new Properties();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://bkd-tstoas-01.amaf.ae:389/");
    env.put(Context.SECURITY_PRINCIPAL, "cn=orcladmin");
    env.put(Context.SECURITY_CREDENTIALS, "oracle123");
    try {
        ctx = new InitialDirContext(env);
    }
    catch (NamingException e) {
        out.print("error 1: " + e.getMessage());
        //response.sendError(500, "LDAP logon error");
        return;
    }

    // retrieve email address of user
    String ldapEmail = null;
    try {
        BasicAttributes currentAttr =
            (BasicAttributes) ctx.getAttributes(userDN);
        ldapEmail = (String) currentAttr.get("mail").get();
    }
    catch (NamingException e) {
        // user not found in OID
        out.print("error 2: " + e.getMessage());
        response.sendError(500, "User not found");
        return;
    }

    if (email != null && email.equalsIgnoreCase(ldapEmail)) {

    //------------------ ends here ---------------------------------------------

        try {
            FileWriter f = new FileWriter("D:/OracleAS/ldap/changePassword.ldif");
            PrintWriter outfile = new PrintWriter(f);
            // writing the LDIF change record to the file
            outfile.println("dn: cn=" + username + ",cn=Users,dc=amaf,dc=ae");
            outfile.println("changetype: modify");
            outfile.println("replace: userpassword");
            outfile.println("userpassword: " + rand);
            // closing the PrintWriter also closes the FileWriter
            outfile.flush();
            outfile.close();
        }
        catch (Exception e) {
            out.print(e);
        }

        try {
            Process process = Runtime.getRuntime().exec("cmd /C D:/OracleAS/ldap/changePassword.bat");
            InputStream pStdOut = process.getErrorStream();
            BufferedReader reader = new BufferedReader(new InputStreamReader(pStdOut));
            // any output on stderr means the batch file reported a problem
            if (reader.readLine() != null) {
                error = "y";
            }
            reader.close();
        }
        catch (Exception e) {
            out.print(e);
        }
    } // end of email checking if
    else {
        error = "y";
    }

    if (error.equals("n")) {
        SendMail sendMail = new SendMail();
        String mailCont = "Dear " + username + ", thank you for requesting your account information. "
            + "Please use the following password to login to our services. "
            + "Don't forget to change your password after login. New Password: " + rand;
        sendMail.send(email, "ForgetPassword", mailCont);
        response.sendRedirect("/portal/page/portal/AMAF/Forget%20Your%20Password/Confirmation");
    }
    else
        response.sendRedirect("/portal/page/portal/AMAF/Forget%20Your%20Password?error=y");
    %>

    Comment by Niran — 6 October 2009 #
