Here is my scenario:
Sun EDS password policy is configured to trigger a warning message when a password is about to expire within 10 days. A user whose password is going to expire within 10 days logs in to an application protected by a policy agent. OpenSSO redirects the user to Sun IdM's anonResetPassword.jsp page. In the Reset Password screen I entered not the current password in the Current password field but some fake password, created a new password in the New and Confirm fields, and selected the Change Password button. The password reset works fine without validating the current password.
My question is:
(1) How to make sure that reset password should fail if user enters incorrect current password?
(2) Is anonResetPassword.jsp the right page for password reset?
That JSP calls upon the AnonymousResetPasswordForm, which we don't use; we use questions instead.
Just a question:
If they know the old password... why do they need to reset it anonymously?
I can't really follow the JSP file, not my kind of stuff :P, and I can't really see where it verifies stuff from the form, but it is including the bean
com.waveset.ui.web.common.AnonymousResetPasswordForm, so I assume stuff is in there... or possibly in the login helper stuff
that's in the idmclient.jar, if you want to figure it out :P