Reputation: 515
I am using wso2-is-5.1.0. When I use the UserAdminStub changePasswordByUser web service, it allows me to use the old password as the new password. Is this the expected behaviour, or is there any config which can be set so that WSO2 throws an error when the new password and the old password are the same? Most identity management products do not allow the old password to be reset as the new password.
Upvotes: 0
Views: 128
Reputation: 464
Since WSO2 IS 5.1.0 does not support this OOTB, one workaround can be to implement the following methods of the org.wso2.carbon.user.core.listener.UserOperationEventListener [1] class:
doPreUpdateCredential
doPreUpdateCredentialByAdmin
Here, when a user tries to update their password or an admin tries to update the password of a user, these methods get hit before the operation is performed. Here we can do a validation and allow or disallow the operation. The validation can be to maintain a table in the database storing the (hashed) passwords that users have previously set.
Upvotes: 0
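A sketch of the listener described in the answer above, added here as an example and not taken from the answer or from WSO2's code. It assumes Java 8, credentials passed as String, and an in-memory map standing in for the database table; the class name and execution order id are hypothetical.

```java
import java.security.*;
import java.util.*;
import java.util.concurrent.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.user.core.common.AbstractUserOperationEventListener;

public class PasswordHistoryListener extends AbstractUserOperationEventListener {
    // Assumption: in-memory stand-in for the database table of {salt, hash} rows per user.
    private final Map<String, Deque<byte[][]>> history = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    @Override public int getExecutionOrderId() { return 1357; } // hypothetical order id

    @Override
    public boolean doPreUpdateCredential(String user, Object newCred, Object oldCred,
            UserStoreManager usm) throws UserStoreException {
        // Assumes String credentials. The question's case: new equals the password being replaced.
        if (String.valueOf(newCred).equals(String.valueOf(oldCred))) reject();
        return doPreUpdateCredentialByAdmin(user, newCred, usm);
    }

    @Override
    public boolean doPreUpdateCredentialByAdmin(String user, Object newCred,
            UserStoreManager usm) throws UserStoreException {
        Deque<byte[][]> rows = history.computeIfAbsent(user, k -> new ConcurrentLinkedDeque<>());
        for (byte[][] row : rows) // no old credential here: compare against stored rows
            if (MessageDigest.isEqual(row[1], hash(newCred, row[0]))) reject();
        // Simplification: recorded before the update runs; a doPostUpdateCredential hook is stricter.
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        rows.addFirst(new byte[][] {salt, hash(newCred, salt)});
        return true;
    }

    private static void reject() throws UserStoreException {
        throw new UserStoreException("New password must differ from previous passwords");
    }

    private static byte[] hash(Object cred, byte[] salt) throws UserStoreException {
        try { // PBKDF2 with a per-row salt, compared in constant time above
            PBEKeySpec spec = new PBEKeySpec(String.valueOf(cred).toCharArray(), salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new UserStoreException("Cannot hash credential", e);
        }
    }
}
```

To take effect, the class has to be deployed as an OSGi bundle that registers it as a UserOperationEventListener service; that wiring is not shown.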
Reputation: 641
Although this is not supported OOTB, you can create a new UserOperationEventListener to support this feature.
Thanks
Isura
Upvotes: 0