E1: SEC: 9.2 Web Sign-on Page accepts more than 10 characters with Disabled Long Password Feature
Last updated on MAY 30, 2017
Applies to: JD Edwards EnterpriseOne Tools - Version 9.2 and later
Information in this document applies to any platform.
The Web Sign-on Form accepts more than 10 characters in the password field when the Long Password functionality is disabled.
When changing the password, the user can enter more than 10 characters and the system saves the new password in full, even though the Long Password feature is disabled.
Steps to reproduce:
1. Create a new user UTEST.
2. Change the password for UTEST using P98OWSEC -> Admin password revision.
3. Select "Force Immediate password change" option before changing the password.
4. Log in to the Web client with user UTEST and the new password.
5. By design, it asks the user to change the old password.
6. In the "Change Password" form, enter a new password with more than 10 characters, e.g. UTEST1234567890 (15 characters).
7. The new password is accepted, even though it has more than 10 characters. No error or warning is displayed and the security table is updated with the new password - all 15 characters.
8. At the next login, the whole new password has to be entered (all 15 characters); otherwise the system throws an invalid password error.